Hacker Exposes TSA's No-Fly List on Unsecured AWS Server 

A Swiss hacker has exposed the Transportation Security Administration’s (TSA) No-Fly list after claiming to have stumbled across the highly-sensitive document on an unsecured AWS server. 

The 23-year-old hacker known as ‘maia arson crimew’ said the unsecured server was hosted by Ohio-based regional airline CommuteAir, and, as well as the No-Fly List, contained the private information of almost 1,000 of the airline’s employees. 

In a statement to the Daily Dot, CommuteAir confirmed the legitimacy of the data found by the hacker, explaining that the exposed server, which it described as a misconfigured development server, was being used for testing purposes before it was breached. 

“The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth, CommuteAir Communications Manager Erik Kane stated. 

“We have submitted notification to the Cybersecurity and Infrastructure Security Agency and we are continuing with a full investigation,” he added.

The leaked data reportedly included names and birthdates of those listed on the No-Fly List, as well as the passport numbers, addresses and phone numbers of CommuteAir staff. 

CommuteAir said that the server had already been taken offline as soon as the security flaw came to its attention and that the leak did not expose any customer information bases on its initial investigation. 

Several known names were included on the exposed No-Fly list, such as Viktor Bout, a Russian arms dealer released from US prison last month as part of an exchange with US basketball player Brittney Griner. 

A security catastrophe for the TSA

In a blog post entitled “How to Completely Own an Airline in 3 Easy Steps,” Crimew explained that boredom was the main reason for finding the server. 

“Like so many other of my hacks, this story starts with me being bored and browsing shodan looking for exposed Jenkins servers that may contain some interesting goods,” they wrote.  

Shodan is an online search engine which provides a platform for people to conduct in-depth searches on public servers connected to the internet. 

Since this AWS server was accidentally left open by Commute Air, the hacker could use the platform to gain access to private information company data contained within its files, including the TSA No-Fly List. 

A TSA spokesperson told Motherboard that TSA was “aware of a potential cybersecurity incident” and said it was “investigating in coordination with federal partners.” 

The breach comes weeks after a computer glitch in the Federal Aviation Authority (FAA) system that led to more than 10,000 delays and over 1,000 cancellations on January 12.

The FAA confirmed that the glitch was caused by a contractor mistakenly deleting files, which brought America's airspace to a standstill for the first time since 9/11. 

But it is this recent lapse in security that has grabbed the attention of governmental officials around the world, with many questioning if the aviation industry is doing enough to protect flyers from malicious cyber activity. 

Dan Bishop, a Republican congressman serving on the House Homeland Security Committee said members of Congress will “be coming for answers.”

The entire US no-fly list - with 1.5 million+ entries - was found on an unsecured server by a Swiss hacker.

Besides the fact that the list is a civil liberties nightmare, how was this info so easily accessible?

We’ll be coming for answers. https://t.co/9sN2AhucnM

— Rep. Dan Bishop (@RepDanBishop) January 21, 2023

"Besides the fact that the list is a civil liberties nightmare, how was this info so easily accessible?”, Bishop said in a Tweet posted this week. 

Cybercrime’s barrier to entry is getting lower

The fact that a seemingly inexperienced hacker could access such a sensitive document as the TSA no-fly list has sparked concern across the cybersecurity community. 

Crimew used a free, easily accessible search tool to infiltrate data from a company with over 50,000 employees and extensive security protocols. It took less than 30 minutes.

As threat actors find more options to breach security teams' defence mechanisms, experts warn that a new wave of attacks is on the horizon, and it won’t be huge hacktivist groups launching attacks, but single unsophisticated attackers using tools acquired online. 

To learn more about cyber attacks, visit our dedicated Business Continuity Page. 

“You can actually buy the material on the dark web, whether they’d be people’s details or the kits to do something like a ransomware attack or phishing attack, at a very low cost,” Jason Murrell, AustCyber group executive told The West Australian.

“There’s another layer of criminal (activity) which is building and supplying tools for the cause and they are making their money off the gangs who are then purchasing it,” Mr Bennett added.