97 out of 100 of World's Largest Airports Have Cybersecurity Vulnerabilities

the camera system at the El Paso International Airport

To shed some light on the current state of aviation transportation security, Immuniweb conducted research on cybersecurity, compliance and privacy of some of the world's largest airports.

Immuniweb leveraged an enhanced methodology from their previous research dedicated to application security of top banking institutions, including comprehensive coverage of their web, mobile and API security. The methodology of this research was also complemented with OSINT-based:

Discovery and non-intrusive security testing of public cloud storages (e.g. AWS S3)
Monitoring of Dark Web exposure (e.g. marketplaces and forums)
Monitoring of public code repositories (e.g. GitHub)

Key findings include:

Main Website Security:

97 percent of the websites contain outdated web software
24 percent of the websites contain known and exploitable vulnerabilities
76 percent and 73 percent of the websites are not compliant with GDPR and PCI DSS respectively
24 percent of the websites have no SSL encryption or use obsolete SSLv3
55 percent of the websites are protected by a WAF

Mobile Application Security:

100 percent of the mobile apps contain at least 5 external software frameworks
100 percent of the mobile apps contain at least 2 vulnerabilities
15 security or privacy issues are detected per app on average
33.7 percent of the mobile apps outgoing traffic has no encryption

Dark Web Exposure, Code Repositories and Cloud:

66 percent of the airports are exposed on the Dark Web
72 out of 325 exposures are of a critical or high risk indicating a serious breach
87 percent of the airports have data leaks on public code repositories
503 out of 3184 leaks are of a critical or high risk potentially enabling a breach
3 percent of the airports have unprotected public cloud with sensitive data

Top 3 Most Secure Airports

During the research Immuniweb identified 3 international airports that successfully passed all the tests without a single major issue being detected:

Amsterdam Airport Schiphol (EU)
Helsinki-Vantaa Airport (EU)
Dublin Airport (EU)

Ilia Kolochenko, CEO & Founder of ImmuniWeb, comments: “Given how many people and organizations entrust their data and lives to international airports every day, these findings are quite alarming. Being a frequent flyer, I frankly prefer to travel via the airports that do care about their cybersecurity. Cybercriminals may well consider attacking the unwitting air hubs to conduct chain attacks of the travelers or cargo traffic, as well as aiming attacks at the airports directly to disrupt critical national infrastructure. Today, when our digital infrastructure is extremely intricate and intertwined with numerous third-parties, holistic visibility of your digital assets and attack surface is pivotal to ensure success of your cybersecurity program. Without it, all your efforts and spending are unfortunately vain.”

To read the full report, visit ImmuniWeb at: https://www.immuniweb.com/blog/state-of-cybersecurity-top-100-airports.html

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

A head of state needs heart surgery at your facility. High-profile members of a national sports team are getting updated vaccinations. What do you do when you get the call?