Feeds

Trial for T5 mandatory biometrics kicks off at Heathrow

Terminal 1 passengers get to be lab rats

5 things you didn’t know about cloud backup

Quietly on Friday, Heathrow Airport recruited quantities of involuntary lab rats to test fingerprint-based security/traffic control system planned for Terminal 5. The luckless pioneers were selected at Terminal 1, where biometrics are now being deducted from any domestic passengers wishing to visit the international lounge.

Unconvincingly, BAA claims that the security system is being used to identify passengers in order to stop them swapping tickets once they're in the departure lounge. Terminal 5, due to open later this year, will mix domestic and international passengers in a single lounge, while although Terminal 1 has two lounges, domestic passengers are allowed to use the international one. So they need separating too - how they've managed previously, we've really no idea.

The system being used was described by The Register a little over a year ago. When fully operational it will take biometrics from all passengers as they pass into the departure lounge, and match them up as they board the aircraft. The biometrics being taken are fingerprints and a digital photograph - not, as incorrectly reported elsewhere, iris scans.

According to BAA the biometrics data will not be passed on to other authorities and will be destroyed at the end of each day. This goes some way to making the system relatively harmless (although 'destroyed on boarding' would be better), so long as we believe them, and for as long as it takes before the government starts saying 'retention of records' and 'access for the security services.'

But let's just rewind to that bit about stopping passengers swapping tickets, and try to figure out how biometric ID could help. The basic pre-biometric system used at Heathrow and most other UK international airports is approximately as follows. Passengers check in, showing their tickets and passports. They pass through the security barriers, and on their way the bar code on their ticket is scanned. In the vicinity of the security barriers their passport may be checked, but recent Register observations indicate that this isn't always the case.

It's therefore perfectly possible that both passport checks, at check-in and boarding, are carried out by the airline's staff, and if online check-in is used, then the only check of the physical passport may be at the gate. It's also perfectly feasible that the passport is never checked for forgery, never has its barcode scanned, nor (for the new ones) has its chip read at any point in the process. Which may strike you as something other than progress towards the government's goal of counting everybody in and out, but no matter.

Whether or not you'd count the personal details filled in during online check-in as an ID check is perhaps debatable, but there is at least one ID check in the process, at the point of departure. So yes, you could get into the departure lounge on a domestic ticket and then switch to an international one, but you'd still need a passport (real or fake) to match the name on the ticket, and someone pretending to be you would have had to get them past security. Granted, future security systems may turn out to be tougher for international passengers and therefore there might be an advantage in ducking through the domestic departures gate, but the process of evasion seems sufficiently logistically challenging for one to doubt that an actual vulnerability exists, at least for passengers starting their journey at Heathrow.

BAA however explains that the actual vulnerability is solely a borders and immigration matter, and goes like this. International passenger arrives at Heathrow as a transit passenger, then switches tickets to a domestic flight, thus evading UK immigration at Heathrow and arriving elsewhere in the UK as a domestic passengers. Which strikes us as one hell of a vulnerability in the routing of transit passengers (sheesh, don't they have security at Heathrow?), but one that could possibly be fixed by some means other than fingerprinting absolutely everybody who uses the place. Or the country, which is the longer-term goal.

Nor are other 'benefits' of the system particularly obvious. It allows you to know who has passed into the lounge, but you know that already from the barcode scan. It tells you when they've got onto the aircraft and who didn't make it, but you know that from the passenger list. And as you're not sharing the data with anybody else and torching it at the end of the day, there's no benefit there either. There might be a benefit if you were proposing to dispense with the ID check at the gate, because that might be faster - but what new vulnerabilities might you introduce there? ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.