Iris attacks no surprise to iris recognition inventor

30/07/12

The "hacking" of iris recognition has caused a flurry of news stories in recent days, ranging from the technology-focused media all the way up to the BBC. The stories are based on a recent Black Hat conference paper that claims iris images have been reconstructed from iris templates (IrisCodes) and used to carry out an attack on a commercial iris recognition system, with a success rate of around 80%. The inference is that iris recognition is no longer as secure as once believed.

This development, according to the paper's authors (the Biometric Recognition Group-ATVS at the Universidad Autonoma de Madrid, and researchers at West Virginia University), is significant because it had been assumed that the IrisCode did not contain enough information to allow the reconstruction of a workable iris.

"Not so," says John Daugman, Professor of Computer Vision and Pattern Recognition at Cambridge, who developed and patented the first algorithm for iris recognition, which remains in widespread use worldwide. (Although he does believe this news will be a wake-up call to some manufacturers whose literature may claim this is the case…)

Daugman says the vulnerability in question, which involves using an iterative process to reconstruct a workable iris image from an iris template relatively quickly, is a classic "hill-climbing" attack that is a known vulnerability for all biometrics.

Daugman told Planet Biometrics: "I think that the primary vulnerability is the disclosure of an IrisCode template, which this attack depends upon completely. Of course if such an IrisCode template can be obtained, then it could be used directly in a digital attack. There would be no advantage in first converting it back into an image, and then launching an analogue attack using that image."

Daugman continued: "This attack also depends on having the ability to generate an IrisCode template from an image, and to do so repeatedly and iteratively. This is only possible with access to the encoding algorithm or to a device which implements it."

Of course this is what the researchers did using a VeriEye algorithm from Neurotechnology. However, most iris recognition algorithm developers do not openly give access to the SDK required to perform such a task, and as Daugman notes: "The result will be specific to that algorithm."

Perhaps, then, this will be an interesting dilemma to solve for Neurotechnology, which has of course made its successful algorithm public for several years.

So what?

So if a hill-climbing attack is possible, and the attack doesn't really surprise industry experts, then what does this mean for iris recognition?

According to Daugman: "I think the key is to maintain cryptographic security on IrisCode templates." 

Of course, as Daugman told Planet Biometrics, it is important to remember that the analogue image of a person's eye is not really a secret in the first place, albeit quite difficult to obtain. He commented: "In countries whose populations tend to have very darkly pigmented irises (as India), it is somewhat difficult to capture a good iris image surreptitiously using conventional cameras; rather, NIR (near-infrared) illumination and NIR cameras are required."

Artificial or Alive?

Of course, on top of cryptographic security there is the major issue of artifice detection. Most higher-quality iris recognition systems employ countermeasures against spoof attacks to detect whether they are being presented with a live eye, or, in this case, a piece of paper with an image on it.

The industry freely admits that the business of countermeasures against "spoofing" represents the classic arms race, so often played out by security system manufacturers and hackers.

At least, it seems, a well-designed modern system wouldn't likely accept the sort of image described in the research presented.
