Critical SQL Injection Vulnerability in FlyCASS Puts Airport Security Screening and Cockpit Access Controls at Risk
Security researchers discovered critical SQL injection vulnerabilities in the FlyCASS system, allowing unauthorized access to add fake employees to KCM and CASS programs, potentially bypassing airport security and cockpit access controls.
Introduction: The Known Crewmember System and Its Security Implications
Like many, Sam Curry and I spend a lot of time waiting in airport security lines. If you do this enough, you might sometimes see a special lane at airport security called Known Crewmember (KCM). KCM is a TSA program that allows pilots and flight attendants to bypass security screening, even when flying on domestic personal trips.
The KCM process is fairly simple: the employee uses the dedicated lane and presents their KCM barcode or provides the TSA agent their employee number and airline. Various forms of ID need to be presented while the TSA agent’s laptop verifies the employment status with the airline. If successful, the employee can access the sterile area without any screening at all. A similar system also exists for cockpit access, called the Cockpit Access Security System (CASS). Most aircraft have at least one jumpseat inside the cockpit sitting behind the flying pilots. When pilots need to commute or travel, it is not always possible for them to occupy a revenue seat, so a jumpseat can be used instead. CASS allows the gate agent of a flight to verify that the jumpseater is an authorized pilot. The gate agent can then inform the crew of the flight that the jumpseater was authenticated by CASS.
The Critical Role of Employment Verification
The employment status check is the most critical component of these processes. If the individual doesn’t currently work for an airline, they have not had a background check and should not be permitted to bypass security screening or access the cockpit. This process is also responsible for returning the photo of the crewmember to ensure the right person is being authorized for access. So how does this work, when every airline presumably uses a different system to store their employee information? That is what we were wondering, and where it gets interesting…
ARINC: The Central Hub for KCM and CASS
ARINC (a subsidiary of Collins Aerospace) appears to be contracted by the TSA to operate the Known Crewmember system. ARINC operates a few central components, including an online website for pilots and flight attendants to check their KCM status, and an API to route authorization requests between different airlines. Each airline appears to operate their own authorization system to participate in KCM and CASS, and it interacts with the “hub” of ARINC.
The TSA and airlines can send requests such as CockpitAccessRequest and CrewVerificationRequest to ARINC, which then routes them to the appropriate airline’s system and receives the response. There are 77 airlines currently participating in KCM. While larger airlines have likely built their own system, how do smaller airlines respond to these requests to participate in KCM or CASS?
FlyCASS.com: A Vulnerable Authorization System
In our search for vendors that actually run the authorization systems, we found a site called FlyCASS which pitches small airlines a web-based interface to CASS. Intrigued, we noticed every airline had its own login page, such as Air Transport International (8C) being available at /ati. With only a login page exposed, we thought we had hit a dead end.
Just to be sure though, we tried a single quote in the username as a SQL injection test, and immediately received a MySQL error. Uh oh. This was a very bad sign, as it seemed the username was directly interpolated into the login SQL query. Sure enough, we had discovered SQL injection and were able to use sqlmap to confirm the issue. Using the username of ' or '1'='1 and password of ') OR MD5('1')=MD5('1, we were able to login to FlyCASS as an administrator of Air Transport International!
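The login defect described above, as an added example that is not code from the original post or from FlyCASS: the interpolated query is an assumed shape reconstructed from the two quoted payloads, shown beside the parameterised form that closes the hole. It uses sqlite3 with a registered MD5() standing in for MySQL's built-in, and a constructed one-row users table.

```python
import hashlib
import sqlite3

# Constructed stand-in for FlyCASS's login table; the real schema is unknown.
# The query shape (username and MD5(password) inside one parenthesised WHERE
# clause) is an assumption inferred from the payloads quoted in the post.
def make_db():
    conn = sqlite3.connect(":memory:")
    # MySQL has a built-in MD5(); register an equivalent so the page's
    # payloads behave the same way under sqlite.
    conn.create_function("MD5", 1, lambda s: hashlib.md5(str(s).encode()).hexdigest())
    conn.execute("CREATE TABLE users (username TEXT, password_md5 TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('ati_admin', MD5('hypothetical-pw'), 'admin')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """User input is pasted straight into the SQL text (the FlyCASS defect)."""
    sql = ("SELECT username, role FROM users WHERE (username = '%s' "
           "AND password_md5 = MD5('%s'))" % (username, password))
    return conn.execute(sql).fetchone()

def login_fixed(conn, username, password):
    """Same check with bound parameters: input is treated as data, never as SQL."""
    sql = ("SELECT username, role FROM users WHERE username = ? "
           "AND password_md5 = MD5(?)")
    return conn.execute(sql, (username, password)).fetchone()

def single_quote_breaks_query(conn):
    """The post's first probe: a lone quote makes the vulnerable query fail to parse."""
    try:
        login_vulnerable(conn, "'", "x")
    except sqlite3.OperationalError:
        return True
    return False

# The two payloads quoted in the post.
INJ_USER = "' or '1'='1"
INJ_PASS = "') OR MD5('1')=MD5('1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, INJ_USER, INJ_PASS))  # admin row, no password
    print("fixed:     ", login_fixed(db, INJ_USER, INJ_PASS))       # None
```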
KCM and CASS Administration Vulnerabilities
It turns out that FlyCASS also operates both KCM and CASS for its participating airlines. Now that we are an administrator of Air Transport International, we are able to manage the list of pilots and flight attendants associated with them. Surprisingly, there is no further check or authentication to add a new employee to the airline. As the administrator of the airline, we were able to add anyone as an authorized user for KCM and CASS.
To test that it was possible to add new employees, we created an employee named Test TestOnly with a test photo of our choice and authorized it for KCM and CASS access. We then used the Query features to check if our new employee was authorized. Unfortunately, our test user was now approved to use both KCM and CASS.
At this point, we realized we had discovered a very serious problem. Anyone with basic knowledge of SQL injection could login to this site and add anyone they wanted to KCM and CASS, allowing themselves to both skip security screening and then access the cockpits of commercial airliners. We ended up finding several more serious issues but began the disclosure process immediately after finding the first issue.
Disclosure and Response Challenges
We had difficulty identifying the right disclosure contact for this issue. We did not want to contact FlyCASS first as it appeared to be operated only by one person and we did not want to alarm them. On April 23rd, we were able to disclose the issue to the Department of Homeland Security, who acknowledged the issue and confirmed that they “are taking this very seriously”. FlyCASS was subsequently disabled in KCM/CASS and later appears to have remediated the issues.
After the issue was fixed, we attempted to coordinate the safe disclosure of this issue. Unfortunately, instead of working with us, the Department of Homeland Security stopped responding to us, and the TSA press office issued dangerously incorrect statements about the vulnerability, denying what we had discovered.
The TSA press office said in a statement that this vulnerability could not be used to access a KCM checkpoint because the TSA initiates a vetting process before issuing a KCM barcode to a new member. However, a KCM barcode is not required to use KCM checkpoints, as the TSO can enter an airline employee ID manually. After we informed the TSA of this, they deleted the section of their website that mentions manually entering an employee ID, and did not respond to our correction. We have confirmed that the interface used by TSOs still allows manual input of employee IDs.
Several other attacks were also likely possible. Since our vulnerability allowed us to edit an existing KCM member, we could have changed the photo and name of an existing enrolled user, which would likely bypass any vetting process that may exist for new members. If you are able to obtain an unenrolled KCM barcode, you can also enroll it to an employee ID yourself on the KCM website.
Timeline of Events
- 04/23/2024: Initial disclosure to ARINC and FAA
- 04/24/2024: Subsequent disclosure to DHS via CISA
- 04/25/2024: DHS CISO confirms they are working on a resolution
- 05/07/2024: DHS CISO confirms FlyCASS was disconnected from KCM/CASS
- 05/17/2024: Follow-up to DHS CISO about TSA statements (no reply)
- 06/04/2024: Follow-up to DHS CISO about TSA statements (no reply)
Collaborators
- Ian Carroll (https://twitter.com/iangcarroll)
- Sam Curry (https://twitter.com/samwcyo)
Frequently Asked Questions
What is the KCM system?
KCM is a TSA program that allows pilots and flight attendants to bypass airport security screening, even when flying on domestic personal trips.
How does SQL injection threaten airport security?
Through SQL injection, an attacker could gain unauthorized access to the FlyCASS system and add fake employees to KCM and CASS, thereby bypassing security screening and gaining access to the cockpit.
How serious was the FlyCASS vulnerability?
According to the researchers' findings, the vulnerability allowed anyone to add themselves as an authorized user, a serious threat to aviation security that could have been used for malicious purposes.
Was the TSA's response to the vulnerability adequate?
The TSA initially denied the vulnerability's impact and deleted the relevant information from its website, but the researchers confirmed that the manual employee ID entry function still exists, which shows the response was inadequate.
How can similar vulnerabilities be prevented?
Strict input validation, parameterized queries, regular security audits, and an effective vulnerability disclosure and response process should be put in place.