
State of Cybersecurity at Airports - keydutch
https://irishtechnews.ie/state-of-cybersecurity-at-top-100-global-airports/
======
mikece
Mobile app security can be a big deal. I remember a few years ago the app for
British Airways would make a non-encrypted call to BA servers to get the SSIDs
and passwords for the WiFi access points of their airport lounges. While
trivial in comparison to other security leaks, it goes to show that small but
important things can easily be overlooked.
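
The failure mode described above (a credential payload travelling over plain HTTP) is something a tester can flag mechanically. The following is an added example, not code from the original post or from any airline app: it walks a list of captured HTTP transactions, as a proxy such as mitmproxy could export them, and reports any cleartext (`http://`) response whose JSON body carries credential-like fields. The transactions, the hostname `api.example-airline.test` and the field names are constructed for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample capture: three transactions as a proxy might log them.
# The host and bodies are made up for this example; the first one mirrors
# the pattern in the comment above (lounge WiFi details over plain HTTP).
SAMPLE_TRANSACTIONS = [
    {
        "url": "http://api.example-airline.test/lounges/wifi",
        "status": 200,
        "body": '{"lounges":[{"name":"T5 North","ssid":"Lounge-WiFi","password":"s3cretpsk"}]}',
    },
    {
        "url": "https://api.example-airline.test/flights/status",
        "status": 200,
        "body": '{"flight":"BA123","status":"on time"}',
    },
    {
        "url": "http://cdn.example-airline.test/images/logo.png",
        "status": 200,
        "body": "\x89PNG...",  # binary, not JSON: must not crash the scanner
    },
]

# Field names that indicate a credential. SSID is included because an SSID
# plus a PSK is a complete credential for joining the network.
SENSITIVE_KEYS = {
    "password", "passwd", "pwd", "psk", "passphrase", "secret",
    "token", "api_key", "apikey", "ssid",
}


def find_sensitive_fields(body: str) -> list:
    """Return JSONPath-like locations of sensitive string fields in a JSON body.

    Non-JSON bodies (images, HTML) yield an empty list rather than an error.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return []
    hits = []
    stack = [(data, "$")]
    while stack:
        node, path = stack.pop()
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}"
                if key.lower() in SENSITIVE_KEYS and isinstance(value, str):
                    hits.append(child)
                stack.append((value, child))
        elif isinstance(node, list):
            for index, value in enumerate(node):
                stack.append((value, f"{path}[{index}]"))
    return sorted(hits)


def flag_cleartext_secrets(transactions) -> list:
    """Report transactions that sent credential-like fields over plain HTTP.

    HTTPS transactions are skipped: the check is specifically for data that
    a passive observer on the network path could read.
    """
    findings = []
    for txn in transactions:
        if urlsplit(txn["url"]).scheme != "http":
            continue
        fields = find_sensitive_fields(txn.get("body", ""))
        if fields:
            findings.append({"url": txn["url"], "fields": fields})
    return findings


if __name__ == "__main__":
    for finding in flag_cleartext_secrets(SAMPLE_TRANSACTIONS):
        print(f"CLEARTEXT CREDENTIALS: {finding['url']} -> {', '.join(finding['fields'])}")
```

Run against the constructed capture, only the lounge WiFi call is reported; the HTTPS call is ignored regardless of content, and the PNG body is skipped as non-JSON. In practice the transaction list would come from a proxy export or a HAR file, and the key list would be extended with whatever field names the app under test actually uses.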

~~~
riyakhanna1983
We see a lot of security researchers time and time again finding security
issues with mobile apps. Not sure if security matters more than adding
features quickly.

------
mayniac
"66% of the airports are exposed on the Dark Web"

What exactly does this mean?

~~~
LukeHoersten
The actual study talks about it a bit more (linked in another comment).
"Recent leak of highly confidential data (e.g. PII, PHI, IDs, financial
records, plaintext passwords for production systems, etc.)"

------
LukeHoersten
The actual study the article references:
https://www.immuniweb.com/blog/state-of-cybersecurity-top-100-airports.html

------
bArray
Backup source:
https://web.archive.org/web/20200130122835/https://irishtechnews.ie/state-of-cybersecurity-at-top-100-global-airports/

------
Aeolun
For some reason, I fully expected Schiphol airport to be one of the three.

------
dbg31415
First hand knowledge of why airports are getting such terrible scores.

Airlines use agencies to do a lot of their tech work.

And agencies never really hire the "best and brightest" -- when they need to
staff up after winning a project, they hire whatever freelancers they can get
their hands on; whatever freelancer allows them to still make a 40-70% margin,
that is.

Airlines will go with the lowest bidder, more often than not, and all of the
funding for a website or app is Capital Expenditure (CapEx) -- meaning there's
no ongoing money set aside to do updates and security patches.

While airlines probably do have some sort of under-staffed IT department, most
of the projects are owned inside of the airline's marketing team's budget.
This means the airline's IT department is typically intentionally excluded
from the talks between the airline's marketing team and the agency doing the
work, making maintenance of whatever gets delivered a lot harder.

The Airline's marketing team will say things like, "Our IT guys are slow, if
we ask them for an estimate they'd say 3 years... we want this done in 6
months." Even if the agency staff wants to flag a tech or security issue...
the dev doing the work is more often than not just on a contract, and would
have to fight his manager (who would then have to fight the account manager)
to get any sort of time to fix the defect. The airline's marketing team will
lean on the agency to cut corners to hit the date.

Just an aside: oftentimes the airline's IT staff is so under-funded that their
only option is to lock down every bit of equipment. So the airline's marketing
team ends up using OLD laptops with Windows 7, and can't even install things
like Slack. So all communication between the airline's IT marketing team and
the agency vendor happens on personal text messages, or via WhatsApp. Files
are sent via whatever temp large storage host the marketing guys know how to
use... I remember asking for a schema and getting back large chunks of
customer data, over 100k rows, all sent via whatever "free large file upload"
tool was popular at the time. I had to watch an ad video to download, seemed a
lot more secure than a password...

When the project is finally launched, the agency won't have put together any
sort of documentation around it if that documentation wasn't part of the
requirements in the bid. And more often than not there's no security review.
True story... we shut down an internal testing server, and had a client call
us panicked. When we gave them code, they couldn't get their IT guys to load
it onto their servers... so they just changed the DNS over to their test
servers. This website was gathering customer details, and serving as the
source of truth for the marketing CRM for years... we weren't told the test
server was now customer-live, but it's doubtful anyone would have cared since all
we did was mark up the cloud hosting bill and pass it on to the airline.

Also, you can replace "airline" with just about any company type here that uses
agencies, but it's certainly true for airlines.

~~~
na85
At least in North America, airlines and airports are not the same
corporations.

