Total Tests:
Blog Filters reset x
By Incident
By Jurisdiction
Show More

Cybersecurity
Compliance

Cybersecurity
Legal Advisory
Learn More

State of Cybersecurity at Top 100 Global Airports

97 out of 100 of the world's largest airports have security risks related to vulnerable web and mobile applications, misconfigured public cloud, Dark Web exposure or code repositories leaks.


Wednesday, January 29, 2020
Views: 70.3k Read Time: 9 min.

State of Cybersecurity at Top 100 Global Airports

The 2020 annual meeting of the World Economic Forum (WEF) urged the consideration of emerging cybersecurity challenges in the aviation industry, as addressed in its “Advancing Cyber Resilience in Aviation: An Industry Analysis” report.

To shed some light on the current state of aviation transportation security, we decided to conduct research on cybersecurity, compliance and privacy of some of the world's largest airports, many of which will be familiar to you.

Table of Content

Key findings

Main Website Security:

  • 97% of the websites contain outdated web software
  • 24% of the websites contain known and exploitable vulnerabilities
  • 76% and 73% of the websites are not compliant with GDPR and PCI DSS respectively
  • 24% of the websites have no SSL encryption or use obsolete SSLv3
  • 55% of the websites are protected by a WAF

Mobile Application Security:

  • 100% of the mobile apps contain at least 5 external software frameworks
  • 100% of the mobile apps contain at least 2 vulnerabilities
  • 15 security or privacy issues are detected per app on average
  • 33.7% of the mobile apps outgoing traffic has no encryption

Dark Web Exposure, Code Repositories and Cloud:

  • 66% of the airports are exposed on the Dark Web
  • 72 out of 325 exposures are of a critical or high risk indicating a serious breach
  • 87% of the airports have data leaks on public code repositories
  • 503 out of 3184 leaks are of a critical or high risk potentially enabling a breach
  • 3% of the airports have unprotected public cloud with sensitive data

Top 3 Most Secure Airports

During the research we identified 3 international airports that successfully passed all the tests without a single major issue being detected:

  1. Amsterdam Airport Schiphol (EU)
  2. Helsinki-Vantaa Airport (EU)
  3. Dublin Airport (EU)

They may serve a laudable example not just to the aviation industry but to all other industries as well.

Data Source

The research covers the world's Top 100 Airports (2019) from six global regions selected by Skytrax for the World Airport Awards:

State of Cybersecurity at Top 100 Global Airports
Diagram 1: Airports Locations

Testing Methodology

We leveraged an enhanced methodology from our previous research dedicated to application security of top banking institutions, including comprehensive coverage of their web, mobile and API security. The methodology of this research was also complemented with OSINT-based:

  • Discovery and non-intrusive security testing of public cloud storages (e.g. AWS S3)
  • Monitoring of Dark Web exposure (e.g. marketplaces and forums)
  • Monitoring of public code repositories (e.g. GitHub)

The following external IT assets of the airports were detected and tested for security, compliance and privacy in a non-intrusive manner during the research:

Tested AssetsQuantity
Main websites (the “www.” domain)100
Subdomains (e.g. “subdomain.example.com”)1,346
Official mobile applications36
Backend APIs of the mobile applications244
External Public Cloud Storage13
External SaaS/PaaS Services95

Most of the leveraged testing tools are freely available online and can be used to reproduce the results of the research, as well as to monitor for improvements:

Our testing for PCI DSS compliance covered Requirements 2.3, 4.1, 6.2, 6.5 and 6.6 of the most recent version 3.2.1 of the standard (assuming the website falls within the Cardholder Data Environment).

Our testing for GDPR compliance covered Article 5 Section 1, Article 5 Section 2, Article 6 Section 1, Article 6 Section 4(e), Article 7, Article 25 Section 1, Article 32 Section 1(a)(b)(d) and Article 35 Section 7(f) of the enacted regulation (assuming website handles and/or store PII of the EU residents).

For the purpose of Dark Web Monitoring, Attack Surface Management (that included discovery of PaaS, SaaS and Private/Public Cloud Storages) and code repositories crawling we leveraged our ImmuniWeb Discovery technology.

Website and Web Applications Security

Application weaknesses and software vulnerabilities continue to be the most common means by which cybercriminals carry out external attacks says Forrester in its recent research.

Regrettably, only 3 main (“www.”) websites of the airports received the best possible “A+” grade, 15 got an “A” grade:

State of Cybersecurity at Top 100 Global Airports
Diagram 2: Website Security Grades for Main Websites

Below is a detailed security scoring for the main websites of the airports:

GradeQuantityDescription
A+3No single issue or misconfiguration
A15Minuscule issues found or slightly insufficient security hardening
B11Several minor issues or insufficient security hardening
C47Security vulnerabilities or several serious misconfigurations found
F24Exploitable and publicly known security vulnerabilities found

As many as 24 of the main websites had a failing “F” grade, meaning that they had an outdated software with known and exploitable security vulnerabilities in CMS (e.g. WordPress) and/or web component (e.g. jQuery). Some of the websites even had several vulnerable components as detailed below:

State of Cybersecurity at Top 100 Global Airports
Diagram 3: Vulnerable or Outdated Software, Main Websites

As for the subdomains, we observed merely 17% of the web applications scored an “A” grade, while the majority had a border-to-failure “C” grade:

State of Cybersecurity at Top 100 Global Airports
Diagram 4: Website Security Grades for Subdomains

Web Application Firewall Usage

Gartner says that the Web Application Firewall (WAF) market is growing, driven by adoption of cloud web application and API protection services.

However, WAFs are modestly present on the web applications run by the world's largest airports. Only 55% of the main websites and 40% of the subdomains are protected with a WAF:

State of Cybersecurity at Top 100 Global Airports
Diagram 5: Usage of Web Application Firewalls

Oftentimes, organizations regard a WAF through a prism of hindering their business by blocking requests from legitimate users, and simply disable this indispensable security control.

Website TLS Encryption Security

Holistic implementation of a reliable HTTPS TLS encryption ensures privacy and better security for the website visitors. However, as low as 15 out of 100 main websites of the airports marked the highest “A+” grade. 38 got “A” grades.

As many as 24 main websites do not use SSL/TLS encryption (“N” grade) or use obsolete SSLv3 protocol (or have another major problem), and scored with the failing “F” grade:

State of Cybersecurity at Top 100 Global Airports
Diagram 6: TLS Security of the Main Websites

Below is a detailed security scoring for the main websites of the airports:

GradeQuantityDescription
A+15No single issue or misconfiguration found
A38Minuscule issues found or slightly insufficient encryption hardening
B16Several minor issues or insufficient encryption hardening
C7Security vulnerabilities or several serious misconfigurations found
F12SSLv3 or an exploitable security vulnerability found
N12No encryption

The situation is, however, substantially worse with the subdomains, where 308 websites failed with an “F”, and 75 do not use the encryption:

State of Cybersecurity at Top 100 Global Airports
Diagram 7: TLS Security of the Subdomains

Below is a detailed security scoring for the subdomains of the airports:

GradeQuantityDescription
A+188No single issue or misconfiguration found
A424Minuscule issues found or slightly insufficient encryption hardening
B248Several minor issues or insufficient encryption hardening
C103Security vulnerabilities or several serious misconfigurations found
F308SSLv3 or an exploitable security vulnerability found
N75No encryption

PCI DSS and GDPR Website Compliance

Even if PCI DSS compliance is not always applicable or requisite, GDPR compliance seems to be vital for the international airports. Moreover, both PCI DSS and GDPR requirements cover the foundational security aspects (cf. methodology above) that should not be neglected by anyone, even if compliance is not required.

Since its implementation in May 2018, GDPR has led to over 160,000 data breach notifications across Europe, with 114 million euros ($126 million) in imposed fines, says CNBC. Alarmingly, only 27 main websites comply with the applicable PCI DSS requirements:

State of Cybersecurity at Top 100 Global Airports
Diagram 8: Main Websites PCI DSS Compliance

As for the applicable GDPR requirements, only 24% (24/100) of the main websites and 12% (158/1346) of the subdomains comply:

State of Cybersecurity at Top 100 Global Airports
Diagram 9: Websites GDPR Compliance

Public Cloud Security

2019 was marked by a grim variety of countless security incidents and disastrous data breaches caused by unprotected or misconfigured public cloud storage, frequently involving Amazon’s AWS S3 infrastructure.

A quick scan for public clouds revealed usage of AWS S3 public cloud storage by 12 airports. 3 airports had buckets that were publicly accessible and contained a considerable volume of visibly sensitive data. All of this is despite a major security hardening by Amazon announced over a year ago, aimed at making S3 secure by default.

The global airports also actively rely on various third-party SaaS and PaaS solutions, such as Monday Project Management or Heroku. 33 airports rely on third parties to process or store potentially sensitive data, having in total 88 different solutions deployed. Security testing of these solutions may be intrusive and is therefore beyond the scope of this research.

Mail Server Security

During the research, we were able to identify 147 mail servers that are used to accept or relay emails. Nearly half of mail servers (48%) do not support SSL/TLS encryption, which makes it very easy for an attacker to perform a Man-in-the-Middle (MitM) attack, intercept traffic and read email communication in plain text.

Roughly 21% of the mail servers (32) scored an “A” grade. The remaining 44 servers had poor of vulnerable implementation of SSL/TLS, mostly with “C” and failing “F” grades:

State of Cybersecurity at Top 100 Global Airports
Diagram 10: TLS Security of Mail Servers

Organizations are well aware of the necessity to harden SSL/TLS encryption of their websites, but largely neglect their email servers. By using our free SSL test you can easily test your IMAPS, POP3S, SMTPS and STARTTLS email servers for security and privacy issues.

Mobile Applications and Backend APIs Security

Denise Lund, Research Director, Enterprise Mobility Research at IDC, says: "There are few businesses for whom a proven MAST (Mobile Application Security Testing) software solution cannot benefit its time, cost, and risk profile today and for the foreseeable future."

During this research, we found and tested 36 official mobile applications belonging to the airports. In total, 530 security and privacy issues were identified, including 288 mobile security flaws (15 per application on average). Below is a risk mapping (based on CVSSv3 scoring) for the detected vulnerabilities:

State of Cybersecurity at Top 100 Global Airports
Diagram 11: Mobile Security Vulnerabilities Risk Levels

The next diagram demonstrates distribution of the discovered issues mapped according to the OWASP Top 10 Mobile risks and weaknesses. M1 (Improper Platform Usage) and M2 (Insecure Data Storage) were present in every single application and are the most popular security flaws affecting the applications:

State of Cybersecurity at Top 100 Global Airports
Diagram 12: Distribution of OWASP Top 10 Mobile Risks

As for the mobile backends (e.g. Web Services or APIs), only 55% of the outgoing connections use proper TLS encryption to protect user data in transit.

27% of the connections send the information in plaintext and do not use encryption at all (“N” grade), and 5.7% are into obsolete and vulnerable SSLv3 protocol ending up with the failing “F” grade:

State of Cybersecurity at Top 100 Global Airports
Diagram 13: Mobile Apps Backends TLS Encryption

Dark Web Exposure

Compared to the Fortune 500 companies' exposure, the global airports are doing fairly well. For the purpose of this research, we leveraged our award-winning AI technology to distill findings from the Dark Web marketplaces and other locations, notably to remove duplicates, fakes and irrelevant findings.

After purification of the results, we found that 66 out of the 100 airports are exposed on the Dark Web in one way or another. As shown on the diagram below, 13 airports have leaks or exposures of a critical risk:

State of Cybersecurity at Top 100 Global Airports
Diagram 14: Dark Web Exposure Risk Levels

Below is a brief summary and explanations of the risks related to the Dark Web exposure:

RiskNumber of airportsQuantity of exposuresDescription
Critical1330Recent leak of highly confidential data (e.g. PII, PHI, IDs, financial records, plaintext passwords for production systems, etc.)
High1942Recent leak of confidential data (e.g. PII, accounts from third party systems, etc.)
Medium3579Leak of internal or sensitive data (e.g. source codes, documents, records, etc.)
Low48174Leak of outdated or low-criticality data (e.g. non-public technical documentation)

Public Code Repositories Exposure

A week ago, AWS reportedly leaked exposed passwords and private keys on GitHub to continue a lingering set of security incidents related to public code repositories.

Nowadays, increasingly more companies and organizations rely on public code repositories to share code, and the world's largest airports are no exception. In light of the omnipresent proliferation of CI/CD and DevOps across the globe, 87 out of 100 airports had some sensitive or internal data exposed at various public code repositories, such as GitHub or Bitbucket. Amongst them, 59 airports were identified with 227 code leakages of a critical risk:

State of Cybersecurity at Top 100 Global Airports
Diagram 15: Code Repositories Exposure Risk Levels

Below is a brief summary and explanations of the risks related to the Code Repositories exposure:

RiskNumber of airportsQuantity of issuesDescription
Critical59227Confidential information disclosure (e.g. hardcoded passwords, API keys, private tokens, etc.)
High61306Sensitive information disclosure (e.g. password from third-party systems, internal source code, etc.)
Medium74995Internal information disclosure (e.g. config files, internal paths or schemas, etc.)
Low801656Debugging or technical information (e.g. ToDo lists, bug reports, internal discussions of developers, etc.)

How to Reduce the Risks

  • Implement a continuous security monitoring system with anomaly detection to spot intrusions, phishing and password re-use attacks.
  • Run a continuous discovery and inventory of your digital assets, visualize your external attack surface and risk exposure with an Attack Surface Management (ASM) solution enhanced with Dark Web and code repositories monitoring.
  • Implement a holistic, DevSecOps-enabled application security program to test and remediate your web and mobile applications, APIs and OSS in a timely manner
  • Implement a third-party risk management program encompassing continuous monitoring of your vendors and suppliers going beyond a paper-based questionnaire.
  • Invest into security awareness of your personnel, explain the risks of using professional emails on third-party resources, gamify anti-phishing training and reward the best learners.

Visualize your external attack surface and Dark Web exposure with ImmuniWeb® Discovery.

What’s next:


Latest news and insights on AI and Machine Learning for application security testing, web, mobile and IoT security vulnerabilities, and application penetration testing.
Book a Call Ask a Question
Close
Talk to ImmuniWeb Experts
ImmuniWeb AI Platform
Have a Technical Question?

Our security experts will answer within
one business day. No obligations.

Have a Sales Question?
Email:
Tel: +41 22 560 6800 (Switzerland)
Tel: +1 720 605 9147 (USA)
*
*
*
*
Your data will stay private and confidential