Congressman ‘coming for answers’ after ‘no-fly list’ hack

A Republican congressman on the House Committee on Homeland Security is seeking answers about last week's hack of regional airline CommuteAir, which led to the exposure of a copy of the federal no-fly list from 2019. 

Alarm has grown since the researcher behind the hack, a Swiss national who goes by maia arson crimew, published a blog post explaining that the information was left exposed on an unsecured server alongside other sensitive data from CommuteAir, a regional airline under United Airlines.

On Saturday, Rep. Dan Bishop (R-NC), expressed outrage at the situation.

“The entire US no-fly list – with 1.5 million+ entries – was found on an unsecured server by a Swiss hacker,” he said. 

“Besides the fact that the list is a civil liberties nightmare, how was this info so easily accessible? We’ll be coming for answers.”

The entire US no-fly list - with 1.5 million+ entries - was found on an unsecured server by a Swiss hacker.

Besides the fact that the list is a civil liberties nightmare, how was this info so easily accessible?

We’ll be coming for answers. https://t.co/9sN2AhucnM

— Rep. Dan Bishop (@RepDanBishop) January 21, 2023

According to crimew, the list was found on an exposed Jenkins server, which companies use to build and test software. The server was found using the research tool Shodan. 

“Given the access to production airline services, and what I can guess would have been possible with the APIs [Application Programming Interface] I had credentials for, I’d assume it would be possible to cancel or delay flights, or even edit crew members and change flight crews… the implications of that probably dont need to be spelled out,” crimew told The Record in an interview on Signal.  

“But I had access to pretty much all their infrastructure in some way.” 

The findings, which were first published by The Daily Dot, sparked outrage, both at the idea that a version of the list was now public and the human rights implications of it being as long as it is. 

The list – provided to The Record by crimew – contains more than 1.5 million first and last names as well as birth dates.  

While crimew said they don’t think the list should be public, they do feel that it is important for researchers to examine and assess the breadth of the impact it has and “how absolutely nonsensical it all is.”

United Airlines declined to comment on the hack and directed The Record to a spokesperson for CommuteAir, which confirmed that a researcher informed them of the misconfigured development server. 

The airline said the researcher was able to access files that included what they called an “outdated” version of the federal no-fly list.

“Additionally, through information found on the server the researcher discovered access to a database containing personal identifiable information of CommuteAir employees.  Based on our initial investigation, no customer data was exposed,” the spokesperson said. 

“CommuteAir immediately took the affected server offline and started an investigation to determine the extent of data access.” The company said it reported the exposure to the Cybersecurity and Infrastructure Security Agency. 

When contacted for comment, CISA referred all responses to the Transportation Security Administration.

“TSA is aware of a potential cybersecurity incident, and we are investigating in coordination with our federal partners,” a spokesperson for the agency told The Record.

The fiasco comes just weeks after thousands of flights were delayed or canceled due to a technical issue affecting the Federal Aviation Administration’s Notice to Air Mission (NOTAM) system.

That situation prompted Congress to demand an investigation into the potential cybersecurity vulnerabilities facing U.S. aviation systems – an industry the White House has sought to include in efforts to better protect from cyberattacks. 

Several cybersecurity experts said what crimew found was sadly common among organizations ranging from healthcare to companies to wedding officiant training businesses. Businesses typically leave this kind of information left unsecured in servers — allowing almost anyone to gain access if they are found. 

Sammy Migues, principal scientist at Synopsys Software Integrity Group, said unsecured public-facing servers “are an attacker’s bread-and-butter and an organization’s nightmare.” 

“This is especially true when the server is unsecured long enough to appear in connected-device search engines such as Shodan and ZoomEye,” Migues said. 

"Too many organizations use cloud storage without really understanding what it means to lock the front door and keep our data safe. If the cloud storage is so misconfigured that it’s the equivalent of leaving the front door open, it takes little or no actual hacking to get the data."

Andrew Hay, COO at LARES Consulting, explained that organizations need to explicitly configure access to these kinds of buckets due to the sensitive information often held inside. 

He noted that cloud providers are now doing a better job of protecting newly created storage buckets and restricting public access so that administrators now have to go out of their way to allow access. 

But he added that CommuteAir should not have been using real data on a development system. 

“Sometimes, however, organizations will sacrifice security for expedience and testing with live customer data,” Hay said. “Creating anonymized datasets takes time and the common argument is that it ‘doesn't accurately reflect real data.’”

Netenrich’s John Bambenek said it is common to test systems with real data because creating credible and at-scale test data is often complicated. 

“You want your tests to represent the ‘real world’ as much as possible, so it's a very natural temptation,” he said. 

KnowBe4’s Erich Kron said this issue extends far beyond the aviation industry.

In his experience, he has seen it happen not just with primary organizations but also with contractors and partners.

Tools like Shodan have also made it much easier to scan the internet constantly for exposed servers. There are databases out there that have been all but forgotten by the organizations that created them or use them, Kron added. 

“That doesn't mean on premise instances can take security more lightly, it only takes a misconfigured firewall to let traffic in, but when storing data in the cloud, organizations must be very diligent.”