97% of airports showing signs of weak cybersecurity

97% of airports showing signs of weak cybersecurity

New research has shone on a light on what appears to be a shocking lack of security at the world’s airports.

Boffins at ImmuniWeb took a look at 100 of the world’s largest airports, and only found three that passed with flying colours for their web and app security.

According to research published by ImmuniWeb, “97 out of 100 the world’s largest airports have security risks related to vulnerable web and mobile applications, misconfigured public cloud, Dark Web exposure or code repositories leaks.”

Sign up to our free newsletter.
Security news, advice, and tips.

Problems with the airports’ official websites included:

  • outdated web software (97%)
  • known and exploitable vulnerabilities (24%)
  • not GDPR compliant (76%)
  • not PCI DSS compliant (73%)
  • and no SSL encryption or the use of obsolete SSL version 3 (24%)

Furthermore, a test of 36 official airport smartphone apps found a grand total of 288 mobile security flaws (15 per app on average).

According to the researchers, 100% of the mobile apps contained vulnerabilities, with 15 security or privacy issues detected per app on average.

Disappointingly, 33.7% of the mobile apps sent outgoing traffic with no encryption. So, maybe you should remember to pack your VPN, after all?

The only international airports which passed with top grades were Schiphol airport in Amsterdam, Helsinki-Vantaa airport in Finland, and Ireland’s Dubin airport.

“Given how many people and organizations entrust their data and lives to international airports every day, these findings are quite alarming. Being a frequent flyer, I frankly prefer to travel via the airports that do care about their cybersecurity,” said Ilia Kolochenko, CEO and founder of ImmuniWeb. “Cybercriminals may well consider attacking the unwitting air hubs to conduct chain attacks of the travelers or cargo traffic, as well as aiming attacks at the airports directly to disrupt critical national infrastructure.”

I don’t think poor web security should make you feel any more nervous about your next flight, but it may make you pause before you enter sensitive information into the airport’s app or place trust in its website.

In the past, airports have suffered ransomware attacks, from hackers stealing building plans and sensitive security protocols, DDoS attacks, and even data leaks at boarding gate displays.

Let’s just hope they’ve woken up to the threats, and are not keeping their head in the clouds about web security.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.