Iris attacks no surprise to iris recognition inventor

30/07/12

The "hacking" of iris recognition has caused a flurry of news stories in recent days, ranging from the technology-focused media, all the way up to the BBC. The stories are based on a recent Black Hat conference paper that claims iris images have been reconstructed from iris templates (IrisCodes) and used to carry out an attack on a commercial iris recognition system, with a success rate of around 80%. The inference is that iris recognition is no longer as secure as once believed.

This development, according to the paper's authors (the Biometric Recognition Group-ATVS at the Universidad Autonoma de Madrid, and researchers at West Virginia University), is significant because it had been assumed that the IrisCode did not contain enough information to allow the reconstruction of a workable iris.

"Not so," says John Daugman, Professor of Computer Vision and Pattern Recognition at Cambridge, who developed and patented the first algorithm for iris recognition, which remains in widespread use worldwide. (Although he does believe this news will be a wake-up call to some manufacturers whose literature may claim this is the case…)

This is a classic 'hill-climbing' attack that is a known vulnerability for all biometrics.

Daugman says the vulnerability in question, which involves using an iterative process to relatively quickly reconstruct a workable iris image from an iris template, is a classic "hill-climbing" attack that is a known vulnerability for all biometrics.

Daugman told Planet Biometrics: "I think that the primary vulnerability is the disclosure of an IrisCode template, which this attack depends upon completely. Of course if such an IrisCode template can be obtained, then it could be used directly in a digital attack. There would be no advantage in first converting it back into an image, and then launching an analogue attack using that image."

Daugman continued: "This attack also depends on having the ability to generate an IrisCode template from an image, and to do so repeatedly and iteratively. This is only possible with access to the encoding algorithm or to a device which implements it."

Of course this is what the researchers did using a VeriEye algorithm from Neurotechnology. However, most iris recognition algorithm developers do not openly give access to the SDK required to perform such a task, and as Daugman notes: "The result will be specific to that algorithm."

Perhaps then, this will be an interesting dilemma for Neurotechnology to solve, who of course has made its successful algorithm public for several years.

So what?

So if a hill-climbing attack is possible, and the attack doesn't really surprise industry experts, then what does this mean for iris recognition?

According to Daugman: "I think the key is to maintain cryptographic security on IrisCode templates." 

Of course, as Daugman told Planet Biometrics, it is important to remember that the analogue image of a person's eye is not really a secret in the first place, albeit quite difficult to obtain. He commented: "In countries whose populations tend to have very darkly pigmented irises (as India), it is somewhat difficult to capture a good iris image surreptitiously using conventional cameras; rather, NIR (near-infrared) illumination and NIR cameras are required."

Artificial or Alive?

Of course, on top of cryptographic security there is the major issue of artifice detection. Most higher-quality iris recognition systems employ countermeasures against spoof attacks to detect whether they are being presented with a live eye, or, in this case, a piece of paper with an image on it.

The industry freely admits that the business of countermeasures against "spoofing" represents the classic arms race, so often played out by security system manufacturers and hackers.

At least, it seems, a well designed modern system wouldn't likely accept the sort of image described in the research presented.

Subscribe to our free newsletter
Follow us on Twitter
Join us on LinkedIn

Article Comments

No reviews have been submitted

Please add a comment on this article from the Add Comment below.

Please Login or Register.

Login or Register

This article appears in :-

Iris codes vulnerable?
Iris codes vulnerable?

Other Site News

Planet Biometrics reveals Annual Review for 2014 18 December 2014

Planet Biometrics has created an annual review featuring insights from experts across the industry.

Gartner: Internet of Things will redefine identity management 19 December 2014

The Internet of Things will drive device and user relationship requirements in 20% of new identity and access management, says Gartner, with new biometrics emerging in a key role.

Ghana launches upgrade of biometric passport systerm 19 December 2014

West African country Ghana has revealed plans to upgrade its biometric passports to also include microchips.

Natural Security Alliance reveals launch of compliant payment devices 19 December 2014

France-based biometric standards-setting body the Natural Security Alliance has announced the launch of the first connected devices that implement its proximity payment standards.

OASIS seeks public review of biometric device protocol 19 December 2014

The Organization for the Advancement of Structured Information Standards has launched a 15-day public review of a command and control protocol for biometric devices.

More articles >>

SDW conference and connect:ID news

connect:ID 2014 in stats

The overwhelming success of the inaugural connect:ID exhibition and conference at the Ronald Reagan Center in Washington, DC exceeded expectations for event hosts - the IBIA and Science Media Partners.

Plans underway for connect:ID 2015

Preparations are well underway for connect:ID 2015

Commentaries

Comment: Biometrics and the chances of owning a hoverboard

Biometrics technology is almost invariably depicted in movies as a big brother's best friend. If it was instead portrayed with realism and positivity, the public would better understand the potential life-changing benefits.

Comment: Commercial vein sensor spoofed - so what?

The vein recognition industry has been somewhat immune from the problem of biometric spoof attacks. This perception could gradually change as researchers spoof - at least under specific limitations - a commercial sensor. But one could argue - so what, at least for the majority of use cases…

On the cusp of mobile biometric technology adoption?

In the months since our first white paper on Mobile Biometrics was first posted, there have been several developments that suggest we are on the cusp of a surge in mobile biometric technology adoption.

Special Report on the April SC37 Meetings in Winchester, England

The April meetings of the working groups of ISO/IEC JTC1 SC37 subcommittee on biometrics were held in Winchester, England. This article is a Special Report by our Expert Editor, Cathy Tilton, into the meetings and main outcomes from the various Working Groups.

Special Report on the SC37 Meetings in Paris

A full and exclusive report into the recent Paris meetings by the SC37 subcommittee on biometrics and its working groups as they continue their task of setting international standards related to biometrics.

Special Report on the January SC37 Meetings in Phuket

Get a feel for where things are going on the international standards front. A special report on the SC37 standards meetings in Phuket which took place earlier this month (January 2012).

Special Report on the SC37 Meetings in Kyoto

Get a feel for where things are going on the international standards front. This article reveals all the highlights from the recent SC37 biometric standard meetings in Kyoto, Japan
 

Share |

Sponsored Links

Speed Identity Speed Identity is an innovative Swedish technology company supplying integrated biometric data capture solutions. The new Speed Capture G3 is the first cross-functional form factor.
id3 Technologies Id3 Technologies is a biometrics expert company providing winning awards algorithms, biometrics devices and ID systems. Established since 1990 and originally involved in electronics, id3 is a biometrics veteran developing innovative, secure and convenient solutions like match on card, multimodal enrolment, AFIS and ABIS.