Black Hat: Biometric experts reverse-engineer iris scanning systems to create clones
At this year's Black Hat conference in Las Vegas, Javier Galbally, researcher and professor at the Universidad Autonoma de Madrid, presented new conducted by scholars in Spain and West Virginia University that reveals ways for cyber criminals to thwart iris scans by duplicating an image of the eye membrane.
Iris recognition systems are currently deployed by both corporations and law enforcement entities around the world to permit access to sensitive tools and information. After a person's eye is scanned, the recognition tool produces an iris code, which is then filed in a database and used for future matching
To exploit this mode of authentication, a hacker would first have to access the database that holds the iris scans, typically stored as templates or digital records of an individual's biometric features.
According to Galbally, once they have access to the original templates, the hackers can use a genetic algorithm to alter the synthetic code over several iterations until a nearly identical template is produced.
That permits an image of the iris to be duplicated. Then creating a match is as simple as printing it out and showing it to the recognition system, he said. This could be done by patching the image onto a contact lens, which the attacker can then wear.
"The commercial [iris] system only looks for the iris [code and not an actual eye," Galbally, who also conducted the research with help from colleagues at the Biometric Recognition Group-ATVS, said in an interview after his talk.
The iris provides among the most reliable forms of identification, even better than fingerprints, Galbally said.
"The main problem with the iris is the acquisition," he said. "Sensors are more expensive, and it's more difficult to acquire because you need more cooperation from the users."
There have not been any breaches reported as a result of a bypassing these systems through synthetic iris images, Galbally said.
"You never know if it's going to be dangerous or not, but the vulnerability is there," he said. "It's good that people are aware that these vulnerabilities exist."