New research has shone a light on what appears to be a shocking lack of security at the world’s airports.
Boffins at ImmuniWeb took a look at 100 of the world’s largest airports, and only found three that passed with flying colours for their web and app security.
According to research published by ImmuniWeb, “97 out of 100 the world’s largest airports have security risks related to vulnerable web and mobile applications, misconfigured public cloud, Dark Web exposure or code repositories leaks.”
Problems with the airports’ official websites included:
- outdated web software (97%)
- known and exploitable vulnerabilities (24%)
- not GDPR compliant (76%)
- not PCI DSS compliant (73%)
- and no SSL encryption or the use of obsolete SSL version 3 (24%)
Furthermore, a test of 36 official airport smartphone apps found a grand total of 288 mobile security flaws (15 per app on average).
According to the researchers, 100% of the mobile apps contained vulnerabilities, with 15 security or privacy issues detected per app on average.
Disappointingly, 33.7% of the mobile apps sent outgoing traffic with no encryption. So, maybe you should remember to pack your VPN, after all?
The only international airports which passed with top grades were Schiphol airport in Amsterdam, Helsinki-Vantaa airport in Finland, and Ireland’s Dublin airport.
“Given how many people and organizations entrust their data and lives to international airports every day, these findings are quite alarming. Being a frequent flyer, I frankly prefer to travel via the airports that do care about their cybersecurity,” said Ilia Kolochenko, CEO and founder of ImmuniWeb. “Cybercriminals may well consider attacking the unwitting air hubs to conduct chain attacks of the travelers or cargo traffic, as well as aiming attacks at the airports directly to disrupt critical national infrastructure.”
I don’t think poor web security should make you feel any more nervous about your next flight, but it may make you pause before you enter sensitive information into the airport’s app or place trust in its website.
In the past, airports have suffered ransomware attacks, hackers stealing building plans and sensitive security protocols, DDoS attacks, and even data leaks at boarding gate displays.
Let’s just hope they’ve woken up to the threats, and are not keeping their head in the clouds about web security.