ian.sh Open in urlscan Pro
76.76.21.21  Public Scan

URL: https://ian.sh/tsa
Submission: On August 31 via manual from US — Scanned from DE

Form analysis 0 forms found in the DOM

Text Content

ian carroll
/
Bypassing airport security via SQL injection



BYPASSING AIRPORT SECURITY VIA SQL INJECTION

08/29/2024


INTRODUCTION

Like many, Sam Curry and I spend a lot of time waiting in airport security
lines. If you do this enough, you might sometimes see a special lane at airport
security called Known Crewmember (KCM). KCM is a TSA program that allows pilots
and flight attendants to bypass security screening, even when flying on domestic
personal trips.

The KCM process is fairly simple: the employee uses the dedicated lane and
presents their KCM barcode or provides the TSA agent their employee number and
airline. Various forms of ID need to be presented while the TSA agent’s laptop
verifies the employment status with the airline. If successful, the employee can
access the sterile area without any screening at all.

A similar system also exists for cockpit access, called the Cockpit Access
Security System (CASS). Most aircraft have at least one jumpseat inside the
cockpit sitting behind the flying pilots. When pilots need to commute or travel,
it is not always possible for them to occupy a revenue seat, so a jumpseat can
be used instead. CASS allows the gate agent of a flight to verify that the
jumpseater is an authorized pilot. The gate agent can then inform the crew of
the flight that the jumpseater was authenticated by CASS.

The employment status check is the most critical component of these processes.
If the individual doesn’t currently work for an airline, they have not had a
background check and should not be permitted to bypass security screening or
access the cockpit. This process is also responsible for returning the photo of
the crewmember to ensure the right person is being authorized for access. So how
does this work, when every airline presumably uses a different system to store
their employee information? That is what we were wondering, and where it gets
interesting…


ARINC

ARINC (a subsidiary of Collins Aerospace) appears to be contracted by the TSA to
operate the Known Crewmember system. ARINC operates a few central components,
including an online website for pilots and flight attendants to check their KCM
status, and an API to route authorization requests between different airlines.
Each airline appears to operate their own authorization system to participate in
KCM and CASS, and it interacts with the “hub” of ARINC.

The TSA and airlines can send requests such as CockpitAccessRequest and
CrewVerificationRequest to ARINC, which then routes it to the appropriate
airline’s system and receives the response. There are 77 airlines currently
participating in KCM. While larger airlines have likely built their own system,
how do smaller airlines respond to these requests to participate in KCM or CASS?


FLYCASS.COM

In our search for vendors that actually run the authorization systems, we found
a site called FlyCASS which pitches small airlines a web-based interface to
CASS. Intrigued, we noticed every airline had its own login page, such as Air
Transport International (8C) being available at /ati. With only a login page
exposed, we thought we had hit a dead end.

Just to be sure though, we tried a single quote in the username as a SQL
injection test, and immediately received a MySQL error:

Uh oh.

This was a very bad sign, as it seemed the username was directly interpolated
into the login SQL query. Sure enough, we had discovered SQL injection and were
able to use sqlmap to confirm the issue. Using the username of ' or '1'='1 and
password of ') OR MD5('1')=MD5('1, we were able to login to FlyCASS as an
administrator of Air Transport International!


KCM AND CASS ADMIN

It turns out that FlyCASS also operates both KCM and CASS for its participating
airlines. Now that we are an administrator of Air Transport International, we
are able to manage the list of pilots and flight attendants associated with
them. Surprisingly, there is no further check or authentication to add a new
employee to the airline. As the administrator of the airline, we were able to
add anyone as an authorized user for KCM and CASS.



To test that it was possible to add new employees, we created an employee named
Test TestOnly with a test photo of our choice and authorized it for KCM and CASS
access. We then used the Query features to check if our new employee was
authorized. Unfortunately, our test user was now approved to use both KCM and
CASS:



At this point, we realized we had discovered a very serious problem. Anyone with
basic knowledge of SQL injection could login to this site and add anyone they
wanted to KCM and CASS, allowing themselves to both skip security screening and
then access the cockpits of commercial airliners.

We ended up finding several more serious issues but began the disclosure process
immediately after finding the first issue.


DISCLOSURE

We had difficulty identifying the right disclosure contact for this issue. We
did not want to contact FlyCASS first as it appeared to be operated only by one
person and we did not want to alarm them. On April 23rd, we were able to
disclose the issue to the Department of Homeland Security, who acknowledged the
issue and confirmed that they “are taking this very seriously”. FlyCASS was
subsequently disabled in KCM/CASS and later appears to have remediated the
issues.

After the issue was fixed, we attempted to coordinate the safe disclosure of
this issue. Unfortunately, instead of working with us, the Department of
Homeland Security stopped responding to us, and the TSA press office issued
dangerously incorrect statements about the vulnerability, denying what we had
discovered.

The TSA press office said in a statement that this vulnerability could not be
used to access a KCM checkpoint because the TSA initiates a vetting process
before issuing a KCM barcode to a new member. However, a KCM barcode is not
required to use KCM checkpoints, as the TSO can enter an airline employee ID
manually. After we informed the TSA of this, they deleted the section of their
website that mentions manually entering an employee ID, and did not respond to
our correction. We have confirmed that the interface used by TSOs still allows
manual input of employee IDs.

Several other attacks were also likely possible. Since our vulnerability allowed
us to edit an existing KCM member, we could have changed the photo and name of
an existing enrolled user, which would likely bypass any vetting process that
may exist for new members. If you are able to obtain an unenrolled KCM barcode,
you can also enroll it to an employee ID yourself on the KCM website.


TIMELINE

 * 04/23/2024: Initial disclosure to ARINC and FAA
 * 04/24/2024: Subsequent disclosure to DHS via CISA
 * 04/25/2024: DHS CISO confirms they are working on a resolution
 * 05/07/2024: DHS CISO confirms FlyCASS was disconnected from KCM/CASS
 * 05/17/2024: Follow-up to DHS CISO about TSA statements (no reply)
 * 06/04/2024: Follow-up to DHS CISO about TSA statements (no reply)


COLLABORATORS

 * Ian Carroll (https://twitter.com/iangcarroll)
 * Sam Curry (https://twitter.com/samwcyo)