Not even a month has passed since many airline passengers endured unprecedented hardships while traveling for the holidays, and it was just 10 days ago that contractors accidentally deleted key operational files forcing the Federal Aviation Administration to ground all domestic departures for hours. While these events may seem like a distant memory, more bad news was just released which should give travelers, and employees of at least one airline, cause for concern.
A Swiss hacker has gained access to a United States no-fly list from 2019, exposing the names and dates of birth contained in over 1 million entries. The attack was ultimately made possible by information acquired using the search engine Shodan: a crawler that can be used to find (and possibly make it easier to exploit) internet-connected devices. Crafted searches, looking for exposed Jenkins servers with "interesting goods", led the hacker to a development environment belonging to CommuteAir, a regional airline operating roughly 1600 flights a week. After establishing a foothold on the Jenkins server, the hacker discovered additional files, and even AWS credentials, which were then used to retrieve the no-fly list. To add insult to injury, and hopefully provide valuable context to security professionals, the hacker revealed, "like so many of my other hacks this story starts with me being bored".
While the no-fly list is certainly an impactful find, and further demonstrates how the security of most data types is far from guaranteed, the mainstream media has failed to dig deeper into this hack and report on the true degree of access the attacker was able to achieve. In a blog post providing the technical details of the methods used, the perpetrator provides proof of their ability to exfiltrate messages from the Aircraft Communications Addressing and Reporting System (ACARS), as well as data from AWS databases and file stores. Unfortunately, these additional AWS resources contained data that is even more sensitive than the names and birthdates included in the no-fly list. CommuteAir's sensitive and operational information, including "pretty much all PII imaginable for each of their crew members", flight plans, maintenance records, and more, was all available for retrieval.
Unfortunately, many will disregard the headlines surrounding this cybersecurity incident simply because there is no immediate impact to them. With the media's attention on the exposure of the no-fly list, those who know they are not in such company will believe a bullet has been dodged - that only the names of criminals, rowdy passengers, and suspicious persons have been leaked. Whichever way you spin it, the security missteps of a small, regional airline have effectively compromised national security. Even worse, the identities and personal information of more than 1500 CommuteAir employees are now being circulated amongst journalists and others. It's only a matter of time before that data is in the hands of those who wish to do harm. Maybe the next hack, impacting a larger and more influential company, will reveal your home address, social security number, and more.
One thing is for certain: for those seeking the roles of Chief Information Security Officer or Chief Information Officer, there will be two immediate openings with a mid-sized airline very soon.
Backing Fire has deliberately excluded the name (or handle) of the hacker and links to technical details. Please contact us if you wish to learn more about the sources and methods used in this attack.