Because the author is saying that it uses a password and some session key to encrypt. That means it must be internally generating an encryption key from the password and encrypting with it. As for FIPS, password-based key derivation functions are not allowed in FIPS mode [PBKDF; I think it is PKCS#5].
One key storage solution is to use FIPS-compliant hardware to store the keys [using PKCS#11].