Iris Scanners Hacked At Black Hat USA 2012

Security experts at the Black Hat conference in Las Vegas have shown how it is possible to circumvent Iris scanners, believed to be one of the most secure biometric authentication methods in use today.

Iris scanners reduce an image to a string of code and store it in a database. It was previously thought that reverse-engineering the code back into an image would not be possible, but a team from a Spanish university has done it with an 80 percent success rate.

Eye spy

Iris scanners, first developed in 1987, use the unique pattern of the coloured part of the eye to identify people. They are widely used in airports, including London’s Heathrow and Gatwick, for immigration control and speeding up check-in procedures.

A team from the Universidad Autonoma de Madrid led by Javier Galbally, together with researchers from West Virginia University, has managed to produce synthetic images of the iris that can successfully pass trough the scanner.

When the device takes a picture of the eye, it reduces the image to a code which consists of about 5,000 bits of data. The code is then used for recognition and stored in a database. The researchers have proved that if an attacker manages to hack the database and steal the codes, he or she can reverse-engineer them to create images which then can be printed out to create “fake eyes”.

Iris scanning technology is considered to be one of the most dependable security solutions, much more reliable than fingerprint or voice recognition. However, when researchers tested their synthetic images against popular iris recognition system VeriEye, they managed to deceive it four out of five times, reports the BBC.

While creating a fake image of an iris from scratch is simple, it was previously thought that reconstructing one from an iris code was impossible. According to Wired, the researchers are using clever “genetic algorithms” inspired by evolution to produce natural-looking iris pictures.

Yet in the UK, some major organisations have moved away from iris recognition. In February, Iris Recognition Immigration System (IRIS) terminals were closed at Birmingham and Manchester airports, with Heathrow and Gatwick set to abandon the scheme after the London 2012 Olympics.

The IRIS programme was axed in favour of chipped ePassports and e-gates using facial recognition technology, after many users complained that instead of saving time, going though the scanner could actually take longer than regular passport control.

Can you look after your personal data online? Take our quiz!