Black Hat: Biometric experts demonstrate reverse-engineering capability in iris scanning systems

Researchers at the Black Hat conference in Las Vegas have demonstrated a method of breaking retina authentication.

Javier Galbally, assistant researcher and professor at the Universidad Autonoma de Madrid, presented new research, conducted by scholars in Spain and at West Virginia University, that reveals ways iris scans can be thwarted by duplicating an image of the eye membrane.

Iris recognition systems are currently deployed by both corporations and law enforcement entities around the world to permit access to sensitive tools and information. After a person's eye is scanned, the recognition tool produces an iris code, which is then filed in a database and used for future matching.

To exploit this mode of authentication, a hacker would first have to access the database that holds the iris scans, typically stored as templates or digital records of an individual's biometric features. 

According to Galbally, once they have access to the original templates, the hackers can use a genetic algorithm to alter the synthetic code over several iterations until a nearly identical template is produced. That permits an image of the iris to be duplicated.

He said that creating a match is as simple as printing the image out and showing it to the recognition system, and that this could be done by patching the image onto a contact lens, which the attacker can then wear.

“The commercial [iris] system only looks for the iris [code] and not an actual eye,” said Galbally, who also conducted the research with help from colleagues at the Biometric Recognition Group-ATVS.

“The main problem with the iris is the acquisition. Sensors are more expensive and it's more difficult to acquire because you need more cooperation from the users. You never know if it's going to be dangerous or not, but the vulnerability is there. It's good that people are aware that these vulnerabilities exist.”

There have not been any breaches reported as a result of bypassing these systems through synthetic iris images, Galbally said.