Swiss web security company ImmuniWeb has released an in-depth report on the cybersecurity posture of the world’s biggest airports, finding that almost all of them had an alarming lack of systems in place to protect their websites, mobile applications and public clouds.
The company’s researchers compiled their findings in the “State of Cybersecurity at Top 100 Global Airports” report, which said only three airports–Amsterdam Airport Schiphol, Helsinki-Vantaa Airport and Dublin Airport–passed all of their tests without a single major issue being detected.
On the flipside, dozens of airports failed all of ImmuniWeb’s tests by having vulnerable web and mobile applications, misconfigured public clouds, Dark Web exposure or code repository leaks. ImmuniWeb decided to look into airport cybersecurity after the topic was highlighted during the 2020 World Economic Forum. In its own report, released on January 22, the WEF called for airports to address emerging cybersecurity challenges
“Given how many people and organizations entrust their data and lives to international airports every day, these findings are quite alarming,” said Ilia Kolochenko, CEO and founder of ImmuniWeb.
“Being a frequent flyer, I frankly prefer to travel via the airports that do care about their cybersecurity. Cybercriminals may well consider attacking the unwitting air hubs to conduct chain attacks of the travelers or cargo traffic, as well as aiming attacks at the airports directly to disrupt critical national infrastructure,” Kolochenko said.
When it comes to security for main websites, just three airports received an A+ and only 15 managed to score an A in ImmuniWeb’s report. Nearly one in four airport websites received an F grade, meaning they were using outdated software with known and exploitable security vulnerabilities in the CMS systems like WordPress or web components like jQuery. Some of the websites even had several vulnerable components. ImmuniWeb researchers found that 97% of the websites are deploying outdated web software, 24% have known and exploitable vulnerabilities while another 76% are not compliant with GDPR. Nearly 25% have no SSL encryption or use now-obsolete SSLv3.
The security for mobile apps was even worse. For the 36 airport mobile apps that researchers examined, more than 500 security and privacy issues were found as well as 288 mobile security flaws, with an average of 15 per application.
All of the apps they looked through had at least five external software frameworks and at least two vulnerabilities. Nearly 34% of the mobile apps’ outgoing traffic has no encryption at all.
The research team at ImmuniWeb also discovered that 66 of the top 100 airports were exposed on the Dark Web, meaning they had recent leaks of highly confidential data like IDs, financial records or plaintext passwords for production systems. Other less critical risks included recent leaks of confidential data as well as internal sensitive data like source codes, documents and records.
“In light of the omnipresent proliferation of CI/CD and DevOps across the globe, 87 out of 100 airports had some sensitive or internal data exposed at various public code repositories, such as GitHub or BitBucket. Amongst them, 59 airports were identified with 227 code leakages of critical risk,” the report said.
More than 70 of the 325 exposures found are of a “critical or high risk,” indicating a serious breach. Nearly 90% of the airports have data leaks on public code repositories and 503 of the 3,184 leaks are of a critical or high risk that could potentially lead to a breach. Three percent of airports studied have unprotected public clouds with sensitive data available.
At the end of the report, ImmuniWeb researchers included a list of best practices airports can put in place to address some of the security flaws found. They suggested implementing a continuous security monitoring system with anomaly detection to spot any and all intrusions, phishing attempts and password reuse attacks.
SEE: Special report: A winning strategy for cybersecurity (free PDF) (TechRepublic Premium)
Airports should have cybersecurity teams that are running continuous discovery programs and constantly performing an inventory of all digital assets. If possible, programs should be deployed that can give security teams a visualization of external attack surfaces as well as risk exposure with an attack surface management solution that can monitor the Dark Web and code repositories.
All web and mobile applications, as well as APIs, need to have holistic DevSecOps-enabled security programs that can test and fix any problems that may arise. Airports also need to conduct in-depth audits of their vendors and third-party suppliers that go beyond the traditional paper-based questionnaire, which are no longer sufficient to mitigate complex risks.
“Today, when our digital infrastructure is extremely intricate and intertwined with numerous third-parties, holistic visibility of your digital assets and attack surface is pivotal to ensure success of your cybersecurity program,” Kolochenko added. “Without it, all your efforts and spending are unfortunately vain.”