27 Jul 2012

Biometric Security Scanners Defeated at BlackHat


For many years, biometric authentication has been regarded as the most effective means of securing assets. The king of biometrics, the iris scanner, has just been defeated by a group of scientists at the Universidad Autonoma de Madrid, who presented a replica of the human eye that can bypass iris-scanning security systems.

Once thought to be among the safest methods of biometric security, the iris scanner was proven vulnerable by researchers from universities in Madrid and West Virginia, who managed to recreate synthetic iris images from the digital codes of real irises. The false iris images were so accurate that a commercial recognition system treated them as real irises in 80% of cases.

Although fake iris images have been created for a while now, this would be the first instance in which a real iris is used as the model for the counterfeit, which can then be used to steal someone’s identity and, implicitly, their authentication rights in the system. Iris-based authentication systems work by converting the iris image into a code, which is later added to the database. The code contains around 5,000 different pieces of information, which were previously thought to be insufficient for reassembling the human iris.

The discovery has deeper implications, as biometric scanners usually gate access to mission-critical resources. Unlike antivirus software, which protects virtual assets, biometrics are usually used to control access to military or government facilities, among others.