Security researchers have successfully fooled commercial iris-recognition scans with a computer-generated replica of a human eye, raising questions as to the effectiveness of such biometric systems. Generating the fake iris only takes a few minutes, and does not require the original eye to be present.
Iris scans have for years been considered a secure and fairly straightforward biometric security measure; existing scanners can collect quite a bit of information, building a model of the user's iris and comparing it against future scans. But the process is not without its weaknesses.
Several years of research at West Virginia University and the Universidad Autonoma de Madrid have focused on how such a system might be defeated. The i-PRoBe lab at WVU has been looking into biometric methods for over a decade, producing not just ideas for new systems but ways to circumvent existing ones. They were producing synthetic irises as early as 2005, though the mathematically generated images were more of a proof of concept.
Javier Galbally, at UAM's Biometric Recognition Group, has pursued the practical applications of artificial irises, in particular the application to biometric security. In the research he and the others are presenting this week at the Black Hat security conference in Las Vegas, they explain how they were able to create not just a convincing iris, but one that would return more or less the same result as a given real-life iris. Wired's Threat Level blog first reported on the presentation.
The researchers began by looking at the data such a security system generates when it looks at an iris: various measures such as patterns, striations and the size of certain features all produce a unique "password" that, until this week's presentation, could only be replicated by the eye that produced it.
Once they had that output information, they created an iris image and scanned it through the system, then modified it and checked whether the results it produced were more like or less like the target iris's (of which, again, they have no actual image, just this metadata). They kept changes that seemed to make their iris more like the target, and threw away changes with a negative effect. After 100 or 200 iterations and less than 10 minutes, the algorithm produces a simulated iris that will reliably scan in as the one that's still safe inside some user's eyeball.