A study shows that airport websites and applications are very poorly protected. Out of 100 airports tested, 97 fail to secure passenger data as well as their own documents, such as passwords and accounting records. A word of advice: never use a mobile application.
A team of cybersecurity researchers at ImmuniWeb analyzed the security of the websites and applications of 100 of the largest airports around the globe. The results are telling, to say the least. In total, 97 of the 100 airports posed risks that could allow intruders to compromise their equipment and steal travelers’ confidential information. Only Amsterdam Schiphol in the Netherlands, Helsinki-Vantaa in Finland and Dublin in Ireland offer sufficient security to travelers.
Airport websites are particularly problematic, as 97% rely on outdated code, 24% of which contain known and serious flaws. Three-quarters of the sites do not comply with the General Data Protection Regulation (GDPR) or the Payment Card Industry Data Security Standard (PCI DSS). Almost a quarter use no encryption for data transmission or use version 3 of the SSL protocol, which is obsolete.
All mobile apps are vulnerable
On the mobile app side, the results are even worse. All applications without exception use at least five external software frameworks and contain at least two known flaws. On average, researchers discovered no fewer than 15 security or privacy concerns, and one-third did not encrypt outgoing communications.
The researchers also used artificial intelligence to crawl the dark web, analyzing the content of forums and dark web markets in search of confidential data that had been stolen, for example by exploiting a vulnerability. They discovered sensitive data there from two-thirds of the airports inspected. For 13 of them, the researchers classified the leaks as critical, since they include financial records, system passwords, etc.
A lot of data exposed by simple negligence
Airports' private information is not only obtained through flaws; their systems are also exposed through human error. Most of them share their source code on collaborative sites like GitHub, but 87% have not properly redacted all confidential data beforehand. Two hundred and twenty-seven of the problems detected, which concern 59 airports, are critical (passwords, API keys, etc.). Finally, three of the airports keep private information on public hosting without any protection.
Ilia Kolochenko, CEO and founder of ImmuniWeb, commented on these results: “Given the number of people and organizations who entrust their data and their lives to international airports every day, these results are rather alarming. Being a regular traveler, I prefer to travel via airports that care about cybersecurity. Without being able to choose one of the three airports that received the maximum score, it is better to be careful to enter as little information as possible on the website of an airport and completely avoid their mobile applications.”