Due to the Coronavirus epidemic, another development with worrisome implications for air travel barely got noticed. Most major airports are exposed on the Dark Web, a recent study found.
Security experts were alarmed to learn that 66 out of 100 airports were exposed on the Dark Web. This finding is the result of a recent cybersecurity study conducted by ImmuniWeb, a provider of attack surface management and threat intelligence services.
The firm examined The State of Cybersecurity at Top 100 Global Airports and found myriads of vulnerabilities. Its researchers discovered that 13 airports had data leaks or exposure at a critical risk level, which the company defines as a "recent leak of highly confidential data (e.g. PII, PHI, IDs, financial records, plaintext passwords for production systems, etc.)."
ImmuniWeb scrutinized the world's Top 100 Airports, as voted by air travelers in the 2018/2019 World Airport Survey of Skytrax, the organizer of the World Airport Awards.
The good news is that three airports passed all the operational tests for cybersecurity without a single "major issue." The "winners" were: Amsterdam Airport Schiphol (EU), Helsinki-Vantaa Airport (EU), and Dublin Airport (EU).
The bad news: this leaves 97 leading airports with a whole slew of often significant problems.
Airport Safety, OSINT, and the Dark Web
In the course of their investigation, ImmuniWeb's security researchers targeted the airports on the list with OSINT-based discovery and monitored some Dark Web marketplaces and forums.
The researchers also undertook what they call "non-intrusive security testing of public cloud storage (AWS S3)", along with examining public code repositories (like GitHub).
Want to spot an unsafe airport? Exposure on the Dark Web is a critical indicator of weaknesses in an airport's security posture. Criminals, terrorists, and nation state-sponsored threat actors buy and sell login credentials and other security-relevant information on clandestine Dark Web marketplaces.
That so many major airports were (and still are) exposed on the Dark Web doesn't come as a surprise to cyber threat intelligence professionals.
They point out the main challenge many security operation centers, threat hunting teams, and public safety professionals are facing when gathering open source intelligence.
The problem: Most lack the tools and capabilities to securely access and investigate on the Dark Web while maintaining adequate operational security. Real-life examples are shared in this video interview and this blog post.
What Else Are Airport IT Security Teams Missing?
Exposure on the Dark Web is by far not the only problem plaguing the surveyed airports. The majority of airport websites showed a variety of security vulnerabilities that open them up to attacks from the outside. ImmuniWeb found that
- 97% of the airport websites contained outdated web software. 24% of the sites contained known and exploitable vulnerabilities in Content Management Systems (CMS) and web components, such as jQuery.
What this means: outdated software usually does not contain patches for vulnerabilities that have previously been identified and can be used by attackers in exploits.
A look at the Authenic8 blog shows how attackers have used these techniques and succeeded in breaching sites in 2019. How can airports insulate both the teams managing web code and content, as well as airport website visitors and app users, from such exploits?
Web isolation provides a solution that doesn't require rebuilding such systems from the ground up. It precludes web code from being processed locally on a developer's or traveler's browser. Streaming a visual display (benign pixels) of the web session from a secure container in the cloud to users instead, web isolation solutions such as Authentic8's Silo prevent exposing their computers or smartphones to web-borne risks.
- The researchers also found that 76% and 73% of the websites were not compliant with the European Union's strict General Data Protection Regulation (GDPR) - which is applicable outside the EU - and the Payment Card Industry Data Security Standard (PCI DSS) respectively.
What this means: Airports that violate these rules and standards put their employees, contractors, and visitors at risk. The same may be true for, say, corporate travel departments and business travelers accessing the apps and web services of non-compliant airports.
They run the risk of inadvertently exposing the data of EU-based customers, clients, or fellow employees on such airports. For more details, check these resources about web access and GDPR-readiness.
Several U.S. companies are already facing stiff penalties for GDPR non-compliance, as discussed in this Authentic8 blog post about data breaches in the travel and hospitality industry.
- Notably, 24% of the websites have no SSL encryption, or they or use obsolete SSLv3.
What this means: Encrypting the data traffic between the user's browser and the visited website is one of the basics for data protection and web authentication. While being far from perfect, HTTPS/SSL needs to be both current and functional on any externally-facing website, no matter the industry sector.
55% of the airport websites told ImmuniWeb that they are protected by a Web Application Firewall (WAF) - do they think this will be sufficient? By the way, this figure for WAF use is lower for the subdomains associated with airports, where it comes in at 40%.
Airport Apps Vulnerable to Code Library Exploits
As far as Mobile Application security goes, the report states that 100% of the mobile apps that are used or offered by the airports contained at least five external software frameworks.
All of these mobile apps also contained at least two vulnerabilities each. Should we be surprised? Not really. And don't expect relief from WASM.
The list of perils doesn't end there. On average, 15 security or privacy issues were detected per app. Another finding raises additional concerns: 33.7% of the mobile apps didn't protect outgoing traffic by encryption.
The bottom line is that unprotected apps become easy targets for attackers. Functional isolation of all web activities outside the organization's IT perimeter may be necessary to prevent airport data and operational security breaches.
Web isolation precludes code from the internet from being processed by locally installed browsers. Instead, it provides users with a visual display stream (benign pixels, essentially) of the web session from a secure container in the cloud.
Airport Cloud Storage Leaks
These IT security problems threatening airline passengers and airport operations alike are exacerbated by negligent and careless data storage setup and maintenance, the survey found.
Case in point: ImmuniWeb's scan for public clouds revealed the usage of AWS S3 public cloud storage by 12 airports. Three of these airports had buckets that were publicly accessible and contained a considerable volume of visibly sensitive data.
Additionally, the airports rely on various third-party SaaS and PaaS solutions, such as Monday Project Management or Heroku. 33 airports rely on third parties to process or store potentially sensitive data, deploying in total 88 different services.
What do these findings mean for the air travel and aviation industry as a whole?
Web's Weakness Puts Air Travel in Peril
Another recent study, commissioned by the World Economic Forum (WEF), helps put the ImmuniWeb results in perspective.
The WEF realized that any single point of failure in the system that happens for any reason could feed disinformation to all the other interconnected aviation parts, which could imperil the transportation mode as a whole.
In its report Advancing Cyber Resilience in Aviation: An Industry Analysis, the WEF provides a sobering assessment. The aviation industry, the authors urge, needs to "[u]nderstand shared risk ("your risk is my risk") and develop market incentives to nudge industry players to improve cyber capabilities across the supply chain."
Supply chain threats have been discussed frequently on this blog, and they can be subtle. Attackers may not initially cause wreckage, preferring to use their ill-gotten network access for gathering information to use in later efforts.
The WEF report also looks at how a lack of data confidentiality could impact data integrity going forward and cautions: "Integrity related controls are more complex to enforce and manage."
The authors warn: "Attacks affecting the integrity of information poses [sic] an increasing risk to the aviation industry. Machine learning will bring new risks related to data security such as data poisoning, data manipulation, logic corruption or data injection."
According to the WEF study, employee negligence or malfeasance drove 66% of the insurance claims submitted by companies impacted by cyber incidents.
External threat actors caused 18% of the incidents, "other" reasons were behind 9% of them, while direct social engineering attacks caused 3%. Network business interruption came in at 2%, along with "cyber extortion" (read: ransomware), which also accounted for 2%.
Social Engineering and the Dark Web
Quite likely, the Dark Web also played a role in incidents that airport operators reported to insurers as caused by" employee negligence or malfeasance. "Even if the resulting breach was not directly attributable to social engineering, it could have facilitated it.
A typical example: spear phishing attacks. They often leverage detailed insights into organizational reporting chains, prior financial transactions, and confidential email communication.
In the light of the ImmuniWeb findings, one wonders how many socially engineered ruses were and are prepared based on information acquired and profiles built from Dark Web resources - while airport security teams remain blissfully unaware of what is going on.