It seems that the British Airports Authority (BAA) has temporarily backed down regarding Heathrow Terminal 5's mandatory fingerprinting of both domestic and international passengers:
- The Daily Telegraph: Heathrow Terminal 5 fingerprint plans 'illegal'
- The Guardian: Terminal 5 fingerprinting scrapped
- The Register: BAA grounds Heathrow T5 fingerprinting system
A previous article in The Register, "ICO queries Heathrow T5's huge fingerprint scam scan", points to the fact that the fingerprint scanners are being supplied by the German firm of Dermalog, who no doubt produce excellent fingerprinting equipment regarding the optics and scanning compression algorithms etc.
However we can see no data or even any claims on their website regarding any bio-safety mechanisms for cleaning or sterilising their equipment in a mass transit application, to prevent the spread of infectious diseases.
The press reports that Heathrow Terminal 5 will be using "4 fingerprints" imply that the Dermalog product must be based on their eBorder Kiosk.
Unfortunately, this does not give us any confidence that the system is in any way properly tamperproof, because:
- MS Windows 2000, XP and Vista
- Pentium III processor or faster
- Min. 256 MB RAM
- USB 2.0 and FireWire interface and CD-ROM drive
USB 2.0 may be a possible vulnerability, but Firewire is definitely a huge security risk.
There are ways of disabling Firewire in software, although the usual recommendation involves physically cutting the wires and blocking up the Firewire connection ports with epoxy resin.
There is no way of securing a Firewire system which is intended to be used - this is not a security bug or error, it is a "design feature", i.e. how it is meant to work.
Firewire provides Direct Memory Access to the computer system, regardless of any operating system security capabilities (all other operating systems are just as vulnerable as Microsoft Windows), and allows login credentials, cryptographic keys etc. to be bypassed or stolen, and has done so for several years:
See Hit by a Bus: Physical attacks with Firewire (.pdf) by Adam Boileau.
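One way to audit the "disabled in software" state mentioned above, as an added example that is not part of the original post: it parses `reg query` output and reports whether the IEEE 1394 driver services are set to load. The service names `ohci1394` and `sbp2port` are assumptions about the Windows versions listed, and the registry sample is constructed.

```python
import re

# Assumed IEEE 1394 driver service names for the Windows versions listed
# (not from the original post; confirm them on the target build).
FIREWIRE_SERVICES = ("ohci1394", "sbp2port")
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}
KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\s]+)\s*$", re.I)
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")

def parse_reg_query(text):
    """Map service name (lower case) -> {value name: raw data} from `reg query` output."""
    services, current = {}, None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = services.setdefault(key.group(1).lower(), {})
        elif line.startswith("HKEY_"):
            current = None  # subkey or unrelated key: do not attribute its values
        else:
            value = VALUE_RE.match(line)
            if value and current is not None:
                current[value.group(1).lower()] = value.group(3)
    return services

def audit_firewire(text):
    """Return {service: start type}; a key with no readable Start value is 'unknown'."""
    services = parse_reg_query(text)
    report = {}
    for name in FIREWIRE_SERVICES:
        if name not in services:
            report[name] = "absent"
            continue
        try:
            report[name] = START_TYPES.get(int(services[name].get("start"), 16), "unknown")
        except (TypeError, ValueError):
            report[name] = "unknown"
    return report

def is_hardened(report):
    """Pass only if every driver is disabled or not installed; 'manual' still loads on demand."""
    return all(state in ("disabled", "absent") for state in report.values())

# Constructed sample shaped like `reg query ... /s` output (not real kiosk data).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ohci1394
    Start    REG_DWORD    0x3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ohci1394\Enum
    Count    REG_DWORD    0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sbp2port
    Start    REG_DWORD    0x4
"""
```

A passing result only shows that the drivers are configured not to load; it says nothing about the ports themselves, which is why the usual recommendation above is physical.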
We therefore have little faith in BAA's hand-waving, lip-service claims that some sort of unspecified "encryption" will somehow protect the public's fingerprint and other passport, boarding pass, credit card, home address etc. details from being stolen by insiders armed with just a standard portable computer and a bit of software available for download for free over the internet. It will literally take only a few seconds to compromise the security of such a fingerprint scanner, perhaps during maintenance or cleaning downtime, or when the devices are in transit or storage.
It is up to the British Airports Authority to prove not only the overwhelming need to trample on people's privacy by demanding fingerprint scans when there are other, less intrusive solutions available; they must also be asked to prove that their equipment is not vulnerable to tampering and compromise of the computer system's security.
They must also be told to prove that they are not endangering the health of passengers and the wider general public, with unhygienic contact fingerprint scanning equipment, which they expect literally millions of people to use every year.
We are still puzzled by the Home Office and the Department of Transport's attitude towards the mixed departure lounge and shopping mall design, which allows international transit and domestic passengers to mix, either at Heathrow Terminal 5 and Terminal 1, or at Gatwick or Manchester etc.
Even if they sort out the risk of "ticket swapping" through more hygienic biometrics like facial photography, has nobody bothered to ask HM Revenue and Customs (HMRC) or the Serious Organised Crime Agency (SOCA), who are meant to deal with ad hoc and organised criminal smuggling of various sorts of contraband, what they think of such airport terminal designs?
Unless there are illegal CCTV cameras in the toilets and washrooms, surely such a design makes international smuggling much easier?