Researchers say a bug let them add fake pilots to rosters used for TSA checks

A pair of security researchers say they discovered a vulnerability in login systems for records that the Transportation Security Administration (TSA) uses to verify airline crew members at airport security checkpoints. The bug let anyone with a “basic knowledge of SQL injection” add themselves to airline rosters, potentially letting them breeze through security and into the cockpit of a commercial airplane, researcher Ian Carroll wrote in a blog post in August.

Carroll and his partner, Sam Curry, apparently discovered the vulnerability while probing the third-party website of a vendor called FlyCASS that provides smaller airlines access to the TSA’s Known Crewmember (KCM) system and Cockpit Access Security System (CASS). They found that when they put a simple apostrophe into the username field, they got a MySQL error.

This was a very bad sign, as it seemed the username was directly interpolated into the login SQL query. Sure enough, we had discovered SQL injection and were able to use sqlmap to confirm the issue. Using the username of ‘ or ‘1’=’1 and password of ‘) OR MD5(‘1’)=MD5(‘1, we were able to login to FlyCASS as an administrator of Air Transport International!

Once they were in, Carroll writes that there was “no further check or authentication” preventing them from adding crew records and photos for any airline that uses FlyCASS. Anyone who might have used the vulnerability could present a fake employee number to get through a KCM security checkpoint, the blog says.

TSA press secretary R. Carter Langston denied that, telling Bleeping Computer that the agency “does not solely rely on this database to authenticate flight crew, and that “only verified crewmembers are permitted access to the secure area in airports.”