Introduction
Like many, Sam Curry and I spend a lot of time waiting in airport security lines. If you do this enough, you might sometimes see a special lane at airport security called Known Crewmember (KCM). KCM is a TSA program that allows pilots and flight attendants to bypass security screening, even when flying on domestic personal trips.
The KCM process is fairly simple: the employee uses the dedicated lane and presents their KCM barcode or provides the TSA agent their employee number and airline. Various forms of ID need to be presented while the TSA agent's laptop verifies the employment status with the airline. If successful, the employee can access the sterile area without any screening at all.
A similar system also exists for cockpit access, called the Cockpit Access Security System (CASS). Most aircraft have at least one jumpseat inside the cockpit sitting behind the flying pilots. When pilots need to commute or travel, it is not always possible for them to occupy a revenue seat, so a jumpseat can be used instead. CASS allows the gate agent of a flight to verify that the jumpseater is an authorized pilot. The gate agent can then inform the crew of the flight that the jumpseater was authenticated by CASS.
The employment status check is the most critical component of these processes. If the individual doesn't currently work for an airline, they have not had a background check and should not be permitted to bypass security screening or access the cockpit. This process is also responsible for returning the photo of the crewmember to ensure the right person is being authorized for access. So how does this work, when every airline presumably uses a different system to store their employee information? That is what we were wondering, and where it gets interesting...
ARINC
ARINC (a subsidiary of Collins Aerospace) appears to be contracted by the TSA to operate the Known Crewmember system. ARINC operates a few central components, including an online website for pilots and flight attendants to check their KCM status, and an API to route authorization requests between different airlines. Each airline appears to operate their own authorization system to participate in KCM and CASS, and it interacts with the "hub" of ARINC.
The TSA and airlines can send requests such as CockpitAccessRequest and CrewVerificationRequest to ARINC, which then routes it to the appropriate airline's system and receives the response. There are 77 airlines currently participating in KCM. While larger airlines have likely built their own system, how do smaller airlines respond to these requests to participate in KCM or CASS?
FlyCASS.com
In our search for vendors that actually run the authorization systems, we found a site called FlyCASS which pitches small airlines a web-based interface to CASS. Intrigued, we noticed every airline had its own login page, such as Air Transport International (8C) being available at /ati. With only a login page exposed, we thought we had hit a dead end.
Just to be sure though, we tried a single quote in the username as a SQL injection test, and immediately received a MySQL error:
This was a very bad sign, as it seemed the username was directly interpolated into the login SQL query. Sure enough, we had discovered SQL injection and were able to use sqlmap to confirm the issue. Using the username of ' or '1'='1 and password of ') OR MD5('1')=MD5('1 , we were able to login to FlyCASS as an administrator of Air Transport International!
KCM and CASS Admin
It turns out that FlyCASS also operates both KCM and CASS for its participating airlines. Now that we are an administrator of Air Transport International, we are able to manage the list of pilots and flight attendants associated with them. Surprisingly, there is no further check or authentication to add a new employee to the airline. As the administrator of the airline, we were able to add anyone as an authorized user for KCM and CASS.
To test that it was possible to add new employees, we created an employee named Test TestOnly with a test photo of our choice and authorized it for KCM and CASS access. We then used the Query features to check if our new employee was authorized. Unfortunately, our test user was now approved to use both KCM and CASS:
At this point, we realized we had discovered a very serious problem. Anyone with basic knowledge of SQL injection could login to this site and add anyone they wanted to KCM and CASS, allowing themselves to both skip security screening and then access the cockpits of commercial airliners.
We ended up finding several more serious issues but began the disclosure process immediately after finding the first issue.
Disclosure
We had difficulty identifying the right disclosure contact for this issue. We did not want to contact FlyCASS first as it appeared to be operated only by one person and we did not want to alarm them. On April 23rd, we were able to disclose the issue to the Department of Homeland Security, who acknowledged the issue and confirmed that they "are taking this very seriously". FlyCASS was subsequently disabled in KCM/CASS and later appears to have remediated the issues.
After the issue was fixed, we attempted to coordinate the safe disclosure of this issue. Unfortunately, instead of working with us, the Department of Homeland Security stopped responding to us, and the TSA press office issued dangerously incorrect statements about the vulnerability, denying what we had discovered.
The TSA press office said in a statement that this vulnerability could not be used to access a KCM checkpoint because the TSA initiates a vetting process before issuing a KCM barcode to a new member. However, a KCM barcode is not required to use KCM checkpoints, as the TSO can enter an airline employee ID manually. After we informed the TSA of this, they deleted the section of their website that mentions manually entering an employee ID, and did not respond to our correction. We have confirmed that the interface used by TSOs still allows manual input of employee IDs.
Several other attacks were also likely possible. Since our vulnerability allowed us to edit an existing KCM member, we could have changed the photo and name of an existing enrolled user, which would likely bypass any vetting process that may exist for new members. If you are able to obtain an unenrolled KCM barcode, you can also enroll it to an employee ID yourself on the KCM website.
Timeline
04/23/2024: Initial disclosure to ARINC and FAA
04/24/2024: Subsequent disclosure to DHS via CISA
04/25/2024: DHS CISO confirms they are working on a resolution
05/07/2024: DHS CISO confirms FlyCASS was disconnected from KCM/CASS
05/17/2024: Follow-up to DHS CISO about TSA statements (no reply)
06/04/2024: Follow-up to DHS CISO about TSA statements (no reply)
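As an added illustration (not code from the post, from FlyCASS or from ARINC), the following Python/SQLite model shows why a single quote produced a database error and why the two quoted payloads logged in: the query shape is an assumption inferred from those payloads, MD5() is registered by hand because SQLite lacks it, and the parameterized version beside it is the fix.

```python
import hashlib
import sqlite3

# Constructed stand-in for FlyCASS's user table (the real schema is not known):
# one airline administrator with an MD5-hashed password.
def make_db():
    conn = sqlite3.connect(":memory:")
    # SQLite has no MD5(); register one so the MySQL-style query shape runs here.
    conn.create_function("MD5", 1,
                         lambda s: hashlib.md5(str(s).encode()).hexdigest())
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('ati_admin', ?)",
                 (hashlib.md5(b"correct horse").hexdigest(),))
    return conn

def login_vulnerable(conn, username, password):
    # Assumed query shape, inferred from the payloads in the post: both inputs
    # are pasted into the SQL text, so quotes in them become SQL syntax.
    sql = ("SELECT username FROM users "
           f"WHERE (username = '{username}') AND (password = MD5('{password}'))")
    return conn.execute(sql).fetchone()

def login_fixed(conn, username, password):
    # Parameterized version: the values travel separately from the SQL text,
    # so a quote in the input is data, never structure.
    sql = ("SELECT username FROM users "
           "WHERE (username = ?) AND (password = MD5(?))")
    return conn.execute(sql, (username, password)).fetchone()

def single_quote_breaks_query(conn):
    # The probe from the post: a lone quote should only ever be a wrong
    # username, but against the interpolated query it is a syntax error
    # (the MySQL error page the authors saw).
    try:
        login_vulnerable(conn, "'", "anything")
    except sqlite3.Error:
        return True
    return False

# The two payloads quoted in the post.
USERNAME_PAYLOAD = "' or '1'='1"
PASSWORD_PAYLOAD = "') OR MD5('1')=MD5('1"

if __name__ == "__main__":
    conn = make_db()
    print("probe errors:", single_quote_breaks_query(conn))
    print("vulnerable:", login_vulnerable(conn, USERNAME_PAYLOAD, PASSWORD_PAYLOAD))
    print("fixed:", login_fixed(conn, USERNAME_PAYLOAD, PASSWORD_PAYLOAD))
```

The same pair of inputs returns the administrator row from the interpolated query and nothing from the parameterized one, which is the whole of the fix: no input filtering is involved.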
Lmao SQL injection how r-slurred;
update user set IsAdmin = 1, AdminLevel = 5 where userid = 847
Edit: holy shit it worked
Most efficient government agency.
Thank god arabs don't know how sql works
Like 69% of terrorists are engineers
"Engineers" because that's how you can most easily commit immigration fraud. If they were remotely smart they'd have already done something better than 911. For instance, replicate USS Cole but against a 10k person cruise ship instead of an armored Navy vessel with damage control teams. Incidentally, my Paul Blart 3 script focuses on this as the major plot. God those movies are funny.
LIGMA BLART
HAVE YOU EVER WATCHED PAUL BLART MALL COP 2 SYNCED UP TO DARK SIDE OF THE fricking MOON ITS FRICKIN EPIC
The Iranian Engineers seem legit though, cause the government needs em for their various shenanigans fighting Israel, Arabs, and the west.
Chemical engineers
Like chemical Ali
Or my chemical romance
They were inspired to form a band and live their dreams because of 9/11. I'm kinda glad 9/11 happened, knowing that.
I can't say I could name a single song of theirs. From their name I always thought they're edgy hardcore/emo shit.
They absolutely are emo. Helena was their biggest hit.
Why yes I do want to destroy Western society, how could you tell?
Don't need to know
All they need to know is "gib hacker money, get in plane"
And there's always someone looking to improve their rep who'll do it for real
Except it ends with you getting your door kicked in by DEVGRU or SAD and being extraordinarily renditioned to Diego Garcia to be rectally fed for a year before they bring charges
Ok ok you've convinced me, I'll do it
WTF this is already bad enough in itself. They started making crew go through security like everyone else when a disgruntled employee shot the pilots and crashed a plane back in 1987. I guess they decided to stop doing it since then.
Ah the 70s and 80s. When hijackings were a regular occurrence
Kids these days will never understand what it was like living in a civilized society. If you wanted to go somewhere you could just hop on a plane and pull out your gun and ask.
Just like how the always-have-two-people-in-the-cockpit rule after the Eurowings crash was removed after a few years.
Yeah they still get screened, just expedited. Otherwise it would be prime time to smuggle weapons and drugs through your skywagie job
They must make a lot of money for such little work.
I bypassed security in a third world airport by just entering a zone that was unsupervised, which led me to the lounge zone, and from there I could just go to where the airplanes are located.
50/50 you end up locked in a tiny cell with 50 dudes whose artistic talents have been showcased on WPD though
They don't care if you're white because you're not going to do anything bad.
Except maybe torture monkeys and/or children
Well he's gonna be getting alarmed up the butt now by the DHS but a nice thought.
This is why people shouldn't help government. Let them fail hard on their own accord.
It's not incompetence. It's on purpose so they can justify another war when the inevitable happens. Of course it will be "muslims" but we all know who is really behind it*
*I am on parole so somebody else reply with less cryptic hate against our good friends.
The Dutch won't be able to get away with it this time. Total Nederlander Death now!
Some people (many of whom are geniuses and scholars) would agree with your statement.
T.
I mean Muslims do indeed get up to these shenanigans. Why are you pretending they're some innocent scapegoats when they're the most useful idiots geopolitics has ever seen.
This was deliberately left open for use by intelligence agencies