Two security researchers say they discovered a flaw in the log-in system used by the Transportation Security Administration (TSA) to authenticate airline crew members at airport security checkpoints. Researcher Ian Carroll wrote in an August blog post that the vulnerability could allow anyone with “basic knowledge of SQL injection” to add themselves to an airline roster, potentially allowing them to breeze through security and into the cockpit of a commercial aircraft.
Carroll and his partner, Sam Curry, apparently discovered the vulnerability while investigating the third-party website of a vendor called FlyCASS, which provides small airlines with access to the TSA Known Crew (KCM) system and the Cockpit Access Security System (CASS). They discovered that when they entered a simple apostrophe in the username field, they received a MySQL error.
This is a very bad sign because the username appears to be inserted directly into the login SQL query. Sure enough, we discovered SQL injection and were able to use sqlmap to confirm the problem. Using username ' or '1'='1 and password ') OR MD5('1')=MD5('1, we were able to log into FlyCASS as an administrator of Air Transport International!
Once they were in, “no further checks or identity verification” prevented them from adding crew records and photos from any airlines using FlyCASS, Carroll wrote. The blog states that anyone able to exploit this vulnerability could provide a false employee number to pass the KCM security checkpoint.
TSA press secretary R. Carter Langston denied this, telling Bleeping Computer that the agency “does not rely solely on this database to verify the identities of crew members, but only verified crew members are allowed into secure areas of the airport.”
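The login flaw described above, shown next to its fix, as an added example that is not code from FlyCASS or from the researchers' blog. The query shape, the table layout, the function names and the use of sqlite3 in place of MySQL are all assumptions made for illustration; the two input strings are the ones quoted in the article.

```python
import hashlib
import sqlite3

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def make_db():
    # Constructed sample data; sqlite3 stands in for the MySQL backend.
    db = sqlite3.connect(":memory:")
    db.create_function("MD5", 1, md5_hex)  # sqlite has no built-in MD5()
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("admin", md5_hex("constructed-sample-pw"), "administrator"))
    return db

def login_concatenated(db, username, password):
    # Assumed query shape: input is pasted straight into the SQL text.
    sql = ("SELECT role FROM users WHERE username = '" + username +
           "' AND password = MD5('" + password + "')")
    return db.execute(sql).fetchone()

def login_parameterized(db, username, password):
    # Bound parameters: input is only ever data, never SQL syntax.
    # MD5 is kept only to mirror the assumed schema; it is not a
    # suitable password hash.
    sql = "SELECT role FROM users WHERE username = ? AND password = MD5(?)"
    return db.execute(sql, (username, password)).fetchone()

def apostrophe_breaks_query(login, db):
    # The first probe described in the article: a lone apostrophe as username.
    try:
        login(db, "'", "x")
        return False
    except sqlite3.OperationalError:
        return True

# Strings quoted in the article.
USER_INPUT = "' or '1'='1"
PASS_INPUT = "') OR MD5('1')=MD5('1"

if __name__ == "__main__":
    db = make_db()
    for fn in (login_concatenated, login_parameterized):
        print(fn.__name__,
              "| error on apostrophe:", apostrophe_breaks_query(fn, db),
              "| article input returns:", fn(db, USER_INPUT, PASS_INPUT))
```

A database error on a single apostrophe is the signal worth alerting on in application logs: with bound parameters the same input produces a failed login and no error.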