
Anyone Could Evade Airport Security Via SQL Injection Attack


Latest Hacking News

Security researchers have uncovered a significant vulnerability in an airport cockpit-access security system that could potentially be exploited by attackers. The vulnerability, an SQL injection flaw, could allow attackers to bypass security checks at airports and gain unauthorized access to restricted areas such as cockpits.

Researchers Demonstrate SQL Injection Bypass on Airport Security

In a recent demonstration, researchers Ian Carroll and Sam Curry shed light on a critical security flaw in airport security systems. They discovered how a malicious actor could exploit SQL injection vulnerabilities in the FlyCASS cockpit security system to bypass security checks.

FlyCASS is a web-based security system designed to help airlines verify the eligibility of crew members for cockpit access. It is commonly used by small airlines to comply with the Known Crewmember (KCM) program and Cockpit Access Security System (CASS) established by the Transportation Security Administration (TSA).

The researchers identified an SQL injection vulnerability on the FlyCASS login page, allowing attackers to inject arbitrary SQL into queries run against the crew member database. They also noted that no additional authentication or authorization checks were enforced when adding new employees to the database. To validate their findings, they added a “Test” user account, which was immediately granted KCM and CASS privileges.

This vulnerability could potentially enable attackers to add unauthorized users to the KCM and CASS database, circumventing standard airport screening procedures.
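The two weaknesses described above, a login query built from user input and an add-employee path with no authorization check, shown as an added example beside their hardened forms. This is illustrative code written for this article, not FlyCASS's code; the table layout, the `users`/`crew` names and the role values are constructed assumptions.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for a crew eligibility database (not the real schema).
    # Passwords are kept in clear only to keep the example short; a real system stores hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("CREATE TABLE crew (name TEXT, kcm INTEGER, cass INTEGER)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hunter2', 'admin')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The defect: user input is spliced into the SQL text, so quotes and comment
    # markers in the input are parsed as SQL rather than compared as data.
    sql = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    # The fix: a parameterized query binds the input as values; the database
    # never interprets it as part of the statement.
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def add_crew_member(conn, actor_role, name, kcm, cass):
    # The check the article says was missing: the caller's role is verified
    # server-side before any row is written to the eligibility table.
    if actor_role != "admin":
        raise PermissionError("only administrators may add crew members")
    conn.execute("INSERT INTO crew VALUES (?, ?, ?)", (name, int(kcm), int(cass)))
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM crew").fetchone()[0]
```

Run the two login functions with the same input containing SQL syntax: the parameterized version simply finds no such user, while the concatenated version lets the input rewrite the query.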

Resolution of the Vulnerability

Upon discovering the vulnerability, the researchers promptly reported it to the Department of Homeland Security (DHS). The DHS acknowledged the report and took necessary actions. Subsequently, FlyCASS was disabled from the KCM/CASS system until the vulnerability was addressed.


Following the fix, the researchers did not receive further communication from the DHS regarding the vulnerability disclosure. Additionally, they received a statement from TSA denying the existence of the exploit. However, the researchers maintain their findings and warn of potential attack scenarios targeting KCM/CASS checks.
