Feeds

Trial for T5 mandatory biometrics kicks off at Heathrow

Terminal 1 passengers get to be lab rats

Providing a secure and efficient Helpdesk

Quietly on Friday, Heathrow Airport recruited quantities of involuntary lab rats to test fingerprint-based security/traffic control system planned for Terminal 5. The luckless pioneers were selected at Terminal 1, where biometrics are now being deducted from any domestic passengers wishing to visit the international lounge.

Unconvincingly, BAA claims that the security system is being used to identify passengers in order to stop them swapping tickets once they're in the departure lounge. Terminal 5, due to open later this year, will mix domestic and international passengers in a single lounge, while although Terminal 1 has two lounges, domestic passengers are allowed to use the international one. So they need separating too - how they've managed previously, we've really no idea.

The system being used was described by The Register a little over a year ago. When fully operational it will take biometrics from all passengers as they pass into the departure lounge, and match them up as they board the aircraft. The biometrics being taken are fingerprints and a digital photograph - not, as incorrectly reported elsewhere, iris scans.

According to BAA the biometrics data will not be passed on to other authorities and will be destroyed at the end of each day. This goes some way to making the system relatively harmless (although 'destroyed on boarding' would be better), so long as we believe them, and for as long as it takes before the government starts saying 'retention of records' and 'access for the security services.'

But let's just rewind to that bit about stopping passengers swapping tickets, and try to figure out how biometric ID could help. The basic pre-biometric system used at Heathrow and most other UK international airports is approximately as follows. Passengers check in, showing their tickets and passports. They pass through the security barriers, and on their way the bar code on their ticket is scanned. In the vicinity of the security barriers their passport may be checked, but recent Register observations indicate that this isn't always the case.

It's therefore perfectly possible that both passport checks, at check-in and boarding, are carried out by the airline's staff, and if online check-in is used, then the only check of the physical passport may be at the gate. It's also perfectly feasible that the passport is never checked for forgery, never has its barcode scanned, nor (for the new ones) has its chip read at any point in the process. Which may strike you as something other than progress towards the government's goal of counting everybody in and out, but no matter.

Whether or not you'd count the personal details filled in during online check-in as an ID check is perhaps debatable, but there is at least one ID check in the process, at the point of departure. So yes, you could get into the departure lounge on a domestic ticket and then switch to an international one, but you'd still need a passport (real or fake) to match the name on the ticket, and someone pretending to be you would have had to get them past security. Granted, future security systems may turn out to be tougher for international passengers and therefore there might be an advantage in ducking through the domestic departures gate, but the process of evasion seems sufficiently logistically challenging for one to doubt that an actual vulnerability exists, at least for passengers starting their journey at Heathrow.

BAA however explains that the actual vulnerability is solely a borders and immigration matter, and goes like this. International passenger arrives at Heathrow as a transit passenger, then switches tickets to a domestic flight, thus evading UK immigration at Heathrow and arriving elsewhere in the UK as a domestic passengers. Which strikes us as one hell of a vulnerability in the routing of transit passengers (sheesh, don't they have security at Heathrow?), but one that could possibly be fixed by some means other than fingerprinting absolutely everybody who uses the place. Or the country, which is the longer-term goal.

Nor are other 'benefits' of the system particularly obvious. It allows you to know who has passed into the lounge, but you know that already from the barcode scan. It tells you when they've got onto the aircraft and who didn't make it, but you know that from the passenger list. And as you're not sharing the data with anybody else and torching it at the end of the day, there's no benefit there either. There might be a benefit if you were proposing to dispense with the ID check at the gate, because that might be faster - but what new vulnerabilities might you introduce there? ®

New hybrid storage solutions

More from The Register

next story
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.