Black Hat: Biometric experts reverse-engineer iris scanning systems to create clones

Share this article:
Outside of fingerprints and face recognition, scanning a person's iris may seem like a dependable level of authentication, but researchers have proved otherwise.

At this year's Black Hat conference in Las Vegas, Javier Galbally, researcher and professor at the Universidad Autonoma de Madrid, presented new  conducted by scholars in Spain and West Virginia University that reveals ways for cyber criminals to thwart iris scans by duplicating an image of the eye membrane.

Iris recognition systems are currently deployed by both corporations and law enforcement entities around the world to permit access to sensitive tools and information. After a person's eye is scanned, the recognition tool produces an iris code, which is then filed in a database and used for future matching

To exploit this mode of authentication, a hacker would first have to access the database that holds the iris scans, typically stored as templates or digital records of an individual's biometric features.

According to Galbally, once they have access to the original templates, the hackers can use a genetic algorithm to alter the synthetic code over several iterations until a nearly identical template is produced.

That permits an image of the iris to be duplicated. Then creating a match is as simple as printing it out and showing it to the recognition system, he said. This could be done by patching the image onto a contact lens, which the attacker can then wear.

"The commercial [iris] system only looks for the iris [code and not an actual eye," Galbally, who also conducted the research with help from colleagues at the Biometric Recognition Group-ATVS, said in an interview after his talk.

The iris provides among the most reliable forms of identification, even better than fingerprints, Galbally said.

"The main problem with the iris is the acquisition," he said. "Sensors are more expensive, and it's more difficult to acquire because you need more cooperation from the users."

There have not been any breaches reported as a result of a bypassing these systems through synthetic iris images, Galbally said.

"You never know if it's going to be dangerous or not, but the vulnerability is there," he said. "It's good that people are aware that these vulnerabilities exist."
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

ISSA tackles workforce gap with career lifecycle program

ISSA tackles workforce gap with career lifecycle program ...

On Thursday, the group launched its Cybersecurity Career Lifecycle (CSCL) program.

Amplification DDoS attacks most popular, according to Symantec

Amplification DDoS attacks most popular, according to Symantec

The company noted in a whitepaper released on Tuesday that Domain Name Server amplification attacks have increased 183 percent between January and August.

Court shutters NY co. selling security software with "no value"

A federal court shut down Pairsys at the request of the Federal Trade Commission.