A hacker has landed a very shiny prize at the end of the cyber rainbow: the Transportation Security Administration’s no-fly list, as first reported by the Daily Dot.
“TSA is aware of a potential cybersecurity incident, and we are investigating in coordination with our federal partners,” a TSA spokesperson said in an email to Forbes.
In a blog post entitled “How to completely own an airline in 3 easy steps and grab the TSA no fly list along the way,” a Swiss hacker known as “maia arson crimew” detailed how boredom led to hunting on the internet for exposed open-source automation Jenkins servers. The hacker’s Twitter bio describes an “indicted hacktivist/security researcher, artist, mentally ill enby polyam trans lesbian anarchist kitten (θΔ), 23 years old.”
In March 2021, crimew was indicted by a grand jury in the United States on criminal charges related to her alleged hacking activity between 2019 and 2021, according to her Wikipedia page, which she says is accurate.
Crimew’s blog post told of an accidental discovery. “At this point i've probably clicked through about 20 boring exposed servers with very little of any interest, when i suddenly start seeing some familiar words. ‘ACARS,’ lots of mentions of ‘crew’ and so on,” she wrote. ACARS is an acronym for Aircraft Communications, Addressing and Reporting System, a digital communication system between aircraft and ground stations.
Then came the payoff: “jackpot. an exposed jenkins server belonging to CommuteAir,” wrote crimew. After spending some time poking around the server, she eventually ran across a file called nofly.csv.
“i had owned them completely in less than a day,” she wrote, “with pretty much no skill required” besides patience.
“That was my first experience with anything aviation really,” crimew told Forbes.
One of six regional airlines operating under the United Express umbrella, CommuteAir flies a fleet of 50-seat Embraer ERJ145 jets out of its hubs in Denver, Houston and Washington, D.C. to about four dozen small airports around the country.
CommuteAir first learned of the breach from crimew. “She basically explained what she had found,” said a company spokesperson. “And then she gave us enough time to reply and to pull our resources together and communicate with our employees before anything was ever made public.”
The breached server was not the airline’s main server but one used for testing and development. According to the airline spokesperson, “she was able to exploit the default settings.”
“We instantly took it offline,” the CommuteAir spokesperson said. “We went into clean-up mode as soon as we received word that we had been exploited, that she had gotten into our system.”
Breachable servers are “way more common than you would think, with these massive holes,” crimew said, adding that it didn’t surprise her to find a weakness at a small airline. “The aviation space works in very tight budgets, as far as I'm aware.”
Our nation’s antiquated aviation systems have indeed made headlines recently. Earlier this month, the Federal Aviation Administration (FAA) grounded all domestic flights for several hours due to an outage that affected the agency’s 30-year-old Notice to Air Missions system, known as NOTAM, while Southwest Air just pledged $1 billion to update its computer system after a spectacular holiday meltdown led to 17,000 flight cancellations in the last days of December.
CommuteAir confirmed that the hacker accessed “an outdated 2019 version of the federal no-fly list that included first and last name and date of birth” but emphasized that it was not the entire Terrorist Screening Database, which is not provided to airlines.
The TSA no-fly list is a small subset of the individuals in the Terrorist Screening Database, more commonly known as “the watchlist,” who the FBI says “are known to be or reasonably suspected of being involved in terrorist activities.”
While the details of the TSA’s no-fly list are notoriously opaque, it has traditionally targeted international terrorists. A 2016 press release from Senator Dianne Feinstein ballparked that there were roughly 1,000 Americans on the list out of approximately 81,000 total names—or roughly 1% of suspected passengers.
Forbes has received a copy of the nofly.csv file and a second file called selectee.csv, which is another subset of the Terrorist Screening Database.
The 2019 no-fly list contains just over 1 million entries, with multiple aliases for many people on the list. For example, as the Daily Dot reported, the no-fly datafile includes at least 17 aliases for Russian arms dealer Viktor “Merchant of Death” Bout, who was released last month from U.S. custody in a prisoner swap for WNBA star Brittney Griner.
“It’s just the fact how like 90% of the names I saw was scrolling by are all like very Arabic sounding and some Russian sounding names. And that’s basically the entire list,” crimew said. “There are definitely also European people. There are some IRA folks on there. But there is very clearly a focus on Arabian countries.”
Crimew also “discovered access to a database containing personal identifiable information of CommuteAir employees,” according to a statement from the airline. “Based on our initial investigation, no customer data was exposed.” CommuteAir has reported the data exposure to the Cybersecurity and Infrastructure Security Agency.
“while the nature of this information is sensitive, i believe it is in the public interest for this list to be made available to journalists and human rights organizations,” crimew wrote, inviting journalists, researchers and others “with legitimate interest” to reach out via email or Twitter, adding, “i will only give this data to parties that i believe will do the right thing with it.”
Since publishing her findings a day ago, crimew said she has been contacted by “15 to 20 journalists” but has not heard from the TSA or any other government agency.
“Nobody at all,” she said.