Digital Iris Fakes Made with Evolving Algorithm Fool Biometric Scanners

There’s more to iris scans than meets the eye, and that could end up being their undoing. New academic research coming out at the Black Hat Security conference this week shows a way to recreate iris images from the digital codes underlying iris-scanning security protocols–images that are so good that they can trick commercial-grade iris-scanning security devices into thinking they’re the real thing.

When iris-scanning biometric security systems create a digital imprint of an iris, they don’t actually store that image of the iris for future comparison to the real thing. Rather, when a person scans his or her iris into a biometric system for the first time, the system turns the iris into a code consisting of about 5,000 bits of data. This code is based on about 240 points that are measured in the actual iris image, and is for all intents and purposes a unique digital analog of the iris.

The actual iris image is then discarded. The next time the person needs to authenticate himself or herself, he or she scans the iris again. The device converts this scan into an iris code as well, and the two codes are compared. If the digital codes match–within a reasonable margin of error–then identity is authenticated and access is granted.

But researchers at the Universidad Autonoma de Madrid and West Virginia University have found a way to reverse-engineer an iris image from the digital code itself using genetic algorithms–an iris image so good it can fool a biometric scanner. Genetic algorithms are those that improve results each time they process data. Like generations of a species over time, they adapt; each iteration of the algorithm produces an iris image with an iris code that is a little more similar to the code being reconstructed. After 100-200 iterations, the algorithm generates an iris image with an iris code that is adequately similar to the original code.

That should worry those relying on biometric security measures. What this essentially means is that if a database containing iris codes were hacked, the hackers could construct iris images that would dupe scanners, and they would never even have to get near the actual owner of that iris. Moreover, the hackers wouldn’t even necessarily have to hack the database of the entity they wish to compromise. Consider a defense contractor whose iris can access both facilities at his firm as well as restricted areas of a military base. Someone wishing to access the military base could hack the defense contractor, steal the iris code, reconstruct the iris, print it to a contact lens, and access the military facility. It’s all very Mission Impossible, but according to the research, it’s not so very far-fetched.

More over at Threat Level.

Threat Level