A hacker has won a brilliant prize at the end of the cyber rainbow: the Transportation Security Administration’s no-fly list, as first reported by the Daily Dot.
“TSA is aware of a potential cybersecurity incident and we are investigating it in conjunction with our federal partners,” a TSA spokesperson said in an email to UKTN.
In a blog post titled “How to Fully Own an Airline in 3 Easy Steps and Grab the TSA No Fly List Along the Way,” a Swiss hacker known as “maia arson crimew” describes how boredom led her to hunt the Internet for exposed Jenkins servers, the open source automation tool. The hacker’s Twitter bio describes an “indicted hacktivist/security researcher, artist, mentally ill enby polyam trans lesbian anarchist kitten (θΔ), age 23.”
In March 2021, crimew was indicted by a grand jury in the United States on criminal charges related to her alleged hacking activity between 2019 and 2021, according to her Wikipedia page, which she believes is accurate.
Crimew’s blog post tells the story of an accidental discovery. “Right now I’ve probably been clicking through 20 or so boring exposed servers with very little interest when suddenly I start seeing some familiar words. ‘ACARS’, many mentions of ‘crew’ and so on,” she writes. ACARS is an acronym for Aircraft Communications, Addressing and Reporting System, a digital communication system between aircraft and ground stations.
Then came the payout: “jackpot. an exposed Jenkins server from CommuteAir,” writes crimew. After poking around the server, she finally came across a file called nofly.csv.
“I had them in full possession in less than a day,” she writes, “with virtually no skill required” aside from patience.
“That was actually my first experience with anything to do with aviation,” Crimew tells UKTN.
CommuteAir, one of six regional airlines operating under the United Express umbrella, flies a fleet of 50-seat Embraer ERJ145 jets from its hubs in Denver, Houston and Washington, D.C. to about four dozen small airports across the country.
CommuteAir first learned of the breach from crimew herself. “She actually explained what she had found,” says a CommuteAir spokesperson. “And then she gave us enough time to respond and to pool our resources and communicate with our employees before anything was ever made public.”
The hacked server was not the airline’s main server, but one used for testing and development, the airline spokesperson said. “She was able to abuse the default settings.”
“We immediately took it offline,” says the CommuteAir spokesperson. “We went into cleanup mode as soon as we learned that we had been exploited, that she had entered our system.”
Fragile servers are “a lot more common than you might think, with these huge holes,” says crimew, adding that she wasn’t surprised to discover a weakness at a small airline. “The aviation space operates on very tight budgets, as far as I know.”
Our country’s outdated aviation systems have recently made headlines. Earlier this month, the Federal Aviation Administration (FAA) grounded all domestic flights for several hours due to a malfunction in the agency’s 30-year-old Notice to Air Missions system, known as NOTAM, while Southwest Air just pledged $1 billion to its computer systems after a spectacular Christmas crisis led to 17,000 canceled flights in the last days of December.
The airline confirms that the hacker accessed “an outdated 2019 version of the federal no-fly list with first and last name and date of birth,” but emphasized that it was not the full Terrorist Screening Database, which is not provided to airlines.
The TSA no-fly list is a small subgroup of individuals in the Terrorist Screening Database, more commonly known as “the watchlist,” that the FBI says are “known or reasonably suspected to be involved in terrorist activity.”
While the details of the TSA’s no-fly list are notoriously opaque, it has traditionally focused on international terrorists. A 2016 press release from Senator Dianne Feinstein said there were about 1,000 Americans on the list out of a total of about 81,000 names — or about 1% of suspected passengers.
UKTN has received a copy of the nofly.csv file and a second file called selectee.csv, another subset of the Terrorist Screening Database.
The 2019 no-fly list has just over 1 million entries, with multiple aliases for many people on the list. For example, as the Daily Dot reported, the no-fly database lists at least 17 aliases for Russian arms dealer Viktor “Merchant of Death” Bout, who was released from US custody last month in a prisoner exchange for WNBA star Brittney Griner.
“It’s just the fact that 90% of the names I saw scrolling by all sound very Arabic and some Russian sounding names. And that’s basically the whole list,” says crimew. “There are certainly also Europeans. There are some IRA people there. But there is a very clear focus on Arab countries.”
Crimew “also discovered access to a database of personally identifiable information belonging to CommuteAir employees,” a statement from CommuteAir said. “Based on our initial investigation, no customer data has been released.” CommuteAir has reported the data exposure to the Cybersecurity and Infrastructure Security Agency.
“While the nature of this information is sensitive, I believe it is in the public interest that this list be made available to journalists and human rights organizations,” writes crimew, inviting journalists, investigators and others “with a legitimate interest” to contact her via email or Twitter, adding, “I will only give this information to parties I believe will do the right thing with it.”
Crimew says she has been approached by “15 to 20 journalists” since publishing her findings a day ago, but has not heard back from the TSA or any other government agency.
“No one at all,” she says.