Waiting at airports is a universal annoyance, but hackers Ian Caroll and Sam Curry discovered a silver lining for one group: airline crew members. In the U.S., the Known Crew Member (KCM) program allows pilots and flight attendants to bypass the usual security checks, even on private domestic flights. With 77 airlines participating—primarily smaller carriers—this system is designed to streamline crew access. However, Caroll and Curry found that the security systems protecting this privilege are alarmingly vulnerable.
The hackers unearthed a critical flaw through SQL injection, a method where malicious SQL commands are inserted into an input field to manipulate databases. Caroll documented their findings in a blog post, detailing how this method allowed them to bypass security measures and access sensitive airline databases.
The implications are significant. The vulnerability enabled hackers to potentially slip past security checks and even gain cockpit access. While this issue is currently confined to U.S. domestic flights, there’s uncertainty about its impact on international flights or in other countries like Germany.
Despite reporting the vulnerabilities to security authorities, Caroll and Curry faced a frustrating lack of response. The Department of Homeland Security did not address their concerns adequately, and the TSA issued misleading statements about the severity of the flaw. The hackers suspect that additional security weaknesses may still be present in the system.
As the aviation industry grapples with these revelations, the focus shifts to addressing these critical vulnerabilities and ensuring that such breaches are not just patched but thoroughly examined to prevent future exploitation.