To shed some light on the current state of aviation transportation security, Immuniweb conducted research on cybersecurity, compliance and privacy of some of the world's largest airports.
Immuniweb leveraged an enhanced methodology from their previous research dedicated to application security of top banking institutions, including comprehensive coverage of their web, mobile and API security. The methodology of this research was also complemented with OSINT-based:
- Discovery and non-intrusive security testing of public cloud storages (e.g. AWS S3)
- Monitoring of Dark Web exposure (e.g. marketplaces and forums)
- Monitoring of public code repositories (e.g. GitHub)
Key findings include:
Main Website Security:
- 97 percent of the websites contain outdated web software
- 24 percent of the websites contain known and exploitable vulnerabilities
- 76 percent and 73 percent of the websites are not compliant with GDPR and PCI DSS respectively
- 24 percent of the websites have no SSL encryption or use obsolete SSLv3
- 55 percent of the websites are protected by a WAF
Mobile Application Security:
- 100 percent of the mobile apps contain at least 5 external software frameworks
- 100 percent of the mobile apps contain at least 2 vulnerabilities
- 15 security or privacy issues are detected per app on average
- 33.7 percent of the mobile apps outgoing traffic has no encryption
Dark Web Exposure, Code Repositories and Cloud:
- 66 percent of the airports are exposed on the Dark Web
- 72 out of 325 exposures are of a critical or high risk indicating a serious breach
- 87 percent of the airports have data leaks on public code repositories
- 503 out of 3184 leaks are of a critical or high risk potentially enabling a breach
- 3 percent of the airports have unprotected public cloud with sensitive data
Top 3 Most Secure Airports
During the research Immuniweb identified 3 international airports that successfully passed all the tests without a single major issue being detected:
- Amsterdam Airport Schiphol (EU)
- Helsinki-Vantaa Airport (EU)
- Dublin Airport (EU)
Ilia Kolochenko, CEO & Founder of ImmuniWeb, comments: “Given how many people and organizations entrust their data and lives to international airports every day, these findings are quite alarming. Being a frequent flyer, I frankly prefer to travel via the airports that do care about their cybersecurity. Cybercriminals may well consider attacking the unwitting air hubs to conduct chain attacks of the travelers or cargo traffic, as well as aiming attacks at the airports directly to disrupt critical national infrastructure. Today, when our digital infrastructure is extremely intricate and intertwined with numerous third-parties, holistic visibility of your digital assets and attack surface is pivotal to ensure success of your cybersecurity program. Without it, all your efforts and spending are unfortunately vain.”
To read the full report, visit ImmuniWeb at: https://www.immuniweb.com/blog/state-of-cybersecurity-top-100-airports.html