Reverse-Engineered Irises Fool Eye-Scanners
Maximum Prophet writes "If you've ever had your eyes scanned, be sure to install new ones every 90 days. Wired reports on research being released at Black Hat: 'The replica images, they say, can trick commercial iris-recognition systems into believing they’re real images and could help someone thwart identification at border crossings or gain entry to secure facilities protected by biometric systems. The work goes a step beyond previous work on iris-recognition systems. Previously, researchers have been able to create wholly synthetic iris images that had all of the characteristics of real iris images — but weren’t connected to real people. The images were able to trick iris-recognition systems into thinking they were real irises, though they couldn’t be used to impersonate a real person. But this is the first time anyone has essentially reverse-engineered iris codes to create iris images that closely match the eye images of real subjects, creating the possibility of stealing someone’s identity through their iris.'"
Re: (Score:2, Funny)
Who'd have thought they could do this? I mean the TSA has been duplicating SPHINCTERS for years, now - but irises are a Van Gogh level of complexity!
Re: (Score:2)
Dutch.
The gift that keeps on giving.
Problem with biometrics (Score:1)
If these types of scanners ever become common, all you would need is one untrustworthy scanning station to steal your identity (and then impersonate you at all other stations). And the problem with biometrics, of course, is that they can't be changed. Biometrics were never a good idea.
Re:Problem with biometrics (Score:4, Insightful)
biometrics are fine, this just illustrates why you need 2 factor security.
Re: (Score:2)
biometrics are fine, this just illustrates why you need 2 factor security.
Exactly. Biometrics are not secrets. They uniquely identify an individual, but you still need a secret for security.
Re: (Score:1)
Exactly. Biometrics are not secrets. They uniquely identify an individual, but you still need a secret for security.
And even that is not true, if they are easily copied. The parent is obviously right
Re: (Score:2)
They do not uniquely identify an individual any more than having my driver's license makes you me. They, like all other forms of identification, are copyable.
Re: (Score:2)
They do not uniquely identify an individual any more than having my driver's license makes you me. They, like all other forms of identification, are copyable.
The problem is not the copying, it is the verification that is the problem. At this time the verification process can be spoofed, that most probably will not always be the case.
Much like if I went and made a photocopy of your driver's license. The copy may fool other devices that read a license in the same way that the copy was made, but it won't fool more advanced devices. And that photocopy definitely will not fool a police officer.
Re: (Score:2)
You can torture out someone's password, but the easiest way to fool an iris scanner is to pluck out some poor bastard's eye. Fingerprint scanner? Chop off their finger.
Re: (Score:2)
Actually close...I think to be totally 'hack proof' you'd have to be Marty Feldman
Re: (Score:2)
If these types of scanners ever become common, all you would need is one untrustworthy scanning station to steal your identity (and then impersonate you at all other stations).
So, um, where would one of these untrustworthy scanning stations be set up?
And the problem with biometrics, of course, is that they can't be changed. Biometrics were never a good idea.
Biometrics is a very good idea, it just needs to be implemented in a way that doesn't allow one to cheat. Such as when you get your fingerprint scanned the scanner should also do a check to make sure it is actual skin instead of a silicone copy.
To securely do an iris scan though, that would not only be tough to design, it would also mean that people who wear contacts would not be able to use an iris scanner.
Re: (Score:2)
They would be set up at the same place as the trustworthy stations.
Biometrics is a bad idea, no implementations can save it. The fingerprint scanner will then have to deal with better and better synthetics.
Requiring a user to slide a contact over is not a huge burden.
Re: (Score:2)
They would be set up at the same place as the trustworthy stations.
Like airports and border crossings? Yes, I guess if it is state sponsored they could put an untrustworthy station in place there, it is just unlikely to ever happen, at that level they probably already have the information. More likely I guess is private organizations that use iris scanners, it would still need to be an inside job though.
The fingerprint scanner will then have to deal with better and better synthetics.
And so will those looking to get past the scanner. I would imagine that at some point with fingerprint scanners that they will be looking beyond the fingerprint and also
Re: (Score:2)
Someone has been watching Demolition Man a bit too much I think...
Re: (Score:2)
Doesn't really invalidate the point—I mean, what it amounts to is that iris scanners, traditionally thought of as extremely high-security items, are only really practical for low-security stuff where it wouldn't be worth the cost/risk/bloodshed/etc. to (a) kidnap someone to prototype from their eyes or (b) take what you need a la carte. You still wouldn't want to use it for a military installation.
Re: (Score:2)
It seems to me that it would be easy to prevent that particular attack just by checking pupil reaction. If it doesn't react, the eye isn't attached to a living organism and shouldn't be allowed. Additionally, nothing high security should ever be single factor authentication anyway.
Biometrics done right are really good, biometrics done wrong are our worst nightmare.
Re: (Score:2)
That's a good trick—albeit one probably fairly easy to simulate with a decent e-paper display put in place, or a transparent LCD.
Re: (Score:2)
Why create an iris when the movies showed you can just pull someone's eye out and hold it in front of the scanner?
Yeah, Loki can leave his fancy gadget home next time.
(But I like the palm scanner scene on Red Dwarf better.)
Passwords can be changed when compromised... (Score:5, Insightful)
Re: (Score:1)
Actually, you can engineer a virus to alter the DNA. We do it all the time with mice.
We also do it with adult humans with cancer, so that their cancer growths glow in the dark during surgery. Use the docking receptors on the cells.
Re: (Score:2)
Transgenic mice are generally made by homologous recombination in single embryonic
Re: (Score:2)
Actually, you can engineer a virus to alter the DNA.
Changing your DNA won't change your iris. It has already been built using the previous DNA. You'd have to use the new DNA and grow a whole new eye from it.
Re: (Score:1)
No, viral insertion works by literal infection of cells. You're confusing germ distribution, where you alter the DNA once, with viral DNA insertion at a spot, which infects a literal cell and uses the cell mechanism via a docking ligand to deliver a target viral payload which inserts itself into the cell's DNA.
We make cancer cells glow so that we can perform surgery on them. It's not the cancer cells we target per se, but all cells. The cancerous cells have certain biochemical characteristics which are used
Re: (Score:2)
not quite (Score:2)
If I recall correctly, I do believe it has been said that even wearing contacts due to development of new veins can change your iris over time. Unless that was specific to your retina?
Re: (Score:2)
What this research shows is that they could send an iris printer with the spy. Then send him the codes for new eyes.
Re: (Score:2)
And if security pulls the person aside and asks the person to please remove their contacts and have another scan?
Re: (Score:2)
Seriously, you would test the system, first by observing how the guards work, then by sending people through who are expendable, or diplomats with get-out-of-jail black passports. If all that fails, and you get pulled aside for a random search, have a co-worker create a diversion and slip away.
Re: (Score:2)
Something you have and something you know is the current standard, I see no problem with adding "something you are" into the mix as a third layer.
Re: (Score:2)
The photo on your driver's license is a biometric.
It doesn't have to be kept secret.
The security comes from the verification process. If you're pulled over while carrying someone else's driver's license, then holding up a picture of that person to the police officer is not going to let you impersonate that person.
The reason we're used to thinking in terms of secrecy is that it's the only way to make passwords exclusive to particular users.
I've even seen security professionals get this wrong.
Re: (Score:2)
your iris can not. Well, not without some B grade horror movie level surgery.
You're calling Minority Report a B grade horror movie??
This is why my sister installed Hazel (tm) eyes (Score:2)
The advantage is her eye color changes all the way from purple to blue to brown so just think of her eyes as Enhanced Security Eyes.
Where did the article's photos come from? (Score:3)
Require 2 Factor Verification (Score:1)
Re:Require 2 Factor Verification (Score:5, Insightful)
The major problem with *magic* solutions, is that leader types look at them and say "Wow, Iris Scanners, I could never fool one of those, so nobody could fool one." People have the same reaction to physical locks.
This leads to security theater. Yes, it stops stupid criminals, and yes it can be a good thing when you stop stupid criminals, but when you want to stop people flying airplanes into buildings, or stock traders from racking up $2 billion in fraudulent losses, magic doohickeys aren't the solution.
Re: (Score:2)
Maybe we politicians don't want to stop some kinds of criminals.
Especially white collar criminals giving us part of their take in the form of bribe money.
Re: (Score:2)
I'm not sure I'm not on board with that. Imagine a world where there was no violent crime or real property theft. If your bank account was stolen, you get it back in 90 days.
In such a world, keep several bank accounts and several credit cards, and regular normal people are safe.
If you could live in a world where all crime was crime against large corporations, and all war was cyberware, would you? What would you give up to live
Re: (Score:2)
Doesn't this story mean that "Something you are" is really just a second "Something you have"?
Re: (Score:2)
"Something you have" is more like a key, RFID card, or other authentication device issued by some authority.
"Something you are" is not as easily detached from your person as pickpocketing a key card.
less unique (Score:2)
Lock and the lock pick. (Score:5, Insightful)
New technology is nice and all, but for every lock ever created there will be a lock pick for it.
The only thing is, the more expensive the lock, the more expensive the lock pick is supposed to be. That's the real measure of the effectiveness of a lock. I.e., an expensive lock that can be picked in an inexpensive manner is an ineffective lock.
Re: (Score:2)
People had to know this was coming, it's painfully obvious and is obvious with all such technology. Algorithms are used to validate, and one only needs to do reverse engineering of 2 aspects. 1) Math function to match data. 2) input mechanism used to get test data.
The same thing was done with fingerprint scanners, and why we did not have a mass adoption. Jello was found to be the easiest way to lift and place fingerprints (This trick was used at a DOD site during our pilots.)
This is why most secure are
Re: (Score:2)
That's the real measure of the effectiveness of a lock. I.e., an expensive lock that can be picked in an inexpensive manner is an ineffective lock.
Locks can also be changed once someone steals and duplicates your key. Even the crappiest lock can be replaced.
Good luck replacing your iris once a copy is out in the wild.
Ob. Demolition Man reference (Score:5, Funny)
If Simon Phoenix wants my iris code, hell he can just have a photocopy! Fuckhead... I'll keep both my eyes.
["Tastecicles, you are fined one credit for violation of the Verbal Morality Statute."]
Re: (Score:2)
And this is exactly why duress codes exist. If you can give them a "something you know" that gets help dispatched quickly, without tipping off the bad guys, you're in a lot better position. (And they don't dare kill you until they've verified that the information they extracted from you is accurate.)
Also improvements to the technology authenticating the "something you are" to make copying impossible is a good thing because it forces them to take you to the authentication device, giving you some measure of t
Re: (Score:2)
The point isn't to stop them before detaching your eyeball, it's to make it pointless for them to bother. If they know that a detached eyeball won't work, why would they detach it? Someone could come cut my eyeball out right now, but the lack of any authentication system making use of it means there is no reason to do so. Similarly, if all authentication devices require a LIVE eyeball, criminals will have no use for a detached one.
There is no police force, alarm system, or other security force in existence t
Re: (Score:2)
Unfortunately, all three of those are really just "something you know."
If I have a 5-pin tumbler key and each pin has a depth setting of 0-5 then I really just need to know a 5-digit, hex (not hexadecimal) number and I can recreate the key. If I have a reading of a fingerprint all I need to do is experiment with fingerprint printing or fingerprint re-forming technology until I get a copy that can pass for the original.
Even an RSA keyfob, technically, can be copied if I can rip it apart in a manner that let
Re: (Score:2)
What do you do when your security system requires all three factors, but you already know the "something you are
"Just eyes" (Score:2)
Somehow, I'm picturing the eye builder from Blade Runner when I think about reverse-engineered irises.
All your iris (Score:1)
Pattern of uniqueness (Score:3)
The perfect identification system - is there none? Can everything be faked and replicated? In the end what is the most defining characteristic of a person's identity? One can for example create a complete fake identity and mimic a body with the help of non intrusive / intrusive technology. Perhaps the uniqueness comes from the constant flux - the actual logic or pattern of the changes in the person's life and body. Proving an identity completely means that the technology would follow the person anywhere and monitor the changes. How far is it necessary to actually go? The kind of systems can be abandoned once there's enough trust to not need them at all and/or there's nothing to guard.
Well... (Score:2)
...shit.
Pupil dilation (Score:2)
Ok, so current systems can be tricked with photographs, and that seems pretty silly. But future versions could record stereo images while altering the illumination of the subject's eye. Properly functioning (attached) human eyes should have irises that dilate with extreme changes to illumination. By masking the subject's eye or eyes from the surrounding environment and changing the illumination levels over time, a complex system could measure pupil dilation characteristics to evaluate if the eye before it is
Re: (Score:2)
Simply going to retinal scans makes fooling the system much harder, but retinal scanning is slower than iris scanning.
Re: (Score:3)
When you have 200 people standing in line waiting to get on an airplane, Voight-Kampff'ing everyone is a non-starter.
And al-Qaeda doesn't even accept replicants as members...
So some researchers found a vulnerability... (Score:1)
This one will not take long to patch. In the "can you tell which is which?" pictures, I picked the synthetic iris with 100% accuracy, in less than 3 seconds of inspection. Yes, I work actively in the biometrics field...but guess what? So do the folks who build these systems. I will hazard a guess that Neurotech (and L-1,
Seems like a bad implementation to me (Score:2)
I worked on early iris recognition software and we had already worked through this scenario way back then. If the scanner was worth its salt, it would be doing what we did years ago...
1) Verify that the eye reacts to changing light conditions... Pupils should contract or dilate when required.
2) Verify that the eye isn't flat (i.e. a picture). Proper specularity orientation from changing light sources (we used infrared) to identify the curvature.
3) Glowing pupil under infrared, dark with different lighting.
Simple fix (Score:2)
All biometrics can be fooled if the biometric sensor system alone is all you are using for the security.
Biometrics only uniquely identifies a person. You still need another person (security guard, for example) or technology (detect a live human being and/or a real eye) to verify it is a person that provides the biometric input. This is to prove an actual person is there.
Until someone switches eyes out (improbable) or finds a way to implant the iris image of another individual's eye within their own eye (impr
used these machines in probation (Score:2)