Due to COVID, another development with worrisome implications for air travel barely got noticed. Most major airports are exposed on the dark web, a recent study found.
Security experts were alarmed to learn that 66 out of 100 airports were exposed on the dark web. This finding is the result of a recent cybersecurity study conducted by ImmuniWeb, a provider of attack surface management and threat intelligence services.
The firm examined The State of Cybersecurity at Top 100 Global Airports and found myriads of vulnerabilities. Its researchers discovered that 13 airports had data leaks or exposure at a critical risk level, which the company defines as a "recent leak of highly confidential data (e.g. PII, PHI, IDs, financial records, plaintext passwords for production systems, etc.)."
ImmuniWeb scrutinized the world's Top 100 Airports, as voted by air travelers in the 2018/2019 World Airport Survey of Skytrax, the organizer of the World Airport Awards.
The good news is that three airports passed all the operational tests for cybersecurity without a single "major issue." The "winners" were: Amsterdam Airport Schiphol (EU), Helsinki-Vantaa Airport (EU), and Dublin Airport (EU).
The bad news: this leaves 97 leading airports with a whole slew of often significant problems.
In the course of their investigation, ImmuniWeb's security researchers targeted the airports on the list with OSINT-based discovery and monitored some dark web marketplaces and forums.
The researchers also undertook what they call "non-intrusive security testing of public cloud storage (AWS S3)", along with examining public code repositories (like GitHub).
Want to spot an unsafe airport? Exposure on the dark web is a critical indicator of weaknesses in an airport's security posture. Criminals, terrorists, and nation-state-sponsored threat actors buy and sell login credentials and other security-relevant information on clandestine dark web marketplaces.
That so many major airports were (and still are) exposed on the dark web doesn't come as a surprise to cyber threat intelligence professionals.
They point out the main challenge many security operation centers, threat hunting teams, and public safety professionals are facing when gathering open-source intelligence.
The problem: Most lack the tools and capabilities to securely access and investigate on the dark web while maintaining adequate operational security. Real-life examples are shared in this video interview and this blog post.
Source: ImmuniWeb's State of Cybersecurity at Top 100 Global Airports
Exposure on the dark web is by far not the only problem plaguing the surveyed airports. The majority of airport websites showed a variety of security vulnerabilities that open them up to attacks from the outside.
ImmuniWeb found that only 55% of the airport websites were protected by a Web Application Firewall (WAF) - and do their operators think a WAF alone will be sufficient? WAF coverage is lower still for the subdomains associated with airports, where it comes in at 40%.
As far as mobile application security goes, the report states that 100% of the mobile apps that are used or offered by airports contained at least five external software frameworks.
All of these mobile apps also contained at least two vulnerabilities each. Should we be surprised? Not really. And don't expect relief from WASM.
The list of perils doesn't end there. On average, 15 security or privacy issues were detected per app. Another finding raises additional concerns: 33.7% of the mobile apps didn't protect outgoing traffic by encryption.
The bottom line is that unprotected apps become easy targets for attackers. Functional isolation of all web activities outside the organization's IT perimeter may be necessary to prevent airport data and operational security breaches.
Web isolation precludes code from the internet from being processed by locally installed browsers. Instead, it provides users with a visual display stream (benign pixels, essentially) of the web session from a secure container in the cloud.
These IT security problems threatening airline passengers and airport operations alike are exacerbated by negligent and careless data storage setup and maintenance, the survey found.
Case in point: ImmuniWeb's scan for public clouds revealed the usage of AWS S3 public cloud storage by 12 airports. Three of these airports had buckets that were publicly accessible and contained a considerable volume of visibly sensitive data.
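The public-bucket finding above comes down to two settings on each bucket: its bucket policy and its ACL. The following is an added example, not ImmuniWeb's scanner or any AWS-supplied code: an offline audit helper that applies the criteria AWS itself uses to label a bucket "public" (an Allow statement with a wildcard principal, or an ACL grant to the AllUsers or AuthenticatedUsers groups) to policy and ACL documents. The sample documents are constructed for the example; in real use they would come from the bucket owner's own `get_bucket_policy` / `get_bucket_acl` calls.

```python
"""Classify an S3 bucket's exposure from its bucket policy and ACL.

Added example (not ImmuniWeb's tooling and not an AWS library): an
offline check that a bucket owner can run over policy/ACL documents
pulled from their own account. Sample documents below are constructed.
"""
import json

# Canned group URIs used in S3 ACL grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (or "*" inside an AWS list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_findings(policy_doc):
    """Return (sid, conditional) pairs for Allow statements with a wildcard
    principal. A Condition block may narrow who can use the statement
    (e.g. to a source VPC), so those are reported as conditional for
    manual review rather than as outright public."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement is allowed
        statements = [statements]
    findings = []
    for idx, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(st.get("Principal")):
            continue
        sid = st.get("Sid", "statement[%d]" % idx)
        findings.append((sid, bool(st.get("Condition"))))
    return findings


def acl_findings(acl):
    """Return (group, permission) pairs granted to AllUsers/AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in (ALL_USERS, AUTH_USERS):
            found.append((uri.rsplit("/", 1)[-1], grant.get("Permission")))
    return found


def classify_bucket(policy_doc, acl):
    """Return ("PUBLIC" | "REVIEW" | "PRIVATE", list of human-readable reasons)."""
    reasons = []
    status = "PRIVATE"
    for sid, conditional in policy_findings(policy_doc):
        if conditional:
            reasons.append("policy statement '%s' has a wildcard principal "
                           "narrowed by a Condition; review it" % sid)
            if status == "PRIVATE":
                status = "REVIEW"
        else:
            reasons.append("policy statement '%s' allows anonymous access" % sid)
            status = "PUBLIC"
    for group, perm in acl_findings(acl):
        reasons.append("ACL grants %s to %s" % (perm, group))
        status = "PUBLIC"
    return status, reasons


# Constructed sample inputs (hypothetical bucket names and account id).
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-airport-assets/*"}]})
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "OwnerOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                   "Action": "s3:*", "Resource": "arn:aws:s3:::example-airport-backups/*"}]})
VPC_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VpcRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-internal/*",
                   "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0example"}}}]})
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                           "Permission": "FULL_CONTROL"}]}
PUBLIC_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                          "Permission": "READ"}]}

if __name__ == "__main__":
    for name, pol, acl in [("assets", PUBLIC_READ_POLICY, PRIVATE_ACL),
                           ("backups", RESTRICTED_POLICY, PRIVATE_ACL),
                           ("internal", VPC_ONLY_POLICY, PRIVATE_ACL),
                           ("legacy", RESTRICTED_POLICY, PUBLIC_ACL)]:
        status, reasons = classify_bucket(pol, acl)
        print(name, status, reasons)
```

Note that a bucket's account- or bucket-level Block Public Access setting overrides both documents; this helper only reads the two documents it is given, so it should be run alongside that setting, not instead of it.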
Additionally, the airports rely on various third-party SaaS and PaaS solutions, such as Monday Project Management or Heroku. 33 airports rely on third parties to process or store potentially sensitive data, deploying in total 88 different services.
What do these findings mean for the air travel and aviation industry as a whole?
Another recent study, commissioned by the World Economic Forum (WEF), helps put the ImmuniWeb results in perspective.
The WEF recognized that a single point of failure anywhere in the system, whatever its cause, could feed false information to all the other interconnected parts of aviation, which could imperil the transportation mode as a whole.
In its report Advancing Cyber Resilience in Aviation: An Industry Analysis, the WEF provides a sobering assessment. The aviation industry, the authors urge, needs to "[u]nderstand shared risk ("your risk is my risk") and develop market incentives to nudge industry players to improve cyber capabilities across the supply chain."
Supply chain threats have been discussed frequently on this blog, and they can be subtle. Attackers may not initially cause wreckage, preferring to use their ill-gotten network access for gathering information to use in later efforts.
The WEF report also looks at how a lack of data confidentiality could impact data integrity going forward and cautions: "Integrity related controls are more complex to enforce and manage."
The authors warn: "Attacks affecting the integrity of information poses [sic] an increasing risk to the aviation industry. Machine learning will bring new risks related to data security such as data poisoning, data manipulation, logic corruption or data injection."
According to the WEF study, employee negligence or malfeasance drove 66% of the insurance claims submitted by companies impacted by cyber incidents.
External threat actors caused 18% of the incidents, "other" reasons were behind 9% of them, while direct social engineering attacks caused 3%. Network business interruption came in at 2%, along with "cyber extortion" (read: ransomware), which also accounted for 2%.
Quite likely, the dark web also played a role in incidents that airport operators reported to insurers as caused by "employee negligence or malfeasance." Even if the resulting breach was not directly attributable to social engineering, it could have facilitated it.
A typical example: spear phishing attacks. They often leverage detailed insights into organizational reporting chains, prior financial transactions, and confidential email communication.
In the light of the ImmuniWeb findings, one wonders how many socially engineered ruses were and are prepared based on information acquired and profiles built from dark web resources - while airport security teams remain blissfully unaware of what is going on.
This blog was authored by guest contributor Larry Loeb.
Larry Loeb has been online since uucp "bang" addressing (where the world existed relative to !decvax) and served as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. He wrote for BYTE magazine, was a senior editor for the launch of WebWeek, and authored books on the Secure Electronic Transaction Internet protocol and "Hack Proofing XML" (his latest). Larry currently writes about cybersecurity for Security Now.