Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Biotech Security Technology

Reverse-Engineered Irises Fool Eye-Scanners 98

Posted by Soulskill
from the now-you-eyes-are-slightly-safer dept.
Maximum Prophet writes "If you've ever had your eyes scanned, be sure to install new ones every 90 days. Wired reports on research being released at Black Hat: 'The replica images, they say, can trick commercial iris-recognition systems into believing they’re real images and could help someone thwart identification at border crossings or gain entry to secure facilities protected by biometric systems. The work goes a step beyond previous work on iris-recognition systems. Previously, researchers have been able to create wholly synthetic iris images that had all of the characteristics of real iris images — but weren’t connected to real people. The images were able to trick iris-recognition systems into thinking they were real irises, though they couldn’t be used to impersonate a real person. But this is the first time anyone has essentially reverse-engineered iris codes to create iris images that closely match the eye images of real subjects, creating the possibility of stealing someone’s identity through their iris.'"
This discussion has been archived. No new comments can be posted.

Reverse-Engineered Irises Fool Eye-Scanners

Comments Filter:
  • by Anonymous Coward

    If these types of scanners ever become common, all you would need is one untrustworthy scanning station to steal your identity (and then impersonate you at all other stations). And the problem with biometrics, of course, is that they can't be changed. Biometrics were never a good idea.

    • by leonardluen (211265) on Wednesday July 25, 2012 @01:44PM (#40767585)

      biometrics are fine, this just illustrates why you need 2 factor security.

      • biometrics are fine, this just illustrates why you need 2 factor security.

        Exactly. Biometrics are not secrets. They uniquely identify an individual, but you still need a secret for security.

        • by nautsch (1186995)

          Exactly. Biometrics are not secrets. They uniquely identify an individual, but you still need a secret for security.

          And even that is not true, if they are easily copied. The parent is obviously right

        • by h4rr4r (612664)

          They do not uniquely identify an individual anymore than having my drivers license makes you me. They like all other forms of identification are copyable.

          • by Jeng (926980)

            They do not uniquely identify an individual anymore than having my drivers license makes you me. They like all other forms of identification are copyable.

            The problem is not the copying, it is the verification that is the problem. At this time the verification process can be spoofed, that most probably will not always be the case.

            Much like if I went and made a photocopy of your drivers license. The copy may fool other devices that read a license in the same way that the copy was made, but it won't fool more advanced devices. And that photocopy definitely will not fool a police officer.

          • Your driver's licence uniquely identifies you whether I have it or you have it. Copying your driver's licence doesn't reduce its ability to identify you. However, merely possessing your driver's licence should not be sufficient for me to authenticate your identity. Only you should be able to do that. So biometrics are useful for identification but not authentication.
        • No they don't. They uniquely identify part of an individual. All I need to do to impersonate you is to remove your eye, finger or any other part of you that gets scanned.
          You can torture out someones password, but the easiest way to fool an iris scanner is to pluck out some poor bastards eye. Finger print scanner? Chop off their finger.
    • What if you have a wonky eye like Forest Whitaker...does that make you hack proof?
    • by Jeng (926980)

      If these types of scanners ever become common, all you would need is one untrustworthy scanning station to steal your identity (and then impersonate you at all other stations).

      So, um, where would one of these untrustworthy scanning stations be set up?

      And the problem with biometrics, of course, is that they can't be changed. Biometrics were never a good idea.

      Biometrics is a very good idea, it just needs to be implemented in a way that doesn't allow one to cheat. Such as when you get your fingerprint scanned the scanner should also do a check to make sure it is actual skin instead of a silicone copy.

      To securely do an iris scan though, that would not only be tough to design, it would also mean that people who wear contacts would not be able to use an iris scanner.

      • by h4rr4r (612664)

        They would be setup at the same place as the trustworthy stations.

        Biometrics is a bad idea, no implementations can save it. The fingerprint scanner will then have to deal with better and better synthetics.

        Requiring a user to slide a contact over is not a huge burden.

        • by Jeng (926980)

          They would be setup at the same place as the trustworthy stations.

          Like airports and border crossings? Yes, I guess if it is state sponsored they could put an untrustworthy station in place there, it is just unlikely to ever happen, at that level they probably already have the information. More likely I guess is private organizations that use iris scanners, it would still need to be an inside job though.

          The fingerprint scanner will then have to deal with better and better synthetics.

          And so will those looking to get past the scanner. I would imagine that at some point with fingerprint scanners that they will be looking beyond the fingerprint and also

  • by Kenja (541830) on Wednesday July 25, 2012 @01:40PM (#40767523)
    your iris can not. Well, not without some B grade horror movie level surgery. This is the fundamental issue with biometrics.
    • Actually, you can engineer a virus to alter the DNA. We do it all the time with mice.

      We also do it with adult humans with cancer, so that their cancer growths glow in the dark during surgery. Use the docking receptors on the cells.

      • Well, even if you were willing to alter your DNA in an effort to make biometric ID systems viable (and you would be insane), and even if you engineer a retrovirus that can reliably alter a given sequence in your DNA (they tend to insert their small payload at random locations in each cell) there's still the issue of your irises and fingerprints aren't based on DNA and certainly aren't maintained by continued DNA expression.

        Transgenic mice are generally made by homologous recombination in single embryonic
      • Actually, you can engineer a virus to alter the DNA.

        Changing your DNA won't change your iris. It has already been built using the previous DNA. You'd have to use the new DNA and grow a whole new eye from it.

        • No, viral insertion works by literal infection of cells. You're confusing germ distribution, where you alter the DNA once, with viral DNA insertion at a spot, which infects a literal cell and uses the cell mechanism via a docking ligand to deliver a target viral payload which inserts itself into the cells DNA.

          We make cancer cells glow so that we can perform surgery on them. It's not the cancer cells we target per se, but all cells. The cancerous cells have certain biochemical characteristics which are used

          • Nevertheless, changing your DNA will not change your iris, or the gross physical structure of any organ; not until the cells within the organ are replicated according to the new DNA. For example, if I replace the blue iris DNA with brown iris DNA, I will not suddenly have brown eyes. It will take months, or possibly even years for that kind of change to take place, depending on the rate at which iris cells replicate.
    • If I recall correctly, I do believe it has been said that even wearing contacts due to development of new veins can change your iris over time. Unless that was specific to your retina?

    • The clandestine services will simple send their people through with fake iris contact lenses the first time, and once for every identity needed. Then when they need to be "Joe Shablocknic" today, they just select the "Joe Shablocknic" eyes from the kit, and viola, new identity. They'll make the the spy's real eyes are never scanned by a 3rd party.

      What this research shows is that they could send an iris printer with the spy. Then send him the codes for new eyes.
      • by Jeng (926980)

        And if security pulls the person aside and asks the person to please remove their contacts and have another scan?

        • Well, since you ask, that's when you go to plan 'B'.

          Seriously, you would test the system, first by observing how the guards work, then by sending people through who are expendable, or diplomats with get-out-of-jail black passports. If all that fails, and you get pulled aside for a random search, have a co-worker create a diversion and slip away.
    • Something you have and something you know is the current standard, I see no problem with adding "something you are" into the mix as a third layer.

    • Not to mention that it can make some of your body parts valuable to other people. And not in the good way.
    • The photo on your driver's license is a biometric.

      It doesn't have to be kept secret.

      The security comes from the verification process. If you're pulled over while carrying someone else's driver's license, then holding up a picture of that person to the police officer is not going to let you impersonate that person.

      The reason we're used to thinking in terms of secrecy is that it's the only way to make passwords exclusive to particular users.

      I've even seen security professionals get this wrong.

    • by mcgrew (92797) *

      your iris can not. Well, not without some B grade horror movie level surgery.

      You're calling Minority Report a B grade horror movie??

  • The advantage is her eye color changes all the way from purple to blue to brown so just think of her eyes as Enhanced Security Eyes.

  • The image editor didn't even bother to use Photoshop to add the fake iris images ... looks like they used MS Paint or something.
  • No single or combined biometric is secure. If you want to verify identity you must have at the least, a second factor like a password.
    • by Maximum Prophet (716608) on Wednesday July 25, 2012 @02:01PM (#40767833)
      3 factors.
      • Something you know -> i.e. Password
      • Something you are -> i.e. Fingerprint
      • Something you have -> i.e. RFID keyfob

      The major problem with *magic* solutions, is that leader types look at them and say "Wow, Iris Scanners, I could never fool one of those, so nobody could fool one." People have the same reaction to physical locks.
      This leads to security theater. Yes, it stops stupid criminals, and yes it can be a good thing when you stop stupid criminals, but when you want to stop people flying airplanes into buildings, or stock traders from racking up $2 billion in fraudulent losses, magic dohickys aren't the solution.

      • by shentino (1139071)

        Maybe we politicians don't want to stop some kinds of criminals.

        Especially white collar criminals giving us part of their take in the form of bribe money.

        • Good observation. Some forms of crime are more acceptable than others.

          I'm not sure I'm not on board with that. Imagine a world where there was no violent crime or real property theft. If your bank account was stolen, you get it back in 90 days.
          In such a world, keep several bank accounts and several credit cards, and regular normal people are safe.

          If you could live in a world where all crime was crime against large corporations, and all war was cyberware, would you? What would you give up to live
      • by treeves (963993)

        Doesn't this story mean that "Something you are" is really just a second "Something you have"?

        • by PPH (736903)

          "Something you have" is more like a key, RFID card, or other authentication device issued by some authority.

          "Something you are" is not as easily detached from your person as pickpocketing a key card.

          • Point is, with advancement of remote scanning techniques your iris could be just as easily picked from distance as any RFID - no need for physical contact as with the physical key, for example. So, unless you are planning on wearing some advanced sunglasses all the time, your iris essentially becomes "something you have", nothing more.
      • by booch (4157) *
        I believe that there's a 4th kind of factor: something you can do. For example, you might be able to pick out some of your favorite items, even though you don't remember which favorite items you registered. Or you might be able to type your password in a different rhythm than anyone else can (without a lot of practice); again, it's not something that you can memorize/remember/know, and it's not really something that you are or have. Bruce Schneier has an article on one of these kinds of authentication fact [schneier.com]
  • This news makes me feel less unique as an American.
  • by steelfood (895457) on Wednesday July 25, 2012 @01:53PM (#40767717)

    New technology is nice and all, but for every lock ever created there will be a lock pick for it.

    The only thing is, the more expensive the lock, the more expensive the lock pick is supposed to be. That's the real measure of the effectiveness of a lock. I.e., an expensive lock that can be picked in an inexpensive manner is an ineffective lock.

    • You don't have to fool the criminals to sell an expensive lock. You just have to fool management at the corporate or government level.
    • by s.petry (762400)

      People had to know this was coming, it's painfully obvious and is obvious with all such technology. Algorithms are used to validate, and one only needs to do reverse engineering of 2 aspects. 1) Math function to match data. 2) input mechanism used to get test data.

      The same thing was done with fingerprint scanners, and why we did not have a mass adoption. Jello was found to be the easiest way to lift and place fingerprints (This trick was used at a DOD site during our pilots.)

      This is why most secure are

    • by Mitreya (579078)

      That's the real measure of the effectiveness of a lock. I.e., an expensive lock that can be picked in an inexpensive manner is an ineffective lock.

      Locks can also be changed once someone steals and duplicates your key. Even the crappiest lock can be replaced.
      Good luck replacing your iris once a copy is out in the wild.

  • by Tastecicles (1153671) on Wednesday July 25, 2012 @01:54PM (#40767743)

    If Simon Phoenix wants my iris code, hell he can just have a photocopy! Fuckhead... I'll keep both my eyes.

    ["Tastecicles, you are fined one credit for violation of the Verbal Morality Statute."]

  • Somehow, I'm picturing the eye builder from Bladerunner when I think about reverse-engineered irises.

  • All your iris are belong to us
  • by jovius (974690) on Wednesday July 25, 2012 @02:06PM (#40767887)

    The perfect identification system - is there none? Can everything be faked and replicated? In the end what is the most defining characteristics of a person's identity? One can for example create a complete fake identity and mimic a body with the help of non intrusive / intrusive technology. Perhaps the uniqueness comes from the constant flux - the actual logic or pattern of the changes in the person's life and body. Proving an identity completely means that the technology would follow the person anywhere and monitor the changes. How far is it necessary to actually go? The kind of systems can be abandoned once there's enough trust to not need them at all and/or there's nothing to guard.

  • ...shit.

  • Ok, so current systems can be tricked with photographs, and that seem pretty silly. But future versions could record stereo images while altering the illumination of the subject's eye. Properly functioning (attached) human eyes should have irises that dilate with extreme changes to illumination. By masking the subjects eye or eyes from the surrounding environment and changing the illumination levels over time, a complex system could measure pupil dilation characteristics to evaluate if the eye before it is

    • Yes, these can be improved, but they are trying to be simple, fast, and cheap. When you have 200 people standing in line waiting to get on an airplane, Voight-Kampf'ing everyone is a non-starter.
      Simply going to retinal scans makes fooling the system much harder, but retinal scanning is slower than iris scanning.
      • When you have 200 people standing in line waiting to get on an airplane, Voight-Kampf'ing everyone is a non-starter.

        And al-Qaeda doesn't even accept replicants as members...

  • That neeeeeever happens in today's world of OS security, now does it? And what happens when researchers find a vulnerability in a computer system? It usually gets patched pretty quickly.

    This one will not take long to patch. In the "can you tell which is which?" pictures, I picked the synthetic iris with 100% accuracy, in less than 3 seconds of inspection. Yes, I work actively in the biometrics field...but guess what? So do the folks who build these systems. I will hazard a guess that Neurotech (and L-1,
    • by Bucky24 (1943328)
      Well the problem happens when the researchers that find the vulnerability are working for people who would rather exploit a vulnerability then patch it. Of course you're right in saying that no system is without it's flaws (at least I think that's what you're saying).
  • I worked on early iris recognition software and we had already worked through this scenario way back then. If the scanner was worth it's salt, it would be doing what we did years ago...

    1) Verify that the eye reacts to changing light conditions... Pupils should contract or dilate when required.
    2) Verify that the eye isn't flat (i.e. a picture). Proper specularity orientation from changing light sources (we used infrared) to identify the curvature.
    3) Glowing pupil under infrared, dark with different lighting.

  • All biometrics can be fooled if the biometric sensor system alone is all you are using for the security.

    Biometrics only uniquely identifies a person. You still need another person (security guard, for example) or technology (detect a live human being and/or a real eye) to verify it is a person that provides the biometric input. This is to prove an actual person is there.

    Until someone switches eyes out (improbable) or finds a way to implant the iris image of another individuals eye within their own eye (impr

  • the eye scanners they had there measured iris geometry and pupil size and response. They were easily spoofed with psychoactive substances, because calibrated from a baseline measurements. If you could make the the baseline wasn't really baseline, subsequent tests would look a-ok

What is mind? No matter. What is matter? Never mind. -- Thomas Hewitt Key, 1799-1875

Working...