Black Hat presentation shows iris-scanning breach

July 27, 2012 by Nancy Owano, report

( -- A research team from Universidad Autonoma de Madrid and West Virginia University have troubling findings for those who think iris scanning is one of the safest methods of biometric security. Their reverse-engineered, “replicated eye” image was able to bypass iris scanning, fooled into thinking the synthetic image was real and correct. Javier Galbally and his team printed out synthetic images of irises taken from codes of real irises stored in security databases to test iris-scanning vulnerabilities.

An iris code is the data stored by recognition systems when they scan a person's eye. This is information that the researchers could replicate in their synthetic images.

A commercial iris system only looks for the iris code and not an actual eye, Galbally noted. He and his team tested their fake irises against a leading commercial-. In 80 percent of attempts, the scanner believed that the attempt was a real eye.

The findings of their tests were shared at the annual Black Hat security conference that took place July 21 to July 26in Las Vegas.

“A binary iris code is a very compact representation of an iris image, and, for a long time, it has been assumed that it did not contain enough information to allow the reconstruction of the original iris,” said the Black Hat conference note. The team’s approach was described as a probabilistic approach to reconstruct iris images from binary templates, and they also sought to analyze to what extent the reconstructed samples were similar to the original ones While a human expert would not be easily deceived by them, “there is a high chance that they can break into an iris recognition system,” it was noted.

Further commenting at the Black Hat event, assistant professor Galbally, of the Biometric Recognition Group-of ATVS, said “The idea is to generate the iris image, and once you have the image you can actually print it and show it to the recognition system, and it will say okay,” determining that the image is the real person.

To carry out the exploit, a hacker would need to access the database that holds the iris scans, stored as templates or digital records of an individual's biometric features. Upon access to the templates, the hackers could use a genetic algorithm to alter the synthetic code over several iterations until a nearly identical template was produced. Creating the match would be as simple as printing it out and showing it to the recognition system. This in turn could be achieved by patching the image onto a contact lens to be worn by the attacker.

One may argue that an exploit of this nature is not likely “but the vulnerability is there," he said, and it is always useful for awareness that such vulnerabilities exist. Galbally is actively involved in European projects focused on vulnerability assessments of biometrics

The significance of the findings presented at is that this is evidence of an identity-stealing technique where the fake image can be generated from the iris code of a real person. Past work in iris scanning vulnerabilities centered on creating synthetic iris images that had characteristics of real images but were not connected to real people.

Explore further: QUT researcher eyes off a biometric future

Related Stories

QUT researcher eyes off a biometric future

December 4, 2007

It is not science fiction to think that our eyes could very soon be the key to unlocking our homes, accessing our bank accounts and logging on to our computers, according to Queensland University of Technology researcher ...

New research raises questions about iris recognition systems

July 12, 2012

Since the early days of iris recognition technologies, it has been assumed that the iris was a "stable" biometric over a person's lifetime — "one enrollment for life." However, new research from University of Notre Dame ...

National eye scan database grows

December 30, 2006

Twenty-six states are participating in an eye-scanning project that helps identify missing children or adults afflicted with memory loss.

BlackBerry may soon capture your eye and identity

April 3, 2012

Bringing back a bit of the sexiness of gadgets more suited to Ethan Hunt, James Bond or Captain Kirk, Research in Motion is making your BlackBerry an "eye-device," with information from your iris stored inside.

Recommended for you

Cellular microRNA detection with miRacles

March 26, 2019

MicroRNAs (miRNAs) are short noncoding regulatory RNAs that can repress gene expression post-transcriptionally and are therefore increasingly used as biomarkers of disease. Detecting miRNAs can be arduous and expensive as ...

What happened before the Big Bang?

March 26, 2019

A team of scientists has proposed a powerful new test for inflation, the theory that the universe dramatically expanded in size in a fleeting fraction of a second right after the Big Bang. Their goal is to give insight into ...

Probiotic bacteria evolve inside mice's GI tracts

March 26, 2019

Probiotics—which are living bacteria taken to promote digestive health—can evolve once inside the body and have the potential to become less effective and sometimes even harmful, according to a new study from Washington ...


Adjust slider to filter visible comments by rank

Display comments: newest first

2.3 / 5 (6) Jul 27, 2012
If you can make it; a hacker can break it.
5 / 5 (2) Jul 27, 2012
First step to fix this is to make the iris scanner flash a bright light at the subject. The iris must contract and retract within a certain time period to verify it is a real living eyeball and not just a photo.
Even better would be to scan the iris, check the iris contraction then zoom in and take a photo of the retina. The retina is at the back of the eyeball and is curved so you would have to recreate the retina, the contracting iris and then print the retina pattern on the backside of a 3D fake eye.
Yes, someone could make a fake eye that does all these things but it would be very expensive.
If you want real security, nothing will ever beat 2 factor authentication. Smart card plus a secret password. Nothing will ever beat that.
1 / 5 (1) Jul 28, 2012
If you can make it; a hacker can break it.

Silly kids with their crypto don't know hackers can factorize integers in polynomial time.
not rated yet Jul 28, 2012
Why can't it be stored in a processed format that is mathematically not reversible.
(or did they think that was not really needed)
1 / 5 (1) Jul 28, 2012
What about storing only hash from that data? Wouldn't that remove that vulnerability?
1 / 5 (1) Jul 28, 2012
Why can't it be stored in a processed format that is mathematically not reversible.

I'm pretty sure the databases of the real scanners are encrypted. But here they 'just' wanted to show that if you have access to that data (or can arrange it to have a retina scan of an authorized person taken...e.g. at the dentist) you can easily fool the scanner without any complicated tech.
not rated yet Jul 28, 2012
China is taking notes on everything you say for later use
1 / 5 (2) Jul 29, 2012
Anything man made can be man broken. Prayer, and the Paraclete of truth, cannot be counterfeited through manipulation.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.