Feeds

Trial for T5 mandatory biometrics kicks off at Heathrow

Terminal 1 passengers get to be lab rats

The Power of One eBook: Top reasons to choose HP BladeSystem

Quietly on Friday, Heathrow Airport recruited quantities of involuntary lab rats to test fingerprint-based security/traffic control system planned for Terminal 5. The luckless pioneers were selected at Terminal 1, where biometrics are now being deducted from any domestic passengers wishing to visit the international lounge.

Unconvincingly, BAA claims that the security system is being used to identify passengers in order to stop them swapping tickets once they're in the departure lounge. Terminal 5, due to open later this year, will mix domestic and international passengers in a single lounge, while although Terminal 1 has two lounges, domestic passengers are allowed to use the international one. So they need separating too - how they've managed previously, we've really no idea.

The system being used was described by The Register a little over a year ago. When fully operational it will take biometrics from all passengers as they pass into the departure lounge, and match them up as they board the aircraft. The biometrics being taken are fingerprints and a digital photograph - not, as incorrectly reported elsewhere, iris scans.

According to BAA the biometrics data will not be passed on to other authorities and will be destroyed at the end of each day. This goes some way to making the system relatively harmless (although 'destroyed on boarding' would be better), so long as we believe them, and for as long as it takes before the government starts saying 'retention of records' and 'access for the security services.'

But let's just rewind to that bit about stopping passengers swapping tickets, and try to figure out how biometric ID could help. The basic pre-biometric system used at Heathrow and most other UK international airports is approximately as follows. Passengers check in, showing their tickets and passports. They pass through the security barriers, and on their way the bar code on their ticket is scanned. In the vicinity of the security barriers their passport may be checked, but recent Register observations indicate that this isn't always the case.

It's therefore perfectly possible that both passport checks, at check-in and boarding, are carried out by the airline's staff, and if online check-in is used, then the only check of the physical passport may be at the gate. It's also perfectly feasible that the passport is never checked for forgery, never has its barcode scanned, nor (for the new ones) has its chip read at any point in the process. Which may strike you as something other than progress towards the government's goal of counting everybody in and out, but no matter.

Whether or not you'd count the personal details filled in during online check-in as an ID check is perhaps debatable, but there is at least one ID check in the process, at the point of departure. So yes, you could get into the departure lounge on a domestic ticket and then switch to an international one, but you'd still need a passport (real or fake) to match the name on the ticket, and someone pretending to be you would have had to get them past security. Granted, future security systems may turn out to be tougher for international passengers and therefore there might be an advantage in ducking through the domestic departures gate, but the process of evasion seems sufficiently logistically challenging for one to doubt that an actual vulnerability exists, at least for passengers starting their journey at Heathrow.

BAA however explains that the actual vulnerability is solely a borders and immigration matter, and goes like this. International passenger arrives at Heathrow as a transit passenger, then switches tickets to a domestic flight, thus evading UK immigration at Heathrow and arriving elsewhere in the UK as a domestic passengers. Which strikes us as one hell of a vulnerability in the routing of transit passengers (sheesh, don't they have security at Heathrow?), but one that could possibly be fixed by some means other than fingerprinting absolutely everybody who uses the place. Or the country, which is the longer-term goal.

Nor are other 'benefits' of the system particularly obvious. It allows you to know who has passed into the lounge, but you know that already from the barcode scan. It tells you when they've got onto the aircraft and who didn't make it, but you know that from the passenger list. And as you're not sharing the data with anybody else and torching it at the end of the day, there's no benefit there either. There might be a benefit if you were proposing to dispense with the ID check at the gate, because that might be faster - but what new vulnerabilities might you introduce there? ®

Designing a Defense for Mobile Applications

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.