I’ve seen huge issues, like exposed keys, being treated as a small issue, while an outdated JS library or lack of IPv6 support gets escalated.
I’m sure TSA and their partners want to downplay potential exposure. I’m also sure it’s hard for a lot of their managers to fully understand what the vulnerability entails (most likely their developers are downplaying their responsibility and pointing fingers at others).
Edit: Fixed a double negative (previously: This is the Transportation SECURITY Agency. If the managers involved here can't understand why this is a huge deal, they're not exceptionally unqualified for their jobs.)
> It’s very hard for management, even IT managers,
I'm confident that the grandparent's comment is correct.
TSA is closer to the issue than HSA; I'd wager big that they sense embarrassment.¹²
TSA management would have immediate access to people capable of framing the issue correctly, including their own parent agency. Their reaction was never going to be held back by technical facts.
¹ US Sec/LEO/IC agencies have a long and unbroken history of attacking messengers that bring embarrassment. There is ~no crime they are more dedicated to punishing.
² The world's easiest presupposition: Discussions took/are taking place on how they might leverage the CFAA to deploy revenge against the author.
No manager (or human) is perfect, mistakes happen; we need to be humble enough to listen and learn from mistakes.
I think DHS mid level manager yelled at a TSA mid level manager who reported this to the senior TSA officials and then their usual policy kicked in... deny/deflect/ignore
(It's very easy to believe the worst possible thing about every corner of our government, since every corner of our government has something bad about it. But it's a fundamental error to think that every bad thing is always present in every interaction.)
I didn't see any comment about them being contracted to do this at least.
If they had added themselves as known crewmembers and used that to actually bypass airport screening, then yeah, they'd be in jail.
Which is why Jury selection usually removes people who understand the situation.
I think it could go any which way. The prosecution could argue that the defendant may have tampered with existing records or deleted some. In this particular case, it’s probable that the system does not have any or adequate audit trails to prove what exactly transpired. Or the claim could be that the defendant exfiltrated sensitive data (or that the defendant is trying to hide it) to share with hostile entities.
Doing this under your own name is insane.
That just means the best minds from other, potentially less friendly countries, will do the picking. I doubt they will responsibly disclose.
https://bugcrowd.com/engagements/dhs-vdp
They've had that relationship for a few years now, so I'm guessing they're somewhat versed. TSA specifically might be less so, but I can't imagine the DHS referring anything to the DOJ for prosecution given that they both have a VDP for the entire department and advise other departments on how to run VDPs (via CISA).
But I might just be overly optimistic.
I can imagine an email to some generic email address could have gone down the way you describe, but I guess they look at these reports more professionally.
Kudos to the author for alerting DHS. Methodology questions aside, it sounds like the author did a service, by alerting of a technical vulnerability that would be plausible for a bad actor to seek out and successfully discover.
But regardless, I hope any new/aspiring security researchers don't read this writeup, and assume that they could do something analogous in an investigation, without possibly getting into trouble they'd sorely regret. Some of the lines are fuzzy and complicated.
BTW, if it turns out that the author made a legality/responsibility mistake in any of the details of how they investigated, then maybe the best outcome would be to coordinate publishing a genuine mea culpa and post mortem on that. It could explain what the mistake was, why it was a mistake, and what in hindsight they would've done differently. Help others know where the righteous path is, amidst all the fuzziness, and don't make contacting the proper authorities look like a mistake.
But that isn't even relevant when you can go traipsing through the SQL query itself just by asking; wouldn't matter how well the passwords were stored.
I’m not buying this. Feels more like they knew the site developer would just fix it immediately and they wanted to make a bigger splash with their findings.
Would you rather be prepared and do a full (well, for a govt agency, full enough) check on all people allowed to access flying death machines, or have a dev silently fix the issue with possible issues later?
It seems pretty remarkable that airlines are buying such a security sensitive piece of software from a one person shop. If you make it very far into selling any piece of SaaS software to most companies in corporate America, at the absolute minimum they're going to ask you for your SOC2 audit report.
SOC2 is pretty damn easy to get through with minimal findings as far as audits go, but there are definitely several criteria that should generate some red flags in your report if the company is operated by a single person. And I would have assumed that if you're writing software that integrates with TSA access systems, the requirements would be a whole lot more rigorous than SOC2.
You could be an "airline" by purchasing a couple of older airliners and converting them to cargo use. Is it valuable for new airlines to get started? Should we force them out of business because they don't already have the systems in place that take years to decades to build out? Should they pay $$$ for boutique systems designed for a large passenger airline when they have 2 aircraft flying 1 route between nowhere and nowhere?
Requirements and audits really aren't the answer here. The fundamental design problem is that the TSA has used authentication "airline XXX says you're an employee" with a very large blanket authorization "you're allowed to bypass all security checks at any airport nationwide" without even the basic step of "does your airline even operate here?"
Though given that airlines are responsible for the safety of their crew, passengers, and anyone in the vicinity of their aircraft, requiring them to do some basic vetting of their chosen vendors related to safety and security doesn’t seem unreasonable.
What is it, the year 2000?
It should be a criminal offence for whoever developed that system.
To think otherwise is beyond naive.
Everyone dropped the ball... and kept dropping it. The part where it's handed to them on a silver platter and it's essentially smacked away. Maddening.
> 06/04/2024: Follow-up to DHS CISO about TSA statements (no reply)
There should be a public Shitlist of Organisations that don't get the Benefit of Responsible Disclosure anymore, just a Pastebin drop linked to 4chan.
The TSA would have been the one suing you and would easily win.
Pilot: "Years ago we’d get a random enhanced check (which just means go to TSA precheck) now and then. These days it’s 60% of the time, so it’s not possible to get a whole crew through KCM anymore, and we wait on each other because the jet can’t be boarded until the flight attendants are ALL through security, and with the 2022/2023 KCM random checks being so high, that just doesn’t happen. Honestly, I rarely use KCM anymore. I just walk through TSA precheck. The odds are we’re going there anyway so just cut to the chase and hit precheck."[1]
VIP treatments (including the likes of KCM) should be removed no matter if someone is a prime minister[2], media personality[3] or airline CEO. In this way, VIPs can experience the inadequate security processes and staffing levels that everyone else has to deal with, and hopefully with their louder voices will be able to force airports and government agencies to improve the situation for all.
[1] https://www.quora.com/As-a-pilot-how-does-it-feel-like-to-ha...
[2] https://www.theage.com.au/national/red-faces-as-nz-leader-ge...
[3] https://www.smh.com.au/traveller/travel-news/louise-milligan...
It is sadly an all-too-common occurrence when you give uneducated dimwits police-level power with no oversight and no recourse for anyone affected. I assume flexing government power is the real objective here since everybody knows that security is not.
> We did not want to contact FlyCASS first as it appeared to be operated only by one person and we did not want to alarm them
It’s incredible (and entirely too credible) that this kind of “high security” integration could be built in such an amateur way: and a good reminder why government projects often seem to be run with more complexity than your startup devs might think is necessary.
This program seems like the root cause of the security issue.
(Outside of the US) I've often gone through security screenings just before or after crew groups in fast track, but otherwise normal security screening lanes.
Also… you can fix all the SQL issues, but you’re still not going to be able to fix the “men in hoodies with a big wrench talk to an authorized administrator (while their kids are kidnapped in Mexico)”
To be clear, I really hope they don’t, but they are also clearly trying to spin this in a way at odds with the researchers, and I’d hate to be in a position where they want to have leverage over me if I’d done this.
Brave that they did so though and I do think the severity of the vuln warrants this.
How do they protect against corrupt staff? It's like they're not even thinking. Why don't they just fast track staff checks?
Are they cryptographically signed by a system that was inaccessible?
Or is it just a matter of figuring out the bar code format and writing out some KCM id?
He convinced me at the time, but I wasn't expecting such an on-the-nose demonstration.
What the US lacks in cybersec, it tends to make up for with IRL pew pews...
What I mean: security through obscurity is imo the best situation to be in. You can't attack something if you don't know it exists in the first place. That alone gives this system a leg up over more exposed (but hardened) platforms.
Second, convenience always beats secure. Requiring password rotations is worse than requiring none at all, because people tend to find the path of least resistance (writing a password on a notepad instead of memorizing).
If it was faster/easier to ship a useful (but vulnerable) app, that's net better than the app not shipping at all because of security hurdles. I have to imagine sanitizing inputs doesn't take much more time to include, but I don't know the systems involved.
Ultimately, what damage was experienced here? We can throw out hypotheticals about what -could- have happened, but you can't sue every driver on the road because they -could- have hit you.
An insecure system served a useful purpose for years, got more secure, and continues ticking.
Besides, I am not sure what sort of "security through obscurity" you are talking about? Ian and Sam found it, and frankly - with a public page, page title + first h1 tag clearly stating that this relates to a Cockpit Access system, this has got to show up in a shit ton of security research search engines instantly.
Two guys from (or based in) the Midwest:
Ian did his first DEFCON talk a couple weeks ago (https://x.com/iangcarroll), and Sam (the other author), was the guy that a couple years back Google accidentally sent 200K USD to, and has 81K X followers, and was recently singing the praises of that much lauded recent PHRACK article on "Hacking means understanding the world" (that was also popular round here): https://x.com/samwcyo/status/1823571295189008601
They both seem like legit security researchers from their X feeds.
I guess that petulance-tinged adolescent attitude is like the secret handshake of the security researcher world, which sounds too disparaging -- but it's not meant to be...only that probably that's what you need to expect from folks who "understand the world", where they're smarter, what's broken, and should be fixed.
I get how that attitude rubs people the wrong way and causes more harm than good - but I don't mind it much myself - I guess I just set high expectations for the kind of impact such folks could have, and I think they could have more impact if they adopted a more professional, collegiate attitude in their way of working.
But I guess that comes with the territory. Because it's really only the "outsiders" who will sit around poking at things to figure out how they work, and how to fix em, make em better. Those who feel themselves to be "rejects" from the normal world, in a sense, are always gonna carry a bit of the tinge of that perspective with them. But, whaddayagonnado? Those are really only gonna be the ones who "understand the world", so you have to rely on them. Odd couples, that pairing. Between industry and these hackers.
<knock> <knock>'d
These guys are going to end up with some serious federal charges.
Time and time again these cancerous institutions have shown that their only interest is in surviving and they attempt that by concealing the flaws and brutally harassing the people that report them.
At this point only useful idiots give them the benefit of the doubt.
(edit) the charging guidelines are somewhat re-assuring but still https://www.justice.gov/opa/pr/department-justice-announces-...
I’m continually amused, amazed, and exasperated at how classes of software defects older than I am continue to be a problem.
Bobby is growing up
It is really telling that they try to cover up and deny instead of fix it, but not surprising. That is a natural consequence of authoritarian thinking, which is the entire premise and culture of the TSA. Any institution that covers up and ignores existential risks instead of confronting them head on will eventually implode by consequences of its own negligence- which hopefully will happen to the TSA.
The article mentions that FlyCASS seems to be run by one person. This isn't a matter of technical chops, this is a matter of someone who is good at navigating bureaucracy convincing the powers that be that they should have a special hook into the system.
What should really be investigated is who on the government side approved and vetted the initial FlyCASS proposal and subsequent development? And why, as something with a special hook into airline security infrastructure, was it never security audited?
Some quick googling shows the FlyCASS author used to work for a small airline, so this may piggyback off of his prior experience working with these systems for that job. He just turned it into a separate product and started selling it.
The biggest failure here is with ARINC for not properly securing such a critical system for flight safety.
Authentication should not need to be re-implemented by every single organization. We should have official auth servers so that FlyCASS doesn't need to worry about identity management and can instead just hand that off to id.texas.gov (or whatever state they operate from) the same way most single-use tool websites use Google's login.
Is their name Jia Tan, by chance?
I would love to know how one can get what I'd imagine is at least a 6 figures contract with the government? How does this work?
I imagine the author of FlyCASS must be making a good amount of money off their product.
I wonder if they just subcontract everything? One popular hack of the preferences they give to veterans and minorities in government procurement is to have essentially one person fronts that get maximum preference and which subcontract everything to a real company at a markup.
Or it's bureaucracy being bureaucracy. The TSA is a lot of security theater anyways.
It's supposed to give you the illusion of security while giving DHS a bigger budget, and it employs a lot of low skilled workers.
It is what you should think of when you think "big, dumb government."
[1] https://abcnews.go.com/US/tsa-fails-tests-latest-undercover-...
That's a problem with authoritarian organisations/regimes in general. They value loyalty over competence and you end up with people being in positions they shouldn't be in.
I'm not suggesting this is what they have done here, but this is exactly what authoritarian governments do. Straight from the pneumatic into the furnace.
Because it's a scam and the system is a grift.
I'm a pilot and own a private aircraft. Landing at any airport, even my home airport, which is restricted by TSA, is legal without any special requirement or background check. In fact, I have heard horror stories where TSA wouldn't let a pilot retrieve their aircraft for some bullshit administrative reason or another, so they enlisted a friend with a helicopter to drop them into the secure area to fly it out. Perfectly legal. The fact that the system can be brought down with a SQL attack is the least of it.
We haven’t had a large commercial plane go down in over 10 years since 9/11. Everyone that comes to the USA has been fully screened, vetted, and background checked. We’re all very safe. Mayorkas at the DHS has made sure there aren’t any terrorists in our homeland because the government only exists to protect us from danger and make our lives better.
They make it sound like the job pool between the public and private sector is completely separate when many people move back and forth between the two.
Take away the accountability that often governs the private sector and that seems to be the recipe for situations like this.
There are oodles and oodles of apps like this powering our daily lives.
The reason there aren't more terrorist attacks isn't because various security agencies around the world protect us from them. It's because there are extremely few terrorists.
Pre-9/11, the expectation was you don't draw attention to yourself, wait it out, you're going to have a long day and a story to tell. Post-9/11, the expectation is you fight for your life.
Better cockpit doors and access hygiene probably come second.
"Post-9/11" began minutes after the first planes found their targets. Flight 93—the one that crashed in Pennsylvania—never made it because the passengers revolted after hearing about the other planes.
It only took a few minutes for the calculus to change. Knowing what was up, those passengers flipped from wait-and-see mode to fuck-you mode. This is pretty good evidence that you're right: the biggest increase in security was and still is that passengers will not be meek anymore.
While that may be a factor, there's never any news about this happening, except maybe shortly after 9/11 with shoe or underwear bombs.
The attacks of September 11th 2001 are fundamentally not reproducible irrespective of whether there is _any_ security screening at airports.
The default assumption before that morning was that a hijacked plane would fly around for a bit, then land. The default assumption afterwards is that it will be crashed if a hijacker is allowed to gain control, so the calculus on passenger intervention is quite different.
How so? The delay between the hijacking and the crashes into the buildings for both planes was around 40 minutes... even if there were jet fighters ready to go at the time, the lack of knowledge of the hijacking being in progress for much of this time and the short delay make this kind of attack still feasible.
What actually improved our chances to avoid such attacks are the limited access to the cockpit and the processes pilots must follow in case of hijacking.
The measures at the airport are to limit the risks of hijackings to begin with.
There's plenty of terrorists, but destabilisation of Middle East diverted them away from continental US. Wasn't that the whole point of Afghanistan and Iraq wars?
I put on my critical thinking hat and look at the timeline of "US meddling in the Middle East" and "first terror attack in the US by a middle eastern".
I then notice that the years are 1948 and 1993 respectively and that wet roads actually do not cause rain after all.
The planning for 9/11 took several years, $500k in financing, and had a lot of moving parts between recruiting, research, travel/visas, flight training etc. It's hard to believe that people motivated at that level would truly be deterred by what you see happening at the typical American airport these days.
So are they stopping anything serious? It's a safe bet they're not.
But the counterpoint to that is that a gunman almost succeeded in killing Trump despite showing the behaviours online and offline of your stereotypical amateur assassin.
I'm a little butthurt right now, in particular, about the security at Heathrow. They confiscated a bottle of whisky that we got in Edinburgh. After 10 minutes of head-scratching and consulting with a supervisor, they concluded that "it does not say 100ml" (it had "10cl" cast into the glass) and "even then, that is just the size of the bottle, not the liquid inside it." What an incredible demonstration of intelligence there.
They gave us a receipt and said we could have it shipped. We checked when we got home. 130 GBP with shipping. Ended up just buying a 700ml bottle from an importer, cost about half as much.
1. Ok, security is bad, what are you going to do? Go to different, competing security?
2. Nobody wants to be the politician that relaxes the security right before an accident, even if the accident wouldn't be prevented with tighter security anyway.
That's largely due to the US and 9/11. In fact, the US even pressures other countries into creating a separate mini TSA at their boarding gate for flights that fly into the US.
For one, why is it that every TSA checkpoint feels like it was scrambled together? 9/11 was a long time ago. There's no reason why checkpoints can't have better signage, clearer instructions for what should or shouldn't go on a conveyor belt, an efficient system for returning containers (I've lost count of how many times the line was held up because employees didn't feel like bringing over a stack of containers in clear view), and so on. The checkpoints do seem to go a bit faster than they used to a long time ago, but it's still a frustrating process that makes me feel like an imbecile every time I use it. I do my best to follow directions, but directions are often lacking so I have to use my best judgment from past experience, and often get yelled at anyway. Does the TSA want to be hated?
Secondly, there have been multiple occasions where I've made it through the security checkpoint with items that should obviously set off red flags. I recently made it through with a humongous center punch which, while not sharp like a knife, could do some serious damage to another person if used as a weapon. Got it through with no questions asked. I've also gotten through with scissors, knives, strangely shaped electronics, a custom-built electronic device that a naive person could see as suspicious, and so on. Never have I been stopped for those things.
But laptops and e-readers? I'd better not forget one of them in my carry-on bag or I'm gonna get shouted at and be forced to re-run the bag through the scanner again. I can get through with sharp metallic tools and weird unlabeled boxes with wires hanging out of them, but I can't leave my kindle in my backpack? And what about the humongous battery packs I carry? No problem having 2 or 3 of those in my bag. I guess my Macbook Air or my e-reader possess uniquely dangerous powers I don't comprehend. Even if I try to comply with the "laptops out of your bag" rule, I might still get shouted at if I place it in a container instead of right on the conveyor belt... or if I place it in a container with some other belongings next to it.
Maybe the TSA stops terrorists that are as stupid as they are, which I guess is a good thing. But how good can stupid people be at catching other stupid people? Is it really worth it to waste everyone else's time and to treat them like crap in the process?
Yup, not surprised that the TSA also reacts with as much stupidity to cybersecurity flaws. If I became supreme leader overnight, I would work to completely dismantle the TSA and rebuild it from scratch. There doesn't appear to be any value in that agency that can't be easily replaced with something better.
Because all airport security is reactionary. They don't try to anticipate what an attacker might do, and how they could prevent that. They simply add one more item to a check-list of "no good" items or of "must be separately screened" items.
Therefore, because, one time, someone tried to ignite their shoes, there's now a checkbox that says: "shoes must be scanned separately".
As well, because, one time, someone purportedly tried to mix together two liquids into an explosive that they brought on board in bottles, you are now limited to 100ml max in any bottle, but you can freely walk in with a 7-11 64oz Big Gulp cup and they won't blink an eye. The "bottles" are on the check-list, but the check-list has no entry (yet) for "64oz 7-11 Big Gulp".
Out of that multibillion dollar budget, TSA allocates $10.4M for “cybersecurity staffing, as well as the development and implementation of enhanced cybersecurity-related measures to improve cyber resiliency across the U.S. Transportation Systems Sector.”
Glad to see our tax dollars working so effectively! \s
What a joke of a country this is
[1] https://www.tsa.gov/news/press/testimony/2023/03/29/fiscal-y...
LOL
> Unfortunately, our test user was now approved to use both KCM and CASS
smh...