A Hacker Helped Shore Up This Airline Security Flaw
But not before publishing a blog post titled "How to completely own an airline in 3 easy steps and grab the TSA nofly list along the way"
It’s been a big month for outdated technology in the airline industry.
Last October, Southwest pilots began alleging that “[the company’s] technology [was] simply not up to the task of efficiently scheduling staffing,” as ZDNET detailed. Shortly thereafter in December, the airline cancelled 5,500 flights in two days, citing “antiquated computer systems” and “tedious” manual processes as the reasons for its inability to swiftly recover from the meltdown.
Little more than two weeks after that, an FAA system outage caused thousands of flight delays in the U.S. It was later revealed that a contractor had deleted some crucial files required by the system, but not before the Department of Transportation raised concerns about the age of the system in question.
If there’s a silver lining to be gleaned from either of those scenarios, it’s that neither of them arose from any sort of cybersecurity breach. The same cannot be said about the Swiss hacker who recently got her hands on the TSA’s no-fly list.
According to a report from The Daily Dot, a hacker known as “maia arson crimew” was able to tap into an unsecured server which held a document that “contained the identities of hundreds of thousands of individuals from the U.S. government’s Terrorist Screening Database and ‘No Fly List.’” Crimew documented her feat in a blog post titled “How to completely own an airline in 3 easy steps and grab the TSA nofly list along the way.”
“[A]t this point i’ve probably clicked through about 20 boring exposed servers with very little of any interest, when i suddenly start seeing some familiar words. ‘ACARS,’ lots of mentions of ‘crew’ and so on,” she detailed in the post. As Forbes reported, ACARS is an acronym for Aircraft Communications, Addressing and Reporting System — a digital communication system between aircraft and ground stations. She eventually stumbled on an exposed server belonging to regional airline CommuteAir, which held a file called nofly.csv.
The list, according to crimew, appeared to have more than 1.5 million entries — of legal names, aliases and birth dates — in total, including a number of notable figures, Russian arms dealer Viktor Bout chief among them. CommuteAir later confirmed that it was an outdated iteration of the list, and not TSA’s full Terrorist Screening Database, which is not provided to airlines.
Nevertheless, the airline immediately took the document offline after crimew reached out to them directly to let them know what she had done. “She basically explained what she had found,” a CommuteAir spokesperson said. “And then she gave us enough time to reply and to pull our resources together and communicate with our employees before anything was ever made public.”
That doesn’t erase the fact that it happened. “[Breachable servers are] way more common than you would think, with these massive holes,” crimew told Forbes. Which also means that, in the absence of newer and more secure technology, it could potentially happen again. After all, this was reportedly crimew’s first venture into “anything aviation.”
In short, it’s high time other airlines take a page out of Southwest’s book. The Dallas-based carrier just budgeted more than $1 billion for upgrading its IT systems.