Airport security is a concern for every traveler. Beyond the physical passenger and luggage screening, you might be surprised at how bad some airport security is. Like when it comes to cybersecurity, for example.
As someone whose occupation requires a lot of international travel, I have become accustomed to factoring in the extra time required for security screening over the years. Any frustration at the inconvenience is more than counterbalanced by the knowledge that my flight will be more secure as a result, however. But what if I were to tell you that, beyond the luggage screening and the pat-downs, most airports are shockingly poor in one particular area of security? When it comes to cybersecurity, 97 of the world’s largest 100 airports failed to pass the tests set by one leading web security business. Given that the World Economic Forum (WEF) had flagged emerging cybersecurity challenges facing the aviation industry during its 2020 annual meeting in Davos-Klosters, the timing of this research couldn’t be better, or should that be worse?
The travel industry and cybersecurity need to be better bedfellows
When I heard that ImmuniWeb had been researching how vulnerable the web and mobile applications from 100 of the largest airports in the world were, I kind of suspected it was going to end badly. Not that I’m a hopeless cybersecurity cynic, but recent history concerning the travel industry and infosecurity testing suggests something of a negative trend. Take the 2019 research into the security and privacy of the world’s most popular travel apps, on both Android and iOS platforms, which made for grim reading for travelers. More recently, just last month, I reported how a new wave of air travel cyber-attacks had claimed victims including the Albany County Airport Authority and international foreign currency exchange Travelex. The warning signs are all there, all pointing to a lack of proper cybersecurity due diligence that leads to situations such as the City of New Orleans declaring a state of emergency following a cyber-attack at the end of 2019.
What did ImmuniWeb find when it researched the current state of aviation transportation security?
The ImmuniWeb research covered a broad sweep of 100 of the biggest international airports on the planet. If you are a frequent business traveler, you will, without any doubt, have found yourself spending time at many of these. By focusing on airport web and mobile applications, public cloud servers, and the like, ImmuniWeb was able to shine a light into some pretty dark places as far as airport cybersecurity is concerned. Places with names like compliance and privacy.
Three, it is often said, is the magic number. It’s also the most important statistic to come out of this report: only three airports emerged from the testing with an A+ pass on all of the tests, meaning that no single major issue was found.
The airport I frequent most often as a hub for my transatlantic travels, Amsterdam Airport Schiphol (AMS), was in the top three, along with my second most-used airport, Dublin (DUB), and Helsinki-Vantaa (HEL), which I have visited less often.
In total, it was found that 97% of the airport websites had outdated web software, 24% had known, exploitable vulnerabilities, and the same number either had no secure sockets layer (SSL) encryption or were using obsolete versions. It should come as no surprise, nor comfort, that 76% of the airport websites were not, therefore, EU General Data Protection Regulation (GDPR) compliant. 73% also failed to be compliant with the Payment Card Industry Data Security Standard (PCI DSS) security requirements.
Within the mobile applications tested, ImmuniWeb found 530 security and privacy issues, including 288 mobile security flaws. 100% of the mobile apps tested were found to contain at least two vulnerabilities, with 15 security or privacy issues being detected per app on average. Incredibly, 33% of these apps had no outgoing traffic encryption.
Things get even blacker for airport security on the dark web
The ImmuniWeb researchers discovered that 66% of the airports had data exposed on the dark web, with 72 out of the total 325 exposures being rated as either critical or high risk, ratings that are indicative of a serious data breach. Data leaks on public code repositories were found for 87% of the airports, with 503 out of the 3184 leaks there being rated critical or high risk as well.
“Given how many people and organizations entrust their data and lives to international airports every day,” Ilia Kolochenko, CEO at ImmuniWeb, said, “these findings are quite alarming. Cybercriminals may well consider attacking the unwitting air hubs to conduct chain attacks of travelers or cargo traffic, as well as aiming attacks at the airports directly to disrupt critical national infrastructure.”
Mitigation advice for airports everywhere
On the off chance that anyone involved with airport security is reading this and is just as shocked as I was with the findings of this research, ImmuniWeb has the following mitigation steps to offer:
1. Implement a continuous security monitoring system with anomaly detection.
2. Run a continuous discovery and inventory of your digital assets, and visualize your external attack surface and risk exposure with an attack surface management solution.
3. Implement a holistic, DevSecOps-enabled application security program to test and remediate your web and mobile applications, APIs, and OSS promptly.
4. Implement a third-party risk management program encompassing continuous monitoring of your vendors and suppliers going beyond a paper-based questionnaire.
5. Invest in security awareness of your personnel, explain the risks of using professional emails on third-party resources, gamify anti-phishing training, and reward the best learners.