API magazine
February 11, 2020
No items found.

Geneva, Switzerland-based web security company ImmuniWeb carried out the research, looking into cybersecurity, compliance and privacy at the world’s largest airports. ImmuniWeb identified three international airports that successfully passed all of its tests without a single major issue being detected: Amsterdam Airport Schiphol (AMS), in the Netherlands; Helsinki-Vantaa Airport (HEL), in Finland; and Ireland’s Dublin Airport (DUB). But 24% of the main airport websites included in the survey had a failing “F” grade, meaning that they had outdated software with known and exploitable security vulnerabilities in CMS and/or web components. Some of the websites even had several vulnerable components: 97% of them contain outdated web software; 24% of the websites contain known and exploitable vulnerabilities; 76% and 73% of the websites are not compliant with GDPR and PCI DSS, respectively; and 24% of the websites have no SSL encryption or use obsolete SSLv3.

ImmuniWeb also tested 36 official mobile applications belonging to the airports. In total, 530 security and privacy issues were identified, including 288 mobile security flaws. The tests showed that 100% of the mobile apps contain at least five external software frameworks; 100% of the mobile apps contain at least two vulnerabilities; and in 33.7% of the mobile apps, outgoing traffic has no encryption. On average, 15 security or privacy issues per app were detected. The research team found that 66 out of the 100 airports surveyed are exposed on the dark web in one way or another. Thirteen of the airports involved have leaks or exposures of a critical risk.

Ilia Kolochenko, CEO and founder of ImmuniWeb, said: “Given how many people and organisations entrust their data and lives to international airports every day, these findings are quite alarming. Today, when our digital infrastructure is extremely intricate and intertwined with numerous third parties, holistic visibility of your digital assets and attack surface is pivotal to ensure the success of your cybersecurity programme. Without it, all your efforts and spending are in vain.”