Developers: | U.S. Transportation Security Administration (TSA) |
Date of the premiere of the system: | August 2024 |
Branches: | Information Security, Transport |
2024: Identifying a critical vulnerability
In early September 2024, it became known about the problem of the pilot authorization system, which allows attackers to bypass security checks at US airports and even board under the guise of a regular flight pilot.
Researchers Ian Carroll and Sam Curry studied the safety of systems that allow pilots and other crew members to avoid long lines of screening at U.S. airports, as well as systems that allow pilots to check in for any flight to fly in a spare reclining seat in the cockpit for both work and personal, such as vacations. As it turned out, these systems have a critical vulnerability that allows hackers to bypass queues under the guise of pilots.
In theA vulnerability was found in FlyCASS, a third-party web service that some airlines use to manage Known Crewmember (KCM) and Cockpit Access Security System (CASS). KCM is a United States Transportation Security Administration (TSA) project that allows pilots and flight attendants not to be screened, and CASS allows licensed pilots to occupy seats in aircraft cockpits while traveling.
The pilot assistance program is known to cover 76 airlines, but major airlines tend to develop their own authorization systems and are therefore not considered vulnerable. However, smaller operators more often rely on the services of third-party suppliers, including FlyCASS, whose mistake allowed hackers to penetrate the system. The researchers noted that literally anyone with basic IT knowledge could take advantage of the vulnerability, which allowed them to both bypass security checks and gain access to the cockpit of commercial airliners.
The researchers alerted the systems developer as soon as they discovered the vulnerability, and on April 25, 2024, FlyCASS was disconnected from KCM and CASS programs. However, the US Transportation Security Administration (TSA) did not consider it necessary to publish this data, to the alarm of the researchers. "In April, TSA became aware of a vulnerability in a third-party database containing information about crew members. Government data or systems were not compromised and the issue had no significant security implications[1]
Notes
- ↑ " Tired of airport security queues? SQL inject yourself into the cockpit, claim researchers