Back to Squawk list
  • 20

Security Researchers find SQL injection in Cockpit Access Security System

Submitted
Ian Carroll and Sam Curry discover that anyone with basic knowledge of SQL injection could add anyone they wanted to Known Crewmember (KCM) and Cockpit Access Security System (CASS) via FlyCASS.com, allowing themselves to both skip security screening and then access the cockpits of commercial airliners. FlyCASS has fixed the flaw in the application. (ian.sh) More...

Sort type: [Top] [Newest]


ghstark
Greg S 9
Amateur hour at flycass.com and the TSA.
Bobh528FA
Bob Hallissy 6
TSA or ARINC should *hire* Ian or Sam, not stop communicating with them.
ghstark
Greg S 8
Not a bad idea. But SQL injection is not a new problem, it's a very old and *almost* universally well-known security issue for which every SQL API has long provided an injection-proof mechanism to craft SQL statements. Most likely, like so much tech work, the coding was outsourced to barely programming-literate code monkeys in the third world who don't understand code very well but are cheap and can copy and paste examples from the internet repeatedly until something seems to run. In the West, every professional programmer who is familiar with database programming wouldn't have produced code susceptible to SQL injection attacks, but they won't work for $1 per hour. That means Ian and Sam would've had to work much harder to find vulnerabilities. The other point to make is that nation-states and criminals perform SQL injection surveillance all the time, all day long, all over the internet. I see it all the time in the small, humble website I run for my retirement club. When they find vulnerabilities they don't necessarily tell anybody, they just go ahead and exploit them or sell the exploit to other criminals and nation-states. So it's fair to assume that someone already knew about this vulnerability and either used it or was keeping it in their back pocket to use in the future. Part of responsible "cleanup" of these security disasters is to go back, look at logs, and see how badly you were being exploited prior to discovering the problem. Because this is TSA and hence Department of Homeland Security-related, they tend to make everything hush-hush and probably told the flycass.com people to not say anything.
locomoco
M.F. LaBoo 4
Given all the probing that goes on, it's surprising neither TSA or DHS appear to have tested this system for vulnerabilities zuch as this rather elementary one, and taken preemptive action. Looks like they need a few gray hats onboard.
Bandrunner
Bandrunner 5
Kudos to the authors for contacting the relevant authorities, rather than go public with it straight away.
Not impressed with the behaviour of the said authorities later, denying everything and saying it's all right now.
Also not impressed with the authors subsequent behaviour, going public with it when apparently there is still a vulnerability.
Bobh528FA
Bob Hallissy 5
> Also not impressed with the authors subsequent behaviour, going public with it when apparently there is still a vulnerability.

Eh? The article indicates:

> After the issue was fixed, we attempted to coordinate the safe disclosure of this issue.

Sounds like they didn't publicly disclose the vulnerability until it was fixed -- so what is wrong with that?

srobak
srobak 1
Do you think it has actually been implemented on every aircraft?
mendieta
Pablo Rogina 3
>> Also not impressed with the authors subsequent behaviour, going public with it when apparently there is still a vulnerability.

Well, that's a common practice within the information security field when a fix is not provided before a deadline set when the researchers initially privately disclosed the flaw.
See "responsible disclosure" -> https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html

Login

Don't have an account? Register now (free) for customized features, flight alerts, and more!
Did you know that FlightAware flight tracking is supported by advertising?
You can help us keep FlightAware free by allowing ads from FlightAware.com. We work hard to keep our advertising relevant and unobtrusive to create a great experience. It's quick and easy to whitelist ads on FlightAware or please consider our premium accounts.
Dismiss