Black Hat: Biometric experts reverse-engineer iris scanning systems to create clones

Outside of fingerprints and face recognition, scanning a person's iris may seem like a dependable level of authentication, but researchers have proved otherwise.

At this year's Black Hat conference in Las Vegas, Javier Galbally, researcher and professor at the Universidad Autonoma de Madrid, presented new research conducted by scholars in Spain and at West Virginia University that reveals ways for cyber criminals to thwart iris scans by duplicating an image of the eye membrane.

Iris recognition systems are currently deployed by both corporations and law enforcement entities around the world to permit access to sensitive tools and information. After a person's eye is scanned, the recognition tool produces an iris code, which is then filed in a database and used for future matching.

To exploit this mode of authentication, a hacker would first have to access the database that holds the iris scans, typically stored as templates or digital records of an individual's biometric features.

According to Galbally, once they have access to the original templates, the hackers can use a genetic algorithm to alter the synthetic code over several iterations until a nearly identical template is produced.

That permits an image of the iris to be duplicated. Then creating a match is as simple as printing it out and showing it to the recognition system, he said. This could be done by patching the image onto a contact lens, which the attacker can then wear.

"The commercial [iris] system only looks for the iris [code] and not an actual eye," Galbally, who also conducted the research with help from colleagues at the Biometric Recognition Group-ATVS, said in an interview after his talk.

The iris provides among the most reliable forms of identification, even better than fingerprints, Galbally said.

"The main problem with the iris is the acquisition," he said. "Sensors are more expensive, and it's more difficult to acquire because you need more cooperation from the users."

There have not been any breaches reported as a result of bypassing these systems through synthetic iris images, Galbally said.

"You never know if it's going to be dangerous or not, but the vulnerability is there," he said. "It's good that people are aware that these vulnerabilities exist."