Darlene Storm

Black Hat: Hacking iris recognition systems

July 17, 2012 2:47 PM EDT

You’ve undoubtedly seen iris scanners being tricked by some high-tech contact or even via a scavenged eyeball in action/adventure or thriller movies when a secret agent or criminal wants to break into a vault or other high tech facility. Yet what if iris scans could be faked for real via a simple printed image to fool iris recognition systems? What if iris recognition biometric systems could be hacked? 

From the Iriscode to the Iris: A New Vulnerability of Iris Recognition Systems is a Black Hat USA briefing scheduled for July 25. This strikes me as particularly interesting in light of the FBI’s plans to test a database “for searching iris scans nationwide to more quickly track criminals.” The Black Hat talk will be presented by Javier Galbally who described it as:

A binary iriscode is a very compact representation of an iris image, and, for a long time, it has been assumed that it did not contain enough information to allow the reconstruction of the original iris. The present work proposes a novel probabilistic approach to reconstruct iris images from binary templates and analyzes to what extent the reconstructed samples are similar to the original ones (that is, those from which the templates were extracted). The performance of the reconstruction technique is assessed by estimating the success chances of an attack carried out with the synthetic iris patterns against a commercial iris recognition system. The experimental results show that the reconstructed images are very realistic and that, even though a human expert would not be easily deceived by them, there is a high chance that they can break into an iris recognition system.

Javier Galbally has been involved with numerous biometric recognition security research projects and vulnerability assessments such as “synthetic generation of biometric traits.” One European project focuses on finding potential vulnerabilities to exploit in the Tabula Rasa biometric project. According to Trusted Biometrics under Spoofing Attacks, the range of Tabula Rasa biometrics considered includes: “2D face, 3D face, multi-spectral face, iris, fingerprint, voice, gait, vein and electro-physiology, in addition to multi-modal biometrics.”

Galbally has published numerous research papers on exploiting biometrics such as Vulnerabilities in Biometric Systems: Attacks and Recent Advances in Liveness Detection [PDF] and Direct attacks using fake images in iris verification. The latter used a database of fake iris images created from real iris images via the BioSec baseline database. “Iris images are printed using a commercial printer and then, presented at the iris sensor.” The conclusion stated, “Results showed that the system is highly vulnerable to the two evaluated attacks. We also observed that about 40% of the fake images were correctly segmented by the system. When that this happens, the intruder is granted access with high probability, being the success rate of the two attacks of 50% or higher.”

Another of Galbally’s research papers, On the Vulnerability of Iris-based Systems to a Software Attack based on a Genetic Algorithm was described as “a novel indirect attack based on a genetic algorithm has been presented and used to evaluate a standard iris verification system to this type of threat. As many as 90% of the accounts are successfully broken in a similar number of generations for all the operating points considered, proving the vulnerabilities of such systems to this new attacking scheme.” The main objective was “not to design a perfect method to break the security of biometric systems, but to encourage developers of algorithms and systems to seriously take into account this kind of attack and to implement specific protections and countermeasures.”

Last year the FBI announced plans to roll out a nationwide face search and recognition system with one of the goals being “to put a name to every photo already collected by law enforcement.” At the time, NextGov reported, “the system is being overhauled to a tune of $1 billion to be faster and more accurate as well as add other biometric markers like ‘iris scans and voice recordings’.” This budget justification states “one of the ‘planned accomplishments for BY13’ -- the budget year that begins Oct. 1 -- is to ‘demonstrate iris recognition capabilities via the iris pilot’.”

President and Chief Executive Officer Sean G. Mullin of BI2 Technologies said the “FBI plans to conduct an iris pilot in 2014. Local agencies in 47 states now participate in B12’s nationwide Inmate Identification and Recognition System, or IRIS, which has been operating for six years.” He added that “the average iris recognition time -- from when an image is captured to when an officer receives a response -- is 7.8 seconds.”

“Although privacy advocates have little criticism of the use of iris scanning in correctional settings,” according to AllGov, “the fact that the FBI and state prison officials are using a database owned and maintained by a private corporation, BI2 Technologies, gives many pause.” Yet the company’s website states that BI2’s iris images are “encrypted using strong cryptographic algorithms to secure and protect them. Thus, standing alone, biometric templates cannot be reconstructed, decrypted, reverse-engineered or otherwise manipulated to reveal a person's identity. In short, biometrics can be thought of as a very secure key: Unless a biometric gate is unlocked by using the right key, no one can gain access to a person's identity.”

When it comes to biometrics, we’ve come a long way. The military has long been using three primary biometrics: iris, finger and face. Homeland Security also uses iris scan biometrics at the border as do police when correctly identifying criminals is considered “crucial.” Yet that is just the tip since intelligence agencies can use satellite imagery to track terrorists’ movements by their shadows. There are DNA voice prints, heartbeat detectors, gait recognition and biometric sensors to detect abnormal sweating. Fingerprints instead of passwords can unlock encrypted hard drives, and fingerprints can be scanned from over six feet away. Unlike a credit card that be canceled if stolen, most people wouldn't go so far as biometric fraud and replace their fingerprints or irises. The EFF warned, "Some biometrics, like faces, voices, and fingerprints, are easily 'grabbed.' While Galbally’s Black Hat presentation may or may not apply to BI2 Technologies, it will be interesting to hear about how iris recognition systems can be hacked.