July 27, 2012 at 6:29 PM ET
Security researchers have successfully fooled commercial iris-recognition scans with a computer-generated replica of a human eye, raising questions as to the effectiveness of such biometric systems. Generating the fake iris only takes a few minutes, and does not require the original eye to be present.
Iris scans have for years been considered a secure and fairly straightforward biometric security measure; existing scanners can collect quite a bit of information, building a model of the user's iris and comparing it against future scans. But the process is not without its weaknesses.
Several years of research at West Virginia University and the Universidad Autonoma de Madrid have focused on how such a system might be defeated. The i-PRoBe lab at WVU has been looking into biometrics methods for over a decade, producing not just ideas for new systems but ways to circumvent existing ones, and similar projects exist in Europe. The WVU lab was producing synthetic irises as early as 2005, though those mathematically generated images were more a proof of concept.
Javier Galbally, at UAM's Biometric Recognition Group, has pursued the practical applications of artificial irises, in particular the application to biometric security. In the research he and the others are presenting this week at the Black Hat security conference in Las Vegas, they explain how they were able to create not just a convincing iris, but one that would return more or less the same result as a given real-life iris. Wired's Threat Level blog first reported on the presentation.
The researchers began by looking at the data such a security system generates when it looks at an iris — various measures such as patterns, striations, the size of certain features, all produce a unique "password" that, until this week's presentation, was only able to be replicated by the eye that produced it.
Once they had that output information, they created an iris image and scanned it through the system, then modified it and looked at whether it produced results that were more or less like the target iris's — which, again, they have no actual image of, just this metadata. They kept changes that seemed to make their iris more like the target, and threw away changes with a negative effect. After 100 or 200 iterations and less than 10 minutes, the algorithm produces a simulated iris that will reliably scan in as the one that's still safe inside some user's eyeball.
Right now the research assumes that whoever is trying to beat the iris scanner has access to the codes that scanner would generate from a real iris. (In this case, the team used codes made public for research purposes.) In reality, those would hopefully be carefully protected and encrypted, meaning it would be another security task entirely to get hold of them. But unlike a password, you can't just scrap your eyeball and get a new one. If a single large user database was breached, this technique could render thousands, or even millions, of irises insecure in an instant.
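The article's point that the codes are the sensitive asset deserves a concrete illustration of why they cannot simply be stored the way passwords are. The following Python is an added example for this page, not code from the article or from the WVU/UAM researchers; it stands in a real iris code (Gabor phase bits plus an occlusion mask) with a constructed random bit string and uses an invented 0.32 fractional Hamming-distance threshold. It shows that a fresh scan of the same eye only matches under a tolerant, distance-based comparison, that a conventional hash of the template destroys that tolerance, and that anyone holding the stored code passes the matcher outright, with no reconstruction step needed.

```python
# Added illustration (not from the article or the researchers):
# why an iris template cannot be protected like a password hash.
import hashlib
import random

CODE_BITS = 2048        # constructed: codes here are plain 0/1 bit lists
MATCH_THRESHOLD = 0.32  # constructed fractional Hamming-distance threshold


def make_code(seed):
    """Constructed stand-in for an enrolled iris code."""
    rng = random.Random(seed)
    return [rng.randint(0, 1) for _ in range(CODE_BITS)]


def noisy_copy(code, flip_fraction, seed):
    """Simulate a fresh scan of the same eye: a share of bits differ from
    the enrolled code because of lighting, focus and occlusion noise."""
    rng = random.Random(seed)
    out = list(code)
    for i in rng.sample(range(len(code)), int(flip_fraction * len(code))):
        out[i] ^= 1
    return out


def hamming_fraction(a, b):
    """Fraction of differing bits; iris matchers compare on this, not equality."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def fuzzy_match(stored, probe):
    """Accept when the probe is close enough to the stored template."""
    return hamming_fraction(stored, probe) <= MATCH_THRESHOLD


def sha256_of(code):
    return hashlib.sha256(bytes(code)).hexdigest()


def hashed_match(stored_hash, probe):
    """Password-style comparison: exact hash equality, no tolerance."""
    return sha256_of(probe) == stored_hash


def demo():
    enrolled = make_code(1)
    same_eye = noisy_copy(enrolled, 0.10, 2)   # 10% of bits flipped by noise
    other_eye = make_code(3)                   # an unrelated eye
    return {
        # Tolerant matching works as intended for a genuine re-scan ...
        "fuzzy_same_eye": fuzzy_match(enrolled, same_eye),
        # ... and rejects an unrelated eye (random codes differ in ~50% of bits).
        "fuzzy_other_eye": fuzzy_match(enrolled, other_eye),
        # Hashing the template breaks the genuine re-scan: a single flipped
        # bit changes the digest, so the legitimate user is rejected.
        "hash_same_eye": hashed_match(sha256_of(enrolled), same_eye),
        # The stored code is therefore kept in matchable form, and whoever
        # obtains it can present it to the matcher directly.
        "replay_of_leaked_code": fuzzy_match(enrolled, enrolled),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The consequence for defenders follows from the last two results: because matching must tolerate noise, the template has to be kept in a form the matcher can compare against, so the protection has to come from outside the template itself, such as encrypting the database under a key that lives only with the matching component, restricting and auditing who can read it, and adding the liveness checks at the sensor that the researchers also recommend.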
In-place systems, such as those in some airports and other secure facilities, likely have additional security measures, like guards who might notice someone holding up a printout of an eye to an iris scanner. And Galbally says that liveness detection, i.e. determining whether the iris is on a living person or not, will also be critical, and the team has a technique to ID fakes as well. But the mere possibility of falsifying an iris successfully is enough to put the users of such biometric security systems on edge.
Devin Coldewey is a contributing writer for NBC News Digital. His personal website is coldewey.cc.