Dublin Airport Authority Accused of Tracking Passengers via Mobile Data
Jackie Reddy November 23, 2015
Dublin Airport Authority may have been spying on passengers without their knowledge by using travelers’ mobile data to track their physical location throughout Dublin Airport.
Dublin Airport Authority (DAA), which operates Dublin Airport (DUB), has been accused of spying on travelers after it was revealed that it has been tracking passenger movements via their mobile data.
It appears that the authority has been monitoring passengers through their Wi-Fi signals and Bluetooth-enabled devices since as far back as 2013.
DAA’s actions were revealed only this week, following the report of a security breach in the Irish Independent.
DAA has said that it uses the collected data to track the amount of time that passengers spend in the building’s security areas and to ensure that it levies the right airport charges.
The technology currently in use at the airport allows monitors to record the Media Access Control (MAC) address or unique identifier number of a device as it, and presumably its owner, moves through the building. Thus, DAA can pinpoint a passenger’s physical whereabouts in the airport at any given time.
While this type of tracking can be used positively to manage passenger flow or for marketing purposes, critics are concerned about both the security of this information and as well as the privacy of individual passengers.
There are concerns that if this information is compromised, it could actually allow criminals to monitor a traveler’s future movements.
DAA attempted to allay fears in a statement published on Road Warrior Voices, explaining that, “This is an anonymized service, with the MAC address being used only to identify a device for the purposes of checking queue times and dwell times. No personal information in relation to the identity of the device’s owner or operator is either sought or recorded.”
However, writing on publishing platform Medium, security expert Rory Byrne countered this statement, saying, “…the tracking of a unique WI-FI or Bluetooth MAC address is a piece of extremely personal data. MAC addresses link us to everything we do online.”
DAA has agreed to encrypt this data, but it’s still not clear if passengers are aware that their whereabouts within the airport are being tracked.
[Photo: Getty]
You’re Reading
Encrypting the data only prevents hackers from getting at them. Even if they're one-way encrypted (can't decrypt directly), it does _not_ prevent_ the airport, security services or anyone else who knows how they're encrypted from working out the underlying MAC. Technical explanation: The MAC address is a (usually) 48-bit number, divided in practice between a 24-bit organisation code and a 24-bit device code. There aren't that many organisations making radios for smartphones - let's say about 200. So that makes a total of around 32 bits of known unique information in the 48 bits total. If you know how they're encrypted - security services and airport services will - then all you need to do is generate the encrypted version of every one of those 4bn possibilities. It's not a huge amount of data: 4bn * six bytes times two (encrypted and plaintext). That's called a "rainbow table". Then you look up any encrypted MAC address in that table, and within moments you've looked up the original MAC address.
Isn't that what the UK advocates for for years? What about the past motions to make passengers wear RFID bracelets and barring them from entering toilets and food courts if they do not wear one???