Security Experts Detect SQL Injection to Bypass Airport TSA Security Checks

 

Security experts discovered a flaw in a critical air transport security system that could allow unauthorised personnel to bypass airport security screenings and gain access to aircraft cockpits.

Researchers Ian Carroll and Sam Curry uncovered the security vulnerability in FlyCASS, a third-party web-based service used by some airlines to manage the Known Crewmember (KCM) program and the Cockpit Access Security System (CASS).

KCM is a Transportation Security Administration (TSA) project that lets pilots and flight attendants bypass security screening, whereas CASS allows authorised pilots to use jump seats in cockpits while flying. 


ARINC, a Collins Aerospace subsidiary, runs the KCM system, which uses an online platform to authenticate airline personnel’s credentials. Access is granted without a security screening by scanning a KCM barcode or inputting an employee number, which is subsequently cross-checked with the airline’s database. Likewise, when pilots need to commute or travel, the CASS system authenticates them for access to the cockpit jump seat.

The researchers observed that FlyCASS’s login mechanism was vulnerable to SQ

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
