Few Americans have any confidence in the Transportation Security Administration (TSA), the sprawling security agency created in the wake of the September 11, 2001, terrorist attacks. Air travel has been made miserable for decades, with TSA clamping down tighter and tighter on what travelers may carry—the thwarted “shoe bomber” incident still has us taking our shoes off 20 years later.
After a foiled attempt by terrorists to mix chemicals to make a bomb, the TSA restricted liquids that could be carried on board to a tiny amount, leading to the absurdity of having to empty clear water bottles before getting on a plane. Lately they’ve been harassing passengers who bring peanut butter aboard to feed their kids by claiming the sticky substance is a “liquid” and is therefore banned.
If you need one more reason to lack confidence in the agency’s professionalism, here’s one: a bug in third-party software used by smaller airlines may have allowed fake pilots to get through TSA. Although the details are not clear, the bug apparently allowed airlines to place flight crew onto lists of known crew, therefore allowing them to bypass normal security screenings.
Security researchers Ian Carroll and Sam Curry discovered the flaw in the software supplied by vendor FlyCASS. This software interfaces with the TSA’s databases called Known Crew Member and the Federal Aviation Administration’s system Cockpit Access Security. The smaller carriers using FlyCASS were able to upload their crew names this way which allowed for security bypass.
Carroll and Curry say they reported the bug privately to the FAA and the U.S. Department of Homeland Security, which runs the TSA. And just recently, a new report shows that the TSA allowed 300 people to completely get around airport security since March, 2023. The agency called this “a larger number than we realized.”
According to Carroll and Curry, only the FAA has taken necessary action, while the TSA’s press department has “issued dangerously incorrect statements about the vulnerability.”
The software is vulnerable to manipulation because it allows hackers to insert what looks like correct and appropriate computer code. But in reality, the code is malicious and allows outsiders to get into these allegedly secure databases and manipulate the contents.
The TSA is objecting to the characterization of their protocols as lax, insisting that they use other measurements, not just the databases, “to verify the identity of crewmembers.”
Whether any Americans will believe this is a separate question.