Major Vulnerability Found in TSA’s Crew Verification System
Two cybersecurity experts have identified a significant security flaw in the login procedures the Transportation Security Administration (TSA) uses to authenticate airline personnel at airport security checkpoints. The vulnerability enables anyone with even a minimal understanding of SQL injection techniques to potentially add themselves to airline crew lists, which might allow them unrestricted access through airport security and into the cockpit of commercial aircraft. Researcher Ian Carroll detailed the finding in an August blog entry.
The Discovery Process: Exposing Weaknesses in FlyCASS Systems
The researchers, Ian Carroll and his colleague Sam Curry, stumbled upon this vulnerability while investigating the operations of FlyCASS—a third-party vendor that allows smaller airlines to connect with the TSA’s Known Crewmember (KCM) system alongside its Cockpit Access Security System (CASS). During their exploration…