
Heathrow Terminal 5 fingerprinting temporarily delayed - bio-safety and computer security worries still remain

It seems that the British Airports Authority (BAA) has temporarily backed down regarding Heathrow Terminal 5 mandatory fingerprinting of both domestic and international passengers.

See

A previous article in The Register, ICO queries Heathrow T5's huge fingerprint scam scan, points to the fact that the fingerprint scanners are being supplied by the German firm of Dermalog, who, no doubt, produce excellent fingerprinting equipment regarding the optics, scanning, compression algorithms etc.

However we can see no data or even any claims on their website regarding any bio-safety mechanisms for cleaning or sterilising their equipment in a mass transit application, to prevent the spread of infectious diseases.

The press reports that Heathrow Terminal 5 will be using "4 fingerprints" imply that the Dermalog product must be based on their eBorder Kiosk.

Unfortunately, this does not give us any confidence that the system is in any way properly tamperproof because:

System requirements:
  • MS Windows 2000, XP and Vista
  • Pentium III processor or faster
  • Min. 256 MB RAM
  • USB 2.0 and FireWire interface and CD-ROM drive

USB 2.0 may be a possible vulnerability, but Firewire is definitely a huge security risk.

There are ways of disabling Firewire in software, although the usual recommendation involves physically cutting the wires and blocking up the Firewire connection ports with epoxy resin.

There is no way of securing a Firewire system which is intended to be used. This is not a security bug or error; it is a "design feature", i.e. how it is meant to work.

Firewire provides Direct Memory Access to the computer system, regardless of any operating system security capabilities (all other operating systems are just as vulnerable as Microsoft Windows), and allows login credentials, cryptographic keys etc. to be bypassed or stolen, and has done so for several years:

See Hit by a Bus: Physical attacks with Firewire (.pdf) by Adam Boileau.
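As an added illustration of the "disabling Firewire in software" option mentioned above (this is not code from this blog, from Dermalog or from BAA): the kiosk described runs Windows, but since the DMA exposure applies to other operating systems too, the example audits a Linux host by reading `/proc/modules`-style and `modprobe.d`-style text. The module list and the sample inputs are assumptions constructed for the example.

```python
# FireWire (IEEE 1394) kernel modules on Linux: the current stack and the legacy one.
FIREWIRE_MODULES = {"firewire_core", "firewire_ohci", "firewire_sbp2",
                    "ieee1394", "ohci1394", "sbp2"}

def _norm(name):
    # modprobe treats '-' and '_' in module names as equivalent
    return name.strip().replace("-", "_")

def loaded_firewire(proc_modules_text):
    """Return FireWire modules present in /proc/modules-style text."""
    loaded = {ln.split()[0] for ln in proc_modules_text.splitlines() if ln.strip()}
    return sorted(loaded & FIREWIRE_MODULES)

def blocked_firewire(modprobe_conf_text):
    """Map module -> 'blacklist' or 'install' for FireWire modules in modprobe.d text.

    'blacklist' only stops automatic loading by alias; an 'install' line that
    runs /bin/false or /bin/true also defeats an explicit modprobe.
    """
    blocked = {}
    for raw in modprobe_conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 2 and tok[0] == "blacklist" and _norm(tok[1]) in FIREWIRE_MODULES:
            blocked.setdefault(_norm(tok[1]), "blacklist")
        elif (len(tok) >= 3 and tok[0] == "install" and _norm(tok[1]) in FIREWIRE_MODULES
              and tok[2] in ("/bin/false", "/bin/true")):
            blocked[_norm(tok[1])] = "install"
    return blocked

def audit(proc_modules_text, modprobe_conf_text):
    """Return a list of findings; an empty list means no FireWire exposure found."""
    findings = [f"{m} is loaded" for m in loaded_firewire(proc_modules_text)]
    blocked = blocked_firewire(modprobe_conf_text)
    for m in ("firewire_ohci", "ohci1394"):  # host-controller drivers
        how = blocked.get(m)
        if how is None:
            findings.append(f"{m} is not blocked from loading")
        elif how == "blacklist":
            findings.append(f"{m} is only blacklisted; explicit modprobe still works")
    return findings

# Constructed sample inputs (not taken from any real kiosk).
SAMPLE_MODULES = ("firewire_ohci 45056 0 - Live 0x0000000000000000\n"
                  "firewire_core 81920 1 firewire_ohci, Live 0x0000000000000000\n"
                  "usbcore 299008 4 xhci_hcd, Live 0x0000000000000000\n")
SAMPLE_CONF = ("# /etc/modprobe.d/firewire.conf (constructed)\n"
               "blacklist firewire-ohci\n"
               "install ohci1394 /bin/false\n")

if __name__ == "__main__":
    for finding in audit(SAMPLE_MODULES, SAMPLE_CONF):
        print("FINDING:", finding)
```

A clean audit only shows that the drivers are blocked in the running operating system; it says nothing about a machine booted from other media, which is why the physical measures described above are the usual recommendation.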

We therefore have little faith in BAA's hand waving lip service claims that some sort of unspecified "encryption" will somehow protect the public's fingerprint and other passport and boarding pass and credit card and home address etc. details from being stolen by insiders armed with just a standard portable computer and a bit of software available for download for free over the internet. It will literally take only a few seconds to compromise the security of such a fingerprint scanner, perhaps during maintenance or cleaning downtime or when the devices are in transit or storage.

It is up to the British Airports Authority to prove not only the overwhelming need to trample on people's privacy by demanding fingerprint scans, when there are other, less intrusive solutions available; they must also be asked to prove that their equipment is not vulnerable to tampering and compromise of the computer systems' security.

They must also be told to prove that they are not endangering the health of passengers and the wider general public, with unhygienic contact fingerprint scanning equipment, which they expect literally millions of people to use every year.

We are still puzzled by the Home Office and the Department of Transport's attitude towards the mixed departure lounge and shopping mall design, which allows international transit and domestic passengers to mix, either at Heathrow Terminal 5 and Terminal 1, or at Gatwick or Manchester etc.

Even if they sort out the risk of "ticket swapping" through more hygienic biometrics like facial photography, has nobody bothered to ask HM Revenue and Customs (HMRC) or the Serious Organised Crime Agency (SOCA), who are meant to deal with ad hoc and organised criminal smuggling of various sorts of contraband, what they think of such airport terminal designs?

Unless there are illegal CCTV cameras in the toilets and washrooms, surely such a design makes international smuggling much easier?

Comments

All the press reports about the Heathrow fingerprinting seem to have focused solely on Terminal 5. However Terminal 1 implemented this at the start of February and I passed through the Flight Connections Centre on the very day (1st Feb) it was brought into force. I was handed a leaflet explaining the biometric requirements and directed over to the appropriate desks. As there had been *NO* advance publicity of the biometrics introduction I was somewhat surprised. The leaflet given out claimed that refusal to do the biometrics would result in being refused boarding on my next flight. I demanded to talk to someone in charge and was directed to the "trainer". Eventually, after about 15-20 minutes, he admitted that I could avoid biometrics by returning to Terminal 2, going through Arrivals there, and then walking round to Terminal 1 and going in via Departures. However by this stage I had insufficient time to do this so I reluctantly had the 4 fingers of my right hand fingerprinted and my photograph taken. I did however insist that the operator cleaned the fingerprint scanner first with a disinfectant wipe and also at the checkout gate at the other end of the shopping "trap" I demanded the same.

Fast forward to now - both T1 and T5 no longer take digital fingerprints as I confirmed last week. I see BAA are doing their bit for the environment though (not!) as all the fingerprint readers at both Flight Connections Centre and Domestic T1 are still switched on (there are green coloured lights/LEDs shining across the scanning glass). I assume at T5 these are also turned on even though not in use. When I chatted to the guy at Flight Connections last week he claimed that the Feb 1st fingerprint taking was only a "trial" - however the leaflet I received at the time did not indicate this anywhere. He also seemed to think that the government DID want BAA to reintroduce fingerprint scanning in some fashion in the future.

On the downside - in the past when going from T1 Domestic arrivals on to another flight in T1-5 via the Flight Connections Centre you did not have to go through a security check (I assume as you'd previously gone through one at the originating UK airport). Now however that the Flight Connections Centre has been redesigned/revamped all people going through it including domestic arrivals must go through security, so adding at least another 15 minutes to connection times.

