When it comes to cybersecurity Amsterdam, Helsinki and Dublin were ranked the three safest airports by Immuniweb, but overall these facilities fared poorly when it came to protecting their websites, mobile platforms and systems.
The study found 97 of the world’s 100 largest airports have have security risks related to vulnerable web and mobile applications, misconfigured public cloud, dark web exposure or code repositories leaks. Some of the most egregious findings were:
- 97 percent of the websites contain outdated web software.
- 24 percent of the websites contain known and exploitable vulnerabilities.
- 76 percent and 73 percent of the websites are not compliant with GDPR and PCI DSS, respectively.
- 100 percent of the mobile apps contain at least five external software frameworks.
- 100 percent of the mobile apps contain at least two vulnerabilities.
This translated into 47 percent of the airports studied receiving a C grade, meaning there were security vulnerabilities or several serious misconfigurations found; 11 percent got a B, several minor issues or insufficient security hardening; 14 topped out with an A or A+ with the latter meaning there were no issues and the former only a few minor problems discovered.
Twenty-four airports received a failing F. This means exploitable and publicly known security vulnerabilities were found. This included having outdated components, outdated CMS, vulnerable components or a vulnerable CMS.
The report was also particularly damning of the failure of most airports to be GDPR or PCI DSS compliant. Only 24 percent of the main websites and 12 percent of subdomains were GDPR compliant. PCI DSS was almost as bad with only 27 percent falling within regulations.
When it came to securing email only 32 of the 147 email servers properly implemented SSL/TLS, 44 servers had poorly implemented the protocol and 48 percent do not support SSL/TLS encryption at all leaving them open to Man-in-the-Middle attacks and having traffic intercepted.
“Cybercriminals may well consider attacking the unwitting air hubs to conduct chain attacks of the travelers or cargo traffic, as well as aiming attacks at the airports directly to disrupt critical national infrastructure,” said Ilia Kolochenko, CEO and founder of ImmuniWeb.