ckpoint
© Unknown
An attacker could have added fake pilots to the roster using SQL injection.

Why it matters: Security researchers have uncovered a major vulnerability that could have allowed anyone to bypass airport security and even access airplane cockpits. The flaw was found in the login system used by the Transportation Security Administration to verify airline crew members at checkpoints.

The story began in April when researchers Ian Carroll and Sam Curry were exploring a third-party website called FlyCASS. This vendor provides smaller airlines with access to the TSA's Known Crewmember (KCM) and Cockpit Access Security System (CASS) databases. While testing the site's login page, they noticed a telltale MySQL error appear after inserting an apostrophe - a classic sign of an SQL injection flaw.

Update (Sept 10): The TSA has issued a statement regarding this matter and has requested us to update this story accordingly with the following details:
In April, TSA became aware of a report that a vulnerability in a third party's database containing airline crewmember information was discovered and that through testing of the vulnerability, an unverified name was added to a list of crewmembers in the database. This vulnerability was immediately resolved by the third party. No government data or systems were compromised and there are no transportation security impacts related to the activities.

TSA does not solely rely on this database to verify the identity of crewmembers. TSA has procedures in place to verify the identity of crewmembers and only verified crewmembers are permitted access to the secure area in airports. TSA worked with stakeholders to mitigate against any identified cyber vulnerabilities.
The original story follows below:

For those unfamiliar, SQL injection is a technique in which malicious code is inserted into application queries to manipulate the backend database illicitly. In this case, the researchers realized FlyCASS was interpolating usernames directly into its SQL queries, making it vulnerable to exploitation.

By leveraging this flaw, the pair managed to log in as an admin for one airline. Once inside, they found no further security checks in place, essentially giving them free rein to create fake crew accounts, complete with employee numbers and photo IDs.
Carroll added that anyone with "basic knowledge" of SQL injection could exploit the bug and gain access to the site.

Upon realizing the severity of the issue, Carroll and Curry reported it to the Department of Homeland Security on April 23. The TSA's parent agency confirmed the vulnerability was legitimate and had FlyCASS disconnected from federal databases on May 7 as a temporary measure.

Thankfully, the vulnerability was fixed soon after on FlyCASS.

However, the disclosure process encountered a setback when the DHS suddenly stopped responding to further coordination attempts. The researchers claim that the TSA press office issued "dangerously incorrect statements" about the vulnerability.

Meanwhile, TSA spokesperson R. Carter Langston stated that no government data or systems were compromised due to the vulnerability. He added that the agency does not rely solely on the database and has procedures in place "to verify the identity of crew members, and only verified crew members are permitted access to secure areas in airports."