Security Researchers find SQL injection in Cockpit Access Security System
Ian Carroll and Sam Curry discover that anyone with basic knowledge of SQL injection could add anyone they wanted to Known Crewmember (KCM) and Cockpit Access Security System (CASS) via FlyCASS.com, allowing themselves to both skip security screening and then access the cockpits of commercial airliners. FlyCASS has fixed the flaw in the application. (ian.sh)
Amateur hour at flycass.com and the TSA.
TSA or ARINC should *hire* Ian or Sam, not stop communicating with them.
Not a bad idea. But SQL injection is not a new problem, it's a very old and *almost* universally well-known security issue for which every SQL API has long provided an injection-proof mechanism to craft SQL statements. Most likely, like so much tech work, the coding was outsourced to barely programming-literate code monkeys in the third world who don't understand code very well but are cheap and can copy and paste examples from the internet repeatedly until something seems to run. In the West, every professional programmer who is familiar with database programming wouldn't have produced code susceptible to SQL injection attacks, but they won't work for $1 per hour. That means Ian and Sam would've had to work much harder to find vulnerabilities. The other point to make is that nation-states and criminals perform SQL injection surveillance all the time, all day long, all over the internet. I see it all the time in the small, humble website I run for my retirement club. When they find vulnerabilities they don't necessarily tell anybody, they just go ahead and exploit them or sell the exploit to other criminals and nation-states. So it's fair to assume that someone already knew about this vulnerability and either used it or was keeping it in their back pocket to use in the future. Part of responsible "cleanup" of these security disasters is to go back, look at logs, and see how badly you were being exploited prior to discovering the problem. Because this is TSA and hence Department of Homeland Security-related, they tend to make everything hush-hush and probably told the flycass.com people to not say anything.
Given all the probing that goes on, it's surprising neither TSA nor DHS appears to have tested this system for vulnerabilities such as this rather elementary one, and taken preemptive action. Looks like they need a few gray hats onboard.
Kudos to the authors for contacting the relevant authorities, rather than go public with it straight away.
Not impressed with the behaviour of the said authorities later, denying everything and saying it's all right now.
Also not impressed with the authors' subsequent behaviour, going public with it when apparently there is still a vulnerability.
> Also not impressed with the authors' subsequent behaviour, going public with it when apparently there is still a vulnerability.
Eh? The article indicates:
> After the issue was fixed, we attempted to coordinate the safe disclosure of this issue.
Sounds like they didn't publicly disclose the vulnerability until it was fixed -- so what is wrong with that?
Do you think it has actually been implemented on every aircraft?