Bypassing airport security via SQL injection
We discovered a serious vulnerability in the Known Crewmember (KCM) and Cockpit Access Security System (CASS) programs used by the Transportation Security Administration.

ARINC operates a few central components, including an online website for pilots and flight attendants to check their KCM status, and an API to route authorization requests between different airlines. Anyone with basic knowledge of SQL injection could log in to this site and add anyone they wanted to KCM and CASS, allowing themselves to both skip security screening and then access the cockpits of commercial airliners. Unfortunately, instead of working with us, the Department of Homeland Security stopped responding to us, and the TSA press office issued dangerously incorrect statements about the vulnerability, denying what we had discovered.
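The class of flaw described above is a login check that splices user input into the SQL text. The following is an added illustration, not code from the article or from ARINC's systems: a constructed in-memory SQLite table with a made-up user, a string-concatenated login check of the kind the article describes, and the parameterized version that fixes it. Table layout, names and credentials are assumptions for the demonstration only.

```python
import sqlite3

# Constructed sample data: a minimal users table with one made-up account.
# The schema and the plaintext password are assumptions for this demo only;
# a real system would store a password hash, not the password itself.
SAMPLE_USERS = [
    ("alice", "correct-horse"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Defective check: input becomes part of the SQL text.

    A quote character in either field changes the structure of the
    WHERE clause, so the database no longer evaluates the comparison
    the developer intended.
    """
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Hardened check: bound parameters keep input as data.

    The query text is fixed at development time; the driver sends the
    values separately, so quotes in the input are compared literally.
    """
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    """Run both checks with valid credentials and with a quote-bearing input.

    Returns a dict so the outcomes can be inspected or asserted on.
    """
    conn = make_db()
    # Input containing a single quote: the classic textbook tautology.
    injected = "' OR '1'='1"
    return {
        "vulnerable_valid": login_vulnerable(conn, "alice", "correct-horse"),
        "vulnerable_injected": login_vulnerable(conn, injected, injected),
        "safe_valid": login_safe(conn, "alice", "correct-horse"),
        "safe_injected": login_safe(conn, injected, injected),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The vulnerable check accepts the quote-bearing input because the resulting WHERE clause is true for every row; the parameterized check rejects it because the same bytes are compared as an ordinary string. A code review or static-analysis rule that flags string concatenation into `execute()` catches the defect before it reaches production.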
