The Malpensa e-Gates Project

A user perspective on e-Gates security and usability at the Malpensa Airport

Automated Border Control (ABC) systems have been in place at airports for more than fifteen years. One of the components of an ABC system is the electronic passport gate (e-Gate), which consists of physical automated self-service barriers managed by border agencies. Malpensa e-Gates Project studies the security and usability of the e-Gates at Malpensa Airport through the perspective of the user of the e-Gates, the Italian Police (Polizia di Stato). E-Gates represent a practical security solution to an increasing flow of travellers. Integrating e-Gates within airport processes and IT systems remains a challenge. Moreover, as with other border security systems, e-Gates can be vulnerable to: physical and IT attacks, violation of data privacy and risks connected to theft of biometric information.

Improper use and maintenance can also lead to malfunctioning of the e-Gates. Based on the FastPass (https://www.fastpass-project.eu) method and data collection on the daily use of the e-Gates, the Malpensa project assesses the security of the e-Gate installations at the Malpensa airport and provides the user of the e-Gates with an assessment framework.

Security assessment of the e-Gates at Malpensa
The e-Gates at Malpensa include a double-door ABC system: the traveller scans his passport before being admitted inside the gate. Facial matching is performed while the passenger is between the two doors of the e-Gate. The passengers have to look at the camera so that their faces are matched to the photograph held in the chip of the passport. They can exit through the second set of doors once the matching is performed and depending on the success of the matching, they can proceed further or they would be directed to see a police officer.

In the project a total of 30 e-Gates in five locations of Malpensa, both at the arrivals and at the departures were considered.

The study cases for the security assessment were defined by the type of traveller who uses the gates: Italian traveller; Schengen traveller (non Italian); EU traveller (non Schengen); non EU traveller from authorized countries (Australia, Canada, Holy See, Israel, Japan, New Zealand, South Korea, USA); all other travellers and a test traveller.

The workflow of the Italian traveller is the most complex (all other workflows are subgroups of the Italian traveller’s workflow). The workflow of the Italian traveller includes the following seven phases:
• Document reading
• Opening of the entry door
• Closing of the exit door
• Face match
• Fingerprint match
• Opening of the exit door
• Closing of the exit door

Proceeding through the e-Gates is supervised by the following different actors, always under control of the Polizia di Stato.
• Codista (Queue handler)
• Facilitator
• Guardia Particolare Giurata (Airport Security Guard)
• Police first line inspection – e-Gate
• Police first line inspection – manual
• Police Second line inspection

The security assessment of the e-Gates at Malpensa was based on a methodology developed by the EU-funded project Fastpass. FastPass Project used the STRIDE/DREAD methodology for risk analysis to categorise the vulnerabilities and threats to the security of e-Gates. The methods were adapted to the ABC domain. The STRIDEFastPass method evolved to include:
S – Spoofing information,
T – Tampering (comprises system, eMRTD, tokens, information, et. al.),
H – Hijacking,
I – Information disclosure,
D – Denial of service,
P – Privilege escalation.
For DREADFastPass method, the number of categories evolved into two (out of five in the original assessment model):

  • Damage Potential (D): what is the impact on the ABC system,
  • Exploitability (E): how easily an attack can be performed.
    FastPass proposed a scale to score the Damage Potential (D) including three values:
  1. Low: Short-term malfunction or failure of the e-Gate,
  2. Medium: Long-term malfunction or failure of the e-Gate; subject may overcome single security checks of the e-Gate but not the complete process,
  3. High: The attacker can subvert the security system and pass through the e-Gate.
    The scale to score Exploitability (E) also has three values:
  4. (Low): The attack requires an extremely skilled person and in-depth knowledge of the e-Gate/ABC to exploit the system.
  5. (Medium): Only skilled person is capable to replicate a known attack by repeating each of the steps.
  6. (High): Even an unskilled person is capable to replicate a known attack by repeating each of the steps

Using the FastPass method, 81 threats to border security, when and where they could happen and their potential impact were assessed during the Malpensa Project. For example, threats included:
The assessment helped to identify the mitigation measures already in place and measures that had to be adopted to respond to each of the 81 threats to e-Gates security at Malpensa.

Assessment of the functional limits of the e-Gates at Malpensa
The second objective of the Malpensa project was to develop a method to assess the functional limits of the e-Gates. The method was based on a list of operational data defined by the Italian Border Police and the researchers. Such data have to be periodically requested from the provider of the e-Gates. The monitoring of operational data is a measure to guarantee a high security and performance levels as far as, in Italy, provider, owner and user of the e-Gates are different actors. Data collection helps to:
• Estimate the performance of e-Gates;
• Monitor the performance of e-Gates;
• Document the status of the e-Gates;
• Monitor the use of e-Gates;
• Document and record errors;
• Develop and support training for users.

The process to define the data to be requested is based on the workflow of e-Gates. The data are distinguished by e-Gate and by nation and include information on:
• Reading time and failures to read the document;
• Opening and closing time of the entry door and failures of the entry door to open and close;
• Time of image capturing; time needed to match face/fingerprint; failure of image capturing and face/fingerprint match;
• Time from the end of the face/fingerprint match to the opening of the exit door and failure to open;
• Closing time of exit door and failure to close;
• Face and finger print match related statistic;
• Statistic related to operator interactions with the e-Gates, tailgating per e-Gate etc.;
• Number of passengers sent to the second line and types of second line inspections;
• Statistic on control activity (e-Gate operations, crossings by age etc.)
• Global document readings, notifications to the border guard, total time of crossing the e-Gate, error of system components.

Further assessment of the e-Gates at Malpensa
After a thorough assessment of the security and the functional limits of the e-Gates using the FastPass method and data based on the workflow of the e-Gates, a final element of the Malpensa study would include an assessment of the well-functioning of the e-Gates through a set of personalised passports presenting anomalies.

  • Security Evaluation (Version 1). FastPass Deliverable D10.2, FastPass Consortium (2015).
  • Sirra Toivonen & Heta Kojo 2017 (Eds). Recommendations for future ABC installation. Best Practices. VTT. ISBN 978-951-38-8559-5 (URL: http://www.vttresearch.com/impact/publications).
    For a more detailed description of the steps and processes at the e-Gates, see G. Ferraro, J. Löschner, Automated Border Control Systems at the Malpensa Airport, JRC, Ispra, 2019, JRC116379

By: G. Ferraro, J. Loeschner, M. Tzvetkova (European Commission, Joint Research Centre, Ispra, Italy)
P. Loverre, A. Passarelli (Italian Police, Department of Immigration and Border Police, Rome)
F. Maretti, E. Poletto, G. Romagnoli (Italian Police, Malpensa Airport)