The Known Crewmember (KCM) and Cockpit Access Security System (CASS) programs are two transport security systems that pilots, flight attendants, and other airline employees to bypass traditional airport security checks and access cockpit jumpseats. These systems verify an employee’s active employment status with their airline, and depending on their status authorize to skip security screening or access the cockpit. The process involves presenting identification, and a TSA agent verifies the employee’s status using a laptop.
The researchers Ian Carroll and Sam Curry conducted a study on the verification processes implemented by these systems highlighting that different airlines likely use various systems to manage employee data.
ARINC, a subsidiary of Collins Aerospace, manages the Known Crewmember (KCM) system for the TSA, routing authorization requests between different airlines via an API. While larger airlines may have their own systems, smaller ones often rely on services provided by third-party organizations like FlyCASS. FlyCASS provides a web-based interface for KCM and Cockpit Access Security System (CASS) participation. The two researchers discovered a critical vulnerability in FlyCASS, finding a SQL injection in the login system. This flaw allowed the researchers to gain administrator access to Air Transport International’s account, allowing them to manage and add pilots and flight attendants to the airline’s KCM and CASS lists without further authentication.
“To test that it was possible to add new employees, we created an employee named Test TestOnly
with a test photo of our choice and authorized it for KCM and CASS access. We then used the Query features to check if our new employee was authorized. Unfortunately, our test user was now approved to use both KCM and CASS:” wrote Carroll. “At this point, we realized we had discovered a very serious problem. Anyone with basic knowledge of SQL injection could login to this site and add anyone they wanted to KCM and CASS, allowing themselves to both skip security screening and then access the cockpits of commercial airliners. We ended up finding several more serious issues but began the disclosure process immediately after finding the first issue.”
The researchers initially disclosed the issue to the Department of Homeland Security (DHS) on April 23. Then the FlyCASS was disabled in KCM/CASS to address the issue. The researchers explained that when they attempted to coordinate a safe public disclosure, DHS stopped responding, and the TSA issued misleading statements downplaying the issue.
The TSA inaccurately claimed that the flaw couldn’t be used to access KCM checkpoints, asserting that a vetting process was required before issuing a KCM barcode.
“Unfortunately, instead of working with us, the Department of Homeland Security stopped responding to us, and the TSA press office issued dangerously incorrect statements about the vulnerability, denying what we had discovered.” added Carroll. “The TSA press office said in a statement that this vulnerability could not be used to access a KCM checkpoint because the TSA initiates a vetting process before issuing a KCM barcode to a new member. However, a KCM barcode is not required to use KCM checkpoints, as the TSO can enter an airline employee ID manually.”
The security duo pointed out that a KCM barcode isn’t necessary since TSA agents can manually enter an airline employee ID. Then the TSA removed the relevant information from their website but didn’t address the researchers’ correction.
Threat actors can have exploited the vulnerability other attacks, such as editing existing KCM members’ details, which could bypass the vetting process for new members. Additionally, unenrolled KCM barcodes could be linked to employee IDs through the KCM website.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, air transport security)