August 29th, 2024

Bypassing airport security via SQL injection

A SQL injection vulnerability in FlyCASS, a third-party web application that some smaller airlines use to manage their participation in TSA's Known Crewmember (KCM) and Cockpit Access Security System (CASS) programs, let an attacker log in as an airline administrator and enroll arbitrary people in both programs. Researchers Ian Carroll and Sam Curry reported it to DHS, which had FlyCASS disconnected from KCM/CASS, but TSA's public statements understated what the flaw allowed.

Sam Curry and Ian Carroll found a SQL injection vulnerability in FlyCASS, a third-party web application that some smaller airlines use to manage their participation in two TSA programs: Known Crewmember (KCM), which lets pilots and flight attendants bypass security screening, and the Cockpit Access Security System (CASS), which airlines use to verify pilots for cockpit jumpseat access. Because the injection was in the login form, an unauthenticated attacker could authenticate as an airline administrator and add an arbitrary person as an approved crewmember. Anyone enrolled that way could present themselves at a KCM checkpoint or request a jumpseat without ever having been vetted.

The researchers reported the issue to the Department of Homeland Security (DHS) on April 23, 2024. DHS acknowledged its severity, and FlyCASS was subsequently disconnected from KCM/CASS. TSA's public statements, however, misrepresented the problem: TSA claimed that KCM barcodes are vetted before a crewmember is admitted, even though a TSA officer can also look up a crewmember by manually entering an employee ID, which a record injected through FlyCASS would satisfy.

The researchers had difficulty identifying the right disclosure contact, chose not to approach FlyCASS directly because it appeared to be run by a single person, and later received no reply to follow-ups to the DHS CISO about TSA's statements. The incident shows how thin the controls were around a system that grants airline employees access to secure areas.

- A SQL injection in FlyCASS's login let an attacker authenticate as an airline administrator and enroll arbitrary people in KCM and CASS.

- The researchers reported the issue to DHS, which confirmed its severity and had FlyCASS disconnected from KCM/CASS.

- TSA's public statements misrepresented the vulnerability, denying that it could be used to bypass a checkpoint.

- The incident exposes significant weaknesses in how airline employees' access to secure areas is controlled.

- Finding the right disclosure contact and getting follow-up from DHS and TSA was difficult, which complicated resolution.
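
The login bypass described above, as an added example that is not code from the article, the researchers, or FlyCASS: a user table, column names and a login query are assumed here to illustrate the bug class, with the string-concatenated query beside the same check using bound parameters. The comment-terminated payload in `demo()` is the classic form; FlyCASS's actual query and payload are not on the page.

```python
"""Added example, not FlyCASS code: a login check that concatenates user
input into SQL beside the same check using bound parameters. The table,
column names and query are illustrative assumptions."""
import hashlib
import sqlite3

ADMIN_PASSWORD = "correct horse"  # constructed sample credential


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for an airline-admin user table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_md5 TEXT, role TEXT)"
    )
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        ("admin", hashlib.md5(ADMIN_PASSWORD.encode()).hexdigest(), "administrator"),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the query by string concatenation. A quote in the username ends
    the string literal early and the rest of the input becomes SQL, so the
    password clause can be commented out entirely."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password_md5 = '" + pw_hash + "'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same check with placeholders: the driver sends the values separately
    from the statement text, so a quote in the input is just a character."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password_md5 = ?",
        (username, pw_hash),
    ).fetchone()


def demo() -> dict:
    """Runs the same injected username against both implementations."""
    payload = "admin' -- "  # closes the literal, then comments out the rest
    conn = build_db()
    return {
        "vulnerable": login_vulnerable(conn, payload, "wrong password"),
        "safe": login_safe(conn, payload, "wrong password"),
        "legit": login_safe(conn, "admin", ADMIN_PASSWORD),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:11s} -> {row}")
```

With the injected username the vulnerable function returns the administrator row for any password, while the parameterized version treats the same string as a username that does not exist. Note that the fix is the placeholder, not "sanitizing" the quote: escaping is easy to get wrong per database and per encoding, whereas bound parameters never enter the SQL grammar at all.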

AI: What people are saying
The comments on the TSA security vulnerability reveal widespread concern and criticism regarding the incident and the agency's response.
  • Many commenters express disbelief that such a basic SQL injection vulnerability could exist in a critical security system.
  • There is a strong sentiment that the TSA's response was inadequate and dismissive, with accusations of cover-up and negligence.
  • Commenters worry about potential repercussions for the researchers who reported the vulnerability, fearing legal action under the CFAA.
  • Several users highlight the systemic issues within the TSA and the broader implications for national security.
  • Many call for greater accountability and transparency from government agencies regarding cybersecurity practices.
62 comments
By @woodruffw - 5 months
The TSA's response here is childish and embarrassing, although perhaps unsurprising given the TSA's institutional disinterest in actual security. It's interesting to see that DHS seemingly (initially) handled the report promptly and professionally, but then failed to maintain top-level authority over the fix and disclosure process.
By @dylan604 - 5 months
Since they actually went past the SQL injection and then created a fake record for an employee, I'm shocked that Homeland did not come after and arrest those involved. Homeland would have been top of the list to misinterpret a disclosure and prefer to refer to the disclosure as malicious hacking instead of responsible disclosure. I'm more impressed by this than the incompetence of the actual issue.
By @jerf - 5 months
You know it's bad when it's so bad that as I write this no one has even bothered talking about how bad storing MD5'd passwords is. This even proves they aren't even so much as salting it, which is itself insufficient for MD5.

But that isn't even relevant when you can go traipsing through the SQL query itself just by asking; wouldn't matter how well the passwords were stored.
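
An added example, not from the article or the comment above, of the point jerf is making about the password store: with no salt, two users who chose the same password have identical hashes (which is how a dump gives the absence of salting away), and a fast hash like MD5 falls to a wordlist at one hash per guess. The users, passwords and wordlist are constructed sample data; the salted PBKDF2 store is a standard alternative, not anything FlyCASS does.

```python
"""Added example, not from the article or the comment: why a dump of
unsalted MD5 hashes is close to plaintext, and what a salted, slow hash
changes. All users, passwords and the wordlist are constructed sample data."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor for the demo; tune higher in production

# Constructed sample data: two users happen to share a password.
USERS = {"alice": "password", "bob": "password", "carol": "Summer2024!"}
WORDLIST = ["123456", "qwerty", "password", "letmein"]


def md5_unsalted(password: str) -> str:
    """The weak scheme: same input, same output, for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def same_password_visible(users: dict) -> list:
    """Returns pairs of users whose unsalted hashes collide, i.e. who chose
    the same password. Any such pair in a dump proves no per-user salt."""
    first_seen = {}
    clashes = []
    for name, pw in users.items():
        h = md5_unsalted(pw)
        if h in first_seen:
            clashes.append((first_seen[h], name))
        else:
            first_seen[h] = name
    return clashes


def crack_md5(target_hex: str, wordlist) -> str:
    """One MD5 per guess, and the same precomputed table works against every
    row in the dump because nothing varies between users."""
    for guess in wordlist:
        if md5_unsalted(guess) == target_hex:
            return guess
    return None


def pbkdf2_store(password: str, salt: bytes = None) -> str:
    """Per-user random salt plus a deliberately slow KDF. The salt is stored
    alongside the digest so verification can repeat the computation."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recomputes with the stored salt and compares in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("shared passwords visible in MD5 dump:", same_password_visible(USERS))
    print("alice's MD5 cracks to:", crack_md5(md5_unsalted(USERS["alice"]), WORDLIST))
    a, b = pbkdf2_store("password"), pbkdf2_store("password")
    print("same password, different salted records:", a != b)
    print("both verify:", pbkdf2_verify("password", a) and pbkdf2_verify("password", b))
```

The two salted records for the same password differ, so a cracked row tells an attacker nothing about the others, and each guess costs `ITERATIONS` HMAC computations instead of one MD5. As the comment says, that is secondary here: once the login query itself can be rewritten by the attacker, the hash never has to be reversed.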

By @urbandw311er - 5 months
> We did not want to contact FlyCASS first as it appeared to be operated only by one person and we did not want to alarm them

I’m not buying this. Feels more like they knew the site developer would just fix it immediately and they wanted to make a bigger splash with their findings.

By @voiceblue - 5 months
Not surprised that they deny the severity of the issue, but I am quite surprised they didn't inform the FBI and/or try to have you arrested. Baby steps?
By @justmarc - 5 months
A good old SQL injection negates the entire security theatre worth probably billions a year, hilarious, but probably not all too surprising.
By @mikeocool - 5 months
> We did not want to contact FlyCASS first as it appeared to be operated only by one person...

It seems pretty remarkable that airlines are buying such a security sensitive piece of software from a one person shop. If you make it very far into selling any piece of SaaS software to most companies in corporate America, at the absolute minimum they're going to ask you for your SOC2 audit report.

SOC2 is pretty damn easy to get through with minimal findings as far as audits go, but there are definitely several criteria that should generate some red flags in your report if the company is operated by a single person. And I would have assumed that if you're writing software that integrates with TSA access systems, the requirements would be a whole lot more rigorous than SOC2.

By @preciousoo - 5 months
This was a wild read, that something like this could be so easy, but the later part describing the TSA response is incredibly alarming
By @magic_man - 5 months
The dudes who did this are going to probably be visited by homeland security or FBI. Not sure what they thought they will get out of this. I don't think the government cares about security, but they are vengeful.
By @mariodiana - 5 months
So, the trick here would be to purchase a ticket with a major airline, pack a no-no in your carry-on, and then bypass TSA security by adding yourself to the Known Crew Member list of a small airline using the third-party FlyCASS system, via the SQL-injection. You'd then board the major airline with the no-no. Is that the vulnerability?
By @4gotunameagain - 5 months
The safety of airports and air travel compromised by a simple SQL injection ?

What is it, the year 2000 ?

It should be a criminal offence for whoever developed that system.

By @yard2010 - 5 months
I wouldn't get myself into this honestly. Wrong turn and you're a terrorist. Especially with how crooked and backward the people responsible for it seem.
By @0xbadcafebee - 5 months
Very brave of them to report this. They're likely on no-fly lists for life now, and will probably be investigated by the FBI. The government does not like to be embarrassed.
By @robswc - 5 months
What mind-melting levels of incompetency. I would love to suggest pay raises so the Government can hire better individuals... but I worry the problem is so systemic it wouldn't do any good.

Everyone dropped the ball... and kept dropping it. The part where its handed to them on a silver platter and its essentially smacked away. Maddening.

By @dtx1 - 5 months
> 05/17/2024: Follow-up to DHS CISO about TSA statements (no reply)

> 06/04/2024: Follow-up to DHS CISO about TSA statements (no reply)

There should be a public Shitlist of Organisations that don't get the Benefit of Responsible Disclosure anymore, just a Pastebin drop linked to 4chan.

By @qwertox - 5 months
Straight to jail, if this had happened in Germany.

The TSA would have been the one suing you and would easily win.

By @dhx - 5 months
Why does KCM still need to exist? It doesn't help airlines nor air crew:

Pilot: "Years ago we’d get a random enhanced check (which just means go to TSA precheck) now and then. These days it’s 60% of the time, so it’s not possible to get a whole crew through KCM anymore, and we wait on each other because the jet can’t be boarded until the flight attendants are ALL through security, and with the 2022/2023 KCM random checks being so high, that just doesn’t happen. Honestly, I rarely use KCM anymore. I just walk through TSA precheck. The odds are we’re going there anyway so just cut to the chase and hit precheck."[1]

VIP treatments (including the likes of KCM) should be removed no matter if someone is a prime minister[2], media personality[3] or airline CEO. In this way, VIPs can experience the inadequate security processes and staffing levels that everyone else has to deal with, and hopefully with their louder voices will be able to force airports and government agencies to improve the situation for all.

[1] https://www.quora.com/As-a-pilot-how-does-it-feel-like-to-ha...

[2] https://www.theage.com.au/national/red-faces-as-nz-leader-ge...

[3] https://www.smh.com.au/traveller/travel-news/louise-milligan...

By @lubujackson - 5 months
Meanwhile, my wife just had a beautiful amethyst she bought as a birthday gift for my son stolen by security in Mexico because it "could be used as a weapon". I say stolen because they wouldn't throw it away and just smirked the whole time at her.

It is sadly an all-too-common occurrence when you give uneducated dimwits police-level power with no oversight and no recourse for anyone affected. I assume flexing government power is the real objective here since everybody knows that security is not.

By @wkirby - 5 months
Honestly, this is the most shocking part:

> We did not want to contact FlyCASS first as it appeared to be operated only by one person and we did not want to alarm them

It’s incredible (and entirely too credible) that this kind of “high security” integration could be built in such an amateur way: and a good reminder why government projects often seem to be run with more complexity than your startup devs might think is necessary.

By @jrochkind1 - 5 months
> We had difficulty identifying the right disclosure contact for this issue. We did not want to contact FlyCASS first as it appeared to be operated only by one person and we did not want to alarm them.

Wait, what? Is this a euphemism for they didn't believe they would take it seriously? Reporting it over their heads to DHS was probably not less "alarming" to anyone...

By @lysace - 5 months
> KCM is a TSA program that allows pilots and flight attendants to bypass security screening, even when flying on domestic personal trips.

This program seems like the root cause of the security issue.

(Outside of the US) I've often gone through security screenings just before or after crew groups in fast track, but otherwise normal security screening lanes.

By @qazxcvbnmlp - 5 months
Accessing CASS is a big deal, and should be fixed but you’re gonna need more than this to board an aircraft.

Also… you can fix all the SQL issues, but you’re still not going to be able to fix the “men in hoodies with a big wrench talk to an authorized administrator (while their kids are kidnapped in Mexico)”

By @system2 - 5 months
I feel like TSA is downplaying it to avoid public backlash. This is not childish or amateur. They are just doing what any government agency would do. If you speak up louder you will get arrested or screwed by some random agency knocking on your door, FYI.
By @SG- - 5 months
I wonder if TSA will audit the entire list. It also opens up more questions, like how long do accounts remain active? Are they simply assuming each airline will update pilot status? They clearly haven't been treating this system as important, it seems.
By @eduction - 5 months
I’m glad they uncovered and reported this but I’d be super reluctant to actually log in using purloined credentials if I were them. As macNchz says elsewhere in this discussion, CISA/TSA/DHS does not appear to make any assurances that they won’t prosecute what appears to be a facial CFAA violation just because someone is doing valid security research.

To be clear, I really hope they don’t, but they are also clearly trying to spin this in a way at odds with the researchers, and I’d hate to be in a position where they want to have leverage over me if I’d done this.

Brave that they did so though and I do think the severity of the vuln warrants this.

By @stuff4ben - 5 months
Security Theatre 3000... keeping us entertained
By @fennecbutt - 5 months
It's a stupid system anyway. Corrupt airline staff can easily bypass all security checks, bring a pistol in a handbag and leave that in the cabin luggage bin for prearranged pickup by an unscrupulous passenger or any sort of shenanigans.

How do they protect against corrupt staff? It's like they're not even thinking. Why don't they just fast track staff checks?

By @adamsb6 - 5 months
What’s so special about bar codes that the testers couldn’t create one themselves?

Are they cryptographically signed by a system that was inaccessible?

Or is it just a matter of figuring out the bar code format and writing out some KCM id?

By @Dove - 5 months
I can't find the essay now, but I remember reading something from years and years ago: Bruce Schneier arguing that it made sense for airline pilots to go through security with everyone else, in spite of the silly appearance, because the inherent complication in implementing a two tier system would both eat up efficiency gains and unavoidably introduce security flaws.

He convinced me at the time, but I wasn't expecting such an on-the-nose demonstration.

By @tbarbugli - 5 months
Makes you wonder why there have been no plane hijacks since 9/11. TSA does not seem a credible prevention mechanism given how easy it is to go around it.
By @radium3d - 5 months
Part of the issue here may be the policy of "need to know" for these high profile secret systems. If the only person who "needs to know" doesn't know what they're doing then the proper audits of the code will never be done.
By @lapphi - 5 months
I wonder how many entities knew about this before today
By @mdorazio - 5 months
Does anyone know how the KCM barcodes differ from employee IDs? Seems like TSA is indexing pretty heavily on those.
By @mvkel - 5 months
While this report is embarrassing for all involved, in a practical sense, I'd argue the security of this app was "fine."

What I mean: security through obscurity is imo the best situation to be in. You can't attack something if you don't know it exists in the first place. That alone gives this system a leg up over more exposed (but hardened) platforms.

Second, convenience always beats secure. Requiring password rotations is worse than requiring none at all, because people tend to find the path of least resistance (writing a password on a notepad instead of memorizing).

If it was faster/easier to ship a useful (but vulnerable) app, that's net better than the app not shipping at all because of security hurdles. I have to imagine sanitizing inputs doesn't take much more time to include, but I don't know the systems involved.

Ultimately, what damage was experienced here? We can throw out hypotheticals about what -could- have happened, but you can't sue every driver on the road because they -could- have hit you.

An insecure system served a useful purpose for years, got more secure, and continues ticking.

By @h_tbob - 5 months
Guys, I think you should not have done this. You can really piss a lot of people off doing that kind of stuff.
By @77pt77 - 5 months
Why do people even attempt to disclose this?

These guys are going to end up with some serious federal charges.

By @bahmboo - 5 months
Other issues aside my biggest takeaway is that no one at TSA employed even the most basic auditing of external systems accessing their secure process.
By @chihwei - 5 months
Well, government is being government. I never think bureaucracy could solve an issue when they could just hide it.
By @cratermoon - 5 months
Of course the worst part is TSA and Homeland Security trying to sweep everything under the rug and ignoring the problem.
By @tonymet - 5 months
this isn't a "weakest link breaks the chain" this is a chain with 10000 weak links and we found one.
By @gsanderson - 5 months
Like something you'd see in a movie and think "well, that could never really happen". Yikes.
By @killjoywashere - 5 months
Love reading this while sitting in the MCO terminal waiting to go home after the fourth non-stop flight in a week.
By @OneLeggedCat - 5 months
... and that was the last time Ian was allowed to fly without a printed boarding pass with SSSS on it.
By @ppeetteerr - 5 months
How is this a thing in 2024?
By @bigmattystyles - 5 months
Honestly, if I discovered and reported this, I'd be so scared of being charged with a crime under the CFAA or some other statute, there are just too many high profile faces that can be covered with egg here.

(edit) the charging guidelines are somewhat re-assuring but still https://www.justice.gov/opa/pr/department-justice-announces-...

By @systemvoltage - 5 months
If NYTimes or WSJ had any backbone or journalistic integrity, they would write a front page piece on this to fix our agencies from being defensive to bug reports, shed light to the horrid incompetency in these agencies and how there was no oversight to any of this. They would also protect the two individuals as white hat hackers and teach non-technical people that these are good guys. You know, the job of the press.
By @mhh__ - 5 months
SQL injection, a real blast from the past, like a child with mumps
By @thomasfl - 5 months
Little Bobby Tables' story is still a valuable lesson.
By @harha_ - 5 months
How can this even be possible? What the hell...
By @invalidlogin - 5 months
Who else emailed this to Frank Abagnale?
By @sergiotapia - 5 months
Yeah, I would not mess around with this and get put onto a for-life no-fly list, dude. You even wrote data to the prod system, Christ!
By @rekoros - 5 months
Great work and writing - thank you!
By @d4mi3n - 5 months
Bobby Tables strikes again!

https://xkcd.com/327/

I’m continually amused, amazed, and exasperated at how classes of software defects older than I am continue to be a problem.

By @UniverseHacker - 5 months
Hilarious that the entire TSA system is vulnerable to the most basic web programming error that you generally learn to avoid 10 minutes into reading about web programming- and that every decent quality web framework automatically prevents.

It is really telling that they try to cover up and deny instead of fix it, but not surprising. That is a natural consequence of authoritarian thinking, which is the entire premise and culture of the TSA. Any institution that covers up and ignores existential risks instead of confronting them head on will eventually implode by consequences of its own negligence- which hopefully will happen to the TSA.

By @samch - 5 months
Little Bobby Tables strikes again:

https://xkcd.com/327/

By @radium3d - 5 months
Lol, that's the oldest trick [fail?] in the book
By @bambax - 5 months
This shows that anyone with the slightest motivation to do harm would have zero difficulty replaying 9/11.

The reason there aren't more terrorist attacks isn't because various security agencies around the world protect us from them. It's because there are extremely few terrorists.

By @hypeatei - 5 months
I hate the TSA with every ounce of my being and these articles reinforce why. Incompetent and useless agency that only serves to waste people's time. Can't believe it still exists; 9/11 and the Bush administration really did a number on this country.
By @xyst - 5 months
TSA is a $10.4B [1] security theater and mistake born out of fear.

Out of that multibillion dollar budget, TSA allocates $10.4M for “cybersecurity staffing, as well as the development and implementation of enhanced cybersecurity-related measures to improve cyber resiliency across the U.S. Transportation Systems Sector.”

Glad to see our tax dollars working so effectively! \s

What a joke of a country this is

[1] https://www.tsa.gov/news/press/testimony/2023/03/29/fiscal-y...

By @rez0__ - 5 months
> Now that we are an administrator of Air Transport International...

LOL

> Unfortunately, our test user was now approved to use both KCM and CASS

smh...
