New research from web security company ImmuniWeb has found that 97 out of 100 the world’s largest airports have security risks related to vulnerable web and mobile applications, misconfigured public cloud, Dark Web exposure or code repositories leaks.
The 2020 annual meeting of the World Economic Forum (WEF) urged the consideration of emerging cyber security challenges in the aviation industry, addressed in its “Advancing Cyber Resilience in Aviation: An Industry Analysis” report.
To shed some light on the current state of aviation transportation security, ImmuniWeb decided to conduct research on cyber security, compliance and privacy of the world’s largest airports. The key findings are below.
During the research the report identified three international airports that successfully passed all the tests without a single major issue being detected:
Application weaknesses and software vulnerabilities continue to be the most common means by which cyber criminals carry out external attacks, says Forrester in its recent research.
Regrettably, only 3 main (“www.”) websites of the airports received the best possible “A+” grade, 15 got an “A” grade:
As many as 24 of the main websites had a failing “F” grade, meaning that they had outdated software with known and exploitable security vulnerabilities in CMS (e.g. WordPress) and/or web component (e.g. jQuery). Some of the websites even had several vulnerable components as detailed below:
During this research, the report also found and tested 36 official mobile applications belonging to the airports. In total, 530 security and privacy issues were identified, including 288 mobile security flaws (15 per application on average). Other findings included:
Compared to the Fortune 500 companies’ exposure, global airports are doing fairly well. For the purpose of this research, ImmuniWeb leveraged its AI technology to distil findings from the Dark Web marketplaces and other locations, notably to remove duplicates, fakes and irrelevant findings.
After purification of the results, the research team found that 66 out of the 100 airports are exposed on the Dark Web in one way or another. 13 airports have leaks or exposures of a critical risk:
Ilia Kolochenko, CEO & Founder of ImmuniWeb, comments: “Given how many people and organisations entrust their data and lives to international airports every day, these findings are quite alarming. Being a frequent flyer, I frankly prefer to travel via the airports that do care about their cyber security. Cyber criminals may well consider attacking the unwitting air hubs to conduct chain attacks of travellers or cargo traffic, as well as aiming attacks at the airports directly to disrupt critical national infrastructure.
Today, when our digital infrastructure is extremely intricate and intertwined with numerous third-parties, holistic visibility of your digital assets and attack surface is pivotal to ensure the success of your cyber security programme. Without it, all your efforts and spending are unfortunately vain.”
Suggestions from ImmuniWeb include:
You can find out all about security in the transport sector at The Transport Security Show, taking place on 21 May, at IFSEC International.
