Feeds

Trial for T5 mandatory biometrics kicks off at Heathrow

Terminal 1 passengers get to be lab rats

Using blade systems to cut costs and sharpen efficiencies

Quietly on Friday, Heathrow Airport recruited quantities of involuntary lab rats to test fingerprint-based security/traffic control system planned for Terminal 5. The luckless pioneers were selected at Terminal 1, where biometrics are now being deducted from any domestic passengers wishing to visit the international lounge.

Unconvincingly, BAA claims that the security system is being used to identify passengers in order to stop them swapping tickets once they're in the departure lounge. Terminal 5, due to open later this year, will mix domestic and international passengers in a single lounge, while although Terminal 1 has two lounges, domestic passengers are allowed to use the international one. So they need separating too - how they've managed previously, we've really no idea.

The system being used was described by The Register a little over a year ago. When fully operational it will take biometrics from all passengers as they pass into the departure lounge, and match them up as they board the aircraft. The biometrics being taken are fingerprints and a digital photograph - not, as incorrectly reported elsewhere, iris scans.

According to BAA the biometrics data will not be passed on to other authorities and will be destroyed at the end of each day. This goes some way to making the system relatively harmless (although 'destroyed on boarding' would be better), so long as we believe them, and for as long as it takes before the government starts saying 'retention of records' and 'access for the security services.'

But let's just rewind to that bit about stopping passengers swapping tickets, and try to figure out how biometric ID could help. The basic pre-biometric system used at Heathrow and most other UK international airports is approximately as follows. Passengers check in, showing their tickets and passports. They pass through the security barriers, and on their way the bar code on their ticket is scanned. In the vicinity of the security barriers their passport may be checked, but recent Register observations indicate that this isn't always the case.

It's therefore perfectly possible that both passport checks, at check-in and boarding, are carried out by the airline's staff, and if online check-in is used, then the only check of the physical passport may be at the gate. It's also perfectly feasible that the passport is never checked for forgery, never has its barcode scanned, nor (for the new ones) has its chip read at any point in the process. Which may strike you as something other than progress towards the government's goal of counting everybody in and out, but no matter.

Whether or not you'd count the personal details filled in during online check-in as an ID check is perhaps debatable, but there is at least one ID check in the process, at the point of departure. So yes, you could get into the departure lounge on a domestic ticket and then switch to an international one, but you'd still need a passport (real or fake) to match the name on the ticket, and someone pretending to be you would have had to get them past security. Granted, future security systems may turn out to be tougher for international passengers and therefore there might be an advantage in ducking through the domestic departures gate, but the process of evasion seems sufficiently logistically challenging for one to doubt that an actual vulnerability exists, at least for passengers starting their journey at Heathrow.

BAA however explains that the actual vulnerability is solely a borders and immigration matter, and goes like this. International passenger arrives at Heathrow as a transit passenger, then switches tickets to a domestic flight, thus evading UK immigration at Heathrow and arriving elsewhere in the UK as a domestic passengers. Which strikes us as one hell of a vulnerability in the routing of transit passengers (sheesh, don't they have security at Heathrow?), but one that could possibly be fixed by some means other than fingerprinting absolutely everybody who uses the place. Or the country, which is the longer-term goal.

Nor are other 'benefits' of the system particularly obvious. It allows you to know who has passed into the lounge, but you know that already from the barcode scan. It tells you when they've got onto the aircraft and who didn't make it, but you know that from the passenger list. And as you're not sharing the data with anybody else and torching it at the end of the day, there's no benefit there either. There might be a benefit if you were proposing to dispense with the ID check at the gate, because that might be faster - but what new vulnerabilities might you introduce there? ®

The smart choice: opportunity from uncertainty

More from The Register

next story
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.