A Swiss cyber security researcher with time on her hands and a healthy curiosity has managed to breach the not-so-secure servers of a United States airline, and has walked away with its copy of the federal no-fly list.
The researcher, who goes by the handle maia arson crimew, gained access to the servers of CommuteAir — a regional airline headquartered in Ohio — while simply browsing the popular network search engine ZoomEye for poorly secured servers to explore.
Crimew realised she had found something interesting when she started recognising some of the acronyms being used on one particular server, specifically ACARS.
ACARS — which stands for Aircraft Communications, Addressing and Reporting System — is a system for sending short text messages to other aircraft and stations on the ground. Crimew was soon looking at what looked to be CommuteAir’s entire record of ACARS communications.
“The very first project I decide to look at in more detail is something about ‘ACARS incoming’, since I’ve heard the term ACARS before, and it sounds spicy. A quick look at the resource directory reveals a file called application-prod.properties (same also for -dev and -uat),” crimew writes on her blog. “It couldn’t just be that easy now, could it?
“Well, it sure is! Two minutes after finding said file I’m staring at Filezilla connected to a Navtech sftp server filled with incoming and outgoing ACARS messages.”
With the proper credentials, crimew says she would have been able to access a lot more, including details of Airbus’ NAVBLUE suite of products. Crimew could see details for cancelling and changing flights and aircrew but could not make any changes without further digging.
What she could see, however, were two files that caught her attention — noflycomparison and noflycomparisonv2 — which prompted her to look further. After finally “finding” a set of Amazon Web Services credentials, crimew had full access, and was at this stage reporting her findings to The Daily Dot.
“I now seemingly have access to pretty much their entire AWS infrastructure via AWS CLI, numerous s3 buckets, dozens of DynamoDB tables, as well as various servers and much more,” crimew continues.
With this, crimew was able to finally find three very important files: employee_information.csv, nofly.csv, and selectee.csv.
The Daily Dot has seen the list, and has confirmed that it is the real deal, as has the airline now. It appears to be a copy of the original document from 2019. On the list are members of the IRA, and an overwhelming number of individuals of Middle Eastern and Arabic descent.
The list features over 1.5 million names, though many aliases are listed on separate lines, so the number of individuals in the data is likely closer to 1 million.
“On the list were several notable figures, including the recently freed Russian arms dealer Viktor Bout, alongside over 16 potential aliases for him,” The Daily Dot reports.
Also on the list is an eight-year-old child, according to crimew.
The researcher also gained access to the personal details of CommuteAir employees. Crimew is currently hosting the no-fly list on her site, for journalists and other interested parties to request access to.
“We have submitted notification to the Cybersecurity and Infrastructure Security Agency, and we are continuing with a full investigation,” a CommuteAir spokesperson confirmed to The Daily Dot.
The no-fly list is a list of terrorists, terrorism suspects, and other individuals barred from flying in or into the United States. It is maintained by the Terrorist Screening Center and was created in the aftermath of the 9/11 terrorist attacks. The selectee list is used for additional screening of other passengers.
The figure of at least 1 million people currently on the no-fly list suggests a dramatic increase in the number of people watched by the TSC in recent years. According to the FBI, there were 16,000 people on the no-fly list in 2011, a number that had risen to 47,000 in 2014.
Prior to the 2011 attacks, a similar list had only 16 individuals proscribed from travel into and through the United States.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.