SQL Injection Vulnerability Exposes Critical Flaw in Airport Security Systems

Security researchers have uncovered a severe vulnerability in a crucial air transport security system, potentially allowing unauthorized individuals to bypass airport screenings and access aircraft cockpits. This alarming discovery highlights the ongoing challenges in cybersecurity within the aviation industry.

The vulnerability, identified as a SQL injection flaw, was found in FlyCASS, a third-party web-based service utilized by some airlines to manage the Known Crewmember (KCM) program and the Cockpit Access Security System (CASS). These programs are integral to the Transportation Security Administration’s (TSA) efforts to streamline security processes for airline crew members.

Researchers Ian Carroll and Sam Curry stumbled upon this critical security loophole while investigating vendors that manage authorization systems. They discovered that the login pages for individual airlines using FlyCASS were susceptible to a simple SQL injection attack. By exploiting this vulnerability, the researchers gained administrator access to an airline’s account within the system.

The implications of this security breach are significant. With administrator privileges, an attacker could potentially add unauthorized individuals to the KCM and CASS databases. This would allow these fictitious “employees” to bypass standard security screenings and potentially gain access to aircraft cockpits, posing a severe threat to aviation security.

The researchers demonstrated the vulnerability by creating a test account, which was immediately granted authorization for KCM and CASS use. This ease of manipulation underscores the critical nature of the flaw and its potential for exploitation by malicious actors.

Upon discovering the vulnerability, Carroll and Curry promptly initiated the responsible disclosure process, alerting the Department of Homeland Security (DHS) to the security risk. In response, FlyCASS was temporarily disconnected from the KCM/CASS system, and the identified issues were subsequently patched.

However, the researchers expressed concerns about the handling of the disclosure process. They reported difficulties in communication with the DHS and claimed that the TSA issued statements that contradicted their findings. This highlights the challenges in coordinating effective responses to cybersecurity threats in critical infrastructure.

How to Protect Against SQL Injection

  1. Use Parameterized Queries: This is the most effective way to prevent SQL injection attacks. Instead of concatenating user input directly into SQL statements, use parameterized queries that separate the SQL code from the data.
  2. Implement Input Validation: Validate and sanitize all user inputs before processing them. This includes using whitelists to allow only specific characters or data formats.
  3. Employ Least Privilege Principle: Restrict database user privileges to the minimum necessary for each application or user role. This limits the potential damage if an attack succeeds.
  4. Utilize Stored Procedures: When properly constructed (taking user input as parameters rather than assembling SQL strings from it), stored procedures can provide an additional layer of security by separating the SQL logic from the application code.
  5. Keep Software Updated: Regularly update all software components, including libraries, frameworks, and database management systems, to patch known vulnerabilities.
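
The sketch below is an added example, not code from FlyCASS or from the researchers. It puts a string-concatenated login lookup beside a version that applies steps 1 and 2. The table, the account, the username format and the crafted input are all constructed for illustration, and SQLite stands in for whatever database an application actually uses.

```python
import hashlib
import re
import sqlite3

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")  # step 2: assumed username format
DEMO_SALT = b"constructed-demo-salt"  # constructed; real systems use per-user random salts
CRAFTED_USERNAME = "admin' --"  # constructed input: a quote plus an SQL comment marker


def pw_digest(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000).hex()


def make_db():
    """Constructed in-memory user table; not the schema of any real system."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("admin", pw_digest("correct horse"), "administrator"))
    return db


def login_concatenated(db, username, password):
    """Anti-pattern: the input is pasted into the SQL text and can change its structure."""
    sql = ("SELECT role FROM users WHERE username = '" + username +
           "' AND pw_hash = '" + pw_digest(password) + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(db, username, password, validate=True):
    """Steps 1 and 2: optional allow-list check, then values bound through placeholders."""
    if validate and not USERNAME_RE.fullmatch(username):
        return None
    row = db.execute("SELECT role FROM users WHERE username = ? AND pw_hash = ?",
                     (username, pw_digest(password))).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for fn in (login_concatenated, login_parameterized):
        print(fn.__name__, "->", fn(db, CRAFTED_USERNAME, "not-the-password"))
```

With validate=False the parameterized version still refuses the crafted username, because binding the value as data, not filtering it, is what keeps input out of the SQL text. The allow-list check is a second layer on top of that.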

This incident serves as a stark reminder of the importance of robust cybersecurity measures in aviation and other critical sectors. It underscores the need for regular security audits, penetration testing, and the implementation of best practices such as parameterized queries to prevent SQL injection attacks. As cyber threats continue to evolve, the aviation industry must remain vigilant and proactive in addressing potential vulnerabilities to ensure the safety and security of air travel.
