August 30, 2024 at 09:35AM
Cybersecurity researchers discovered a vulnerability in the Known Crewmember (KCM) and Cockpit Access Security System (CASS) programs, allowing unauthorized access to skip airport security and enter the cockpit of commercial airliners. By exploiting a SQL injection bug in the third-party vendor site FlyCASS, the researchers gained admin access and manipulated the programs, prompting immediate disconnect and disclosure difficulties.
From the meeting notes, it seems that cybersecurity researchers Ian Carroll and Sam Curry discovered a vulnerability in the Known Crewmember (KCM) and Cockpit Access Security System (CASS) programs. They found that a third-party vendor’s service, FlyCASS, was susceptible to a simple SQL injection, allowing unauthorized access to create new approved pilots on the CASS program without proper checks. This raised serious concerns as it potentially allowed individuals to bypass security screening and gain access to commercial airliner cockpits.
The researchers tried to disclose their findings to various authorities, including FlyCASS, ARINC, the Federal Aviation Administration (FAA), and the Department of Homeland Security (DHS), but faced difficulties. They claim that the TSA issued incorrect statements denying the vulnerability and that the DHS ignored their attempts to disclose the findings in a coordinated manner.
The situation also raises concerns given an observation by a software engineer about a potential ransomware infection on the FlyCASS system.
It’s important that these findings are addressed and the vulnerabilities are resolved to ensure the security of airport and airline operations. The response from the TSA, DHS, FAA, and FlyCASS is crucial in understanding how they are addressing these issues and preventing potential security threats.