Black Hat presentation shows iris-scanning breach


A research team from Universidad Autonoma de Madrid and West Virginia University has troubling findings for those who think iris scanning is one of the safest methods of biometric security. Their reverse-engineered “replicated eye” image was able to bypass iris scanning: the scanner was fooled into accepting the synthetic image as a real, matching eye. Javier Galbally and his team printed out synthetic iris images reconstructed from the codes of real irises stored in security databases to test iris-scanning vulnerabilities.

An iris code is the data stored by recognition systems when they scan a person's eye. This is information that the researchers could replicate in their synthetic images.

A commercial iris system only looks for the iris code and not an actual eye, Galbally noted. He and his team tested their fake irises against a leading commercial iris system. In 80 percent of attempts, the scanner accepted the fake as a real eye.

The findings of their tests were shared at the annual Black Hat security conference that took place July 21 to July 26 in Las Vegas.

“A binary iris code is a very compact representation of an iris image, and, for a long time, it has been assumed that it did not contain enough information to allow the reconstruction of the original iris,” said the Black Hat conference note. The team’s approach was described as a probabilistic approach to reconstruct iris images from binary templates, and they also sought to analyze to what extent the reconstructed samples were similar to the original ones. While a human expert would not be easily deceived by them, “there is a high chance that they can break into an iris recognition system,” it was noted.

Further commenting at the Black Hat event, assistant professor Galbally, of the Biometric Recognition Group-ATVS, said: “The idea is to generate the iris image, and once you have the image you can actually print it and show it to the recognition system, and it will say okay,” determining that the image is the real person.

To carry out the exploit, an attacker would need access to the database that holds the iris templates, the digital records of an individual's biometric features. With the templates in hand, the attacker could use a genetic algorithm to alter a synthetic iris code over several iterations until it produced a nearly identical template. Presenting the match would be as simple as printing it out and showing it to the recognition system, which could be done by patching the image onto a contact lens worn by the attacker.

One may argue that an exploit of this nature is not likely, “but the vulnerability is there,” he said, and it is always useful for awareness that such vulnerabilities exist. Galbally is actively involved in European projects focused on vulnerability assessments of biometrics.

The significance of the findings presented at Black Hat is that they provide evidence of an identity-stealing technique in which a fake image can be generated from the iris code of a real person. Past work on iris-scanning vulnerabilities centered on creating synthetic iris images that had the characteristics of real images but were not connected to real people.
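The article's point that a commercial system "only looks for the iris code" rests on how iris matching works: two binary codes are compared by their normalized Hamming distance, and a distance below a threshold counts as the same eye, which is why a stolen template is as good as the eye itself. The reader comments below ask whether the template could instead be stored in a non-reversible form such as a hash. The following Python example, added here and not code from the article or from Galbally's team, shows the three cases side by side: plain template matching, a plain cryptographic hash (which fails because a fresh capture never reproduces the bits exactly), and a fuzzy commitment (Juels and Wattenberg's construction, here with a toy repetition code) that lets the verifier store a hash plus helper data instead of the raw code. The 256-bit code length, the 0.32 threshold, the 16-bit repetition block and the noise model are all assumptions chosen for illustration; real iris codes are longer and real deployments use stronger error-correcting codes.

```python
"""Iris-code matching and template protection (added illustration).

Iris codes are modelled as 256-bit lists of 0/1 (assumption: real codes
are ~2048 bits). Matching compares codes, not eyes: a normalized Hamming
distance below HD_THRESHOLD is accepted.
"""
import hashlib
import random

CODE_BITS = 256
HD_THRESHOLD = 0.32      # assumed accept threshold for normalized Hamming distance
REPEAT = 16              # toy repetition code: each key bit is repeated REPEAT times


def make_code(rng):
    """Constructed sample iris code: uniformly random bits."""
    return [rng.randrange(2) for _ in range(CODE_BITS)]


def add_noise(code, stride):
    """Simulate a fresh capture of the same eye by flipping every stride-th bit
    (deterministic noise, ~1/stride of the bits)."""
    noisy = list(code)
    for i in range(0, len(code), stride):
        noisy[i] ^= 1
    return noisy


def hamming_distance(a, b):
    """Fraction of positions where the two codes differ."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def plain_match(stored, probe):
    """What a commercial matcher does: the stored template itself is compared."""
    return hamming_distance(stored, probe) < HD_THRESHOLD


def sha_match(stored_hash, probe):
    """Store only SHA-256 of the code: exact-match only, so any noisy capture fails."""
    return hashlib.sha256(bytes(probe)).hexdigest() == stored_hash


def enroll_fuzzy(code, rng):
    """Fuzzy commitment: pick a random key, encode it with the repetition code,
    XOR the codeword with the iris code. Store (helper, hash(key)), never the code."""
    key = [rng.randrange(2) for _ in range(CODE_BITS // REPEAT)]
    codeword = [bit for bit in key for _ in range(REPEAT)]
    helper = [c ^ t for c, t in zip(codeword, code)]
    return helper, hashlib.sha256(bytes(key)).hexdigest()


def verify_fuzzy(helper, key_hash, probe):
    """XOR the probe back in; bit errors in the capture become errors in the
    codeword, which majority vote per block corrects. Only hash(key) is compared."""
    noisy_codeword = [h ^ p for h, p in zip(helper, probe)]
    key = []
    for start in range(0, CODE_BITS, REPEAT):
        block = noisy_codeword[start:start + REPEAT]
        key.append(1 if 2 * sum(block) > REPEAT else 0)
    return hashlib.sha256(bytes(key)).hexdigest() == key_hash


def demo():
    """Run genuine and impostor probes against all three storage schemes."""
    rng = random.Random(2012)                 # constructed, reproducible sample data
    genuine = make_code(rng)
    recapture = add_noise(genuine, stride=10)  # 26 of 256 bits flipped (~10%)
    impostor = make_code(rng)                  # an unrelated eye

    stored_hash = hashlib.sha256(bytes(genuine)).hexdigest()
    helper, key_hash = enroll_fuzzy(genuine, rng)

    return {
        "plain_genuine": plain_match(genuine, recapture),          # accepted
        "plain_impostor": plain_match(genuine, impostor),          # rejected
        "hash_genuine": sha_match(stored_hash, recapture),         # rejected: hash is not fuzzy
        "fuzzy_genuine": verify_fuzzy(helper, key_hash, recapture),  # accepted
        "fuzzy_impostor": verify_fuzzy(helper, key_hash, impostor),  # rejected
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} {'ACCEPT' if result else 'REJECT'}")
```

Two things the run makes concrete. First, the plain scheme accepts the noisy recapture at a Hamming distance of about 0.10, which is exactly why a database of raw templates is what the researchers needed and why the comment suggesting "just hash it" does not work on its own. Second, the fuzzy commitment accepts the same recapture while storing only helper data and a hash, so a database leak no longer hands over the code directly; with a repetition code the helper data still leaks structure, so a deployment would use a proper error-correcting code and the usual key-management around the stored hash.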


© 2012

Citation: Black Hat presentation shows iris-scanning breach (2012, July 27) retrieved 17 September 2019 from


User comments

Jul 27, 2012
If you can make it, a hacker can break it.

Jul 27, 2012
First step to fix this is to make the iris scanner flash a bright light at the subject. The iris must contract and retract within a certain time period to verify it is a real living eyeball and not just a photo.
Even better would be to scan the iris, check the iris contraction then zoom in and take a photo of the retina. The retina is at the back of the eyeball and is curved so you would have to recreate the retina, the contracting iris and then print the retina pattern on the backside of a 3D fake eye.
Yes, someone could make a fake eye that does all these things but it would be very expensive.
If you want real security, nothing will ever beat 2 factor authentication. Smart card plus a secret password. Nothing will ever beat that.

Jul 28, 2012
If you can make it, a hacker can break it.

Silly kids with their crypto don't know hackers can factorize integers in polynomial time.

Jul 28, 2012
Why can't it be stored in a processed format that is mathematically not reversible?
(or did they think that was not really needed)

Jul 28, 2012
What about storing only hash from that data? Wouldn't that remove that vulnerability?

Jul 28, 2012
Why can't it be stored in a processed format that is mathematically not reversible?

I'm pretty sure the databases of the real scanners are encrypted. But here they 'just' wanted to show that if you have access to that data (or can arrange to have a retina scan of an authorized person taken, e.g. at the dentist) you can easily fool the scanner without any complicated tech.

Jul 28, 2012
China is taking notes on everything you say for later use

Jul 29, 2012
Anything man made can be man broken. Prayer, and the Paraclete of truth, cannot be counterfeited through manipulation.
