Black Hat Iris Biometrics Attacks Don’t Tell The Whole Story

An iris biometrics expert clarifies the truth behind the technology in response to the Black Hat conference paper claiming to have hacked an iris template, recreated the image and fooled a recognition system.

Is it really that easy to re-engineer an iris image? Not so fast…

Planet Biometrics released an article today, “Iris attacks no surprise to iris recognition inventor,” which details an interview with John Daugman, Professor of Computer Vision and Pattern Recognition at Cambridge, in response to the recent Black Hat conference paper that hacked into an iris system and re-engineered images to fool a recognition device. Professor Daugman is credited with developing and patenting the first algorithm for iris recognition, which is still widely used across the world.

Professor Daugman acknowledges in the article:

“This is a classic ‘hill-climbing’ attack that is a known vulnerability for all biometrics….the vulnerability in question, which involves using an iterative process to relatively quickly reconstruct a workable iris image from an iris template, is a classic “hill-climbing” attack that is a known vulnerability for all biometrics.”

The primary vulnerability in the Black Hat conference paper was the full disclosure of, and access to, the IrisCode template, as well as having the ability “to generate an IrisCode template from an image, and to do so repeatedly and iteratively.” In other words, without access to the encoding algorithm or to a hardware device that implements it, the “attack” would not have been possible. Be that as it may, the Black Hat scientists did have access to the encoding algorithm, but not all iris biometrics algorithm researchers and developers give access to the Software Development Kit (SDK) that is needed in order to perform the “attack.”

According to Daugman, this should be a sign “to maintain cryptographic security on IrisCode templates” in order to keep the highest level of security and thwart would-be system attacks. Daugman went on to say that in addition to cryptographic security, there is also the issue of iris hardware detecting an artificial iris vs. a real one. Most of the higher quality iris biometrics recognition systems on the market are equipped with sophisticated technology to detect the presence of an artificial eye and tell when they are being spoofed. The bottom line is that a quality, modern iris biometrics recognition system would not have been fooled by the re-engineered iris image used in the Black Hat conference paper.
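One way to keep stored templates under cryptographic protection, as an added sketch that is not code from the article, the Black Hat paper or any vendor SDK: the template is sealed with AES-GCM, bound to its user ID, and opened only inside the matcher. The 2048-bit code size, the 0.32 threshold, the function names and the use of the Python `cryptography` package are assumptions of this example.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

CODE_BYTES = 256        # 2048-bit code; size assumed for this sketch
MATCH_THRESHOLD = 0.32  # assumed accept threshold on fractional Hamming distance

def seal_template(key, user_id, code, mask):
    """Encrypt code||mask with AES-GCM; user_id is bound as associated data."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, code + mask, user_id.encode())

def open_template(key, user_id, record):
    """Return (code, mask). Raises InvalidTag if the record was altered or
    copied onto another user's row."""
    plain = AESGCM(key).decrypt(record[:12], record[12:], user_id.encode())
    return plain[:CODE_BYTES], plain[CODE_BYTES:]

def hamming_fraction(code_a, mask_a, code_b, mask_b):
    """Share of disagreeing bits among the bits both masks mark as usable."""
    a, b = int.from_bytes(code_a, "big"), int.from_bytes(code_b, "big")
    valid = int.from_bytes(mask_a, "big") & int.from_bytes(mask_b, "big")
    if valid == 0:
        return 1.0  # nothing comparable: treat as a non-match
    return bin((a ^ b) & valid).count("1") / bin(valid).count("1")

def verify(key, user_id, record, probe_code, probe_mask):
    """Decrypt inside the matcher and return only an accept/reject decision."""
    try:
        code, mask = open_template(key, user_id, record)
    except InvalidTag:
        return False
    return hamming_fraction(code, mask, probe_code, probe_mask) < MATCH_THRESHOLD

def flip_leading_bytes(code, n):
    """Constructed noise model: invert every bit of the first n bytes."""
    return bytes(b ^ 0xFF for b in code[:n]) + code[n:]

if __name__ == "__main__":
    key = AESGCM.generate_key(bit_length=256)
    enrolled = bytes(range(256))   # constructed sample code, not real iris data
    mask = b"\xff" * CODE_BYTES    # every bit marked usable
    record = seal_template(key, "user-17", enrolled, mask)
    print(verify(key, "user-17", record, flip_leading_bytes(enrolled, 25), mask))
    print(verify(key, "user-17", record, flip_leading_bytes(enrolled, 256), mask))
    print(verify(key, "user-18", record, enrolled, mask))  # record moved to another user
```

A copied database row then yields only ciphertext, so the stored template is not available as a target to iterate against unless the matcher's key is also compromised.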

What is rather unfortunate about the content of this article is that virtually no one who was exposed to the Black Hat conference paper will have the opportunity to hear the points brought out by Daugman, and will automatically deduce that iris biometrics systems should be avoided at all costs since they can be easily hacked and your iris template stolen. Daugman’s view will be known by few, a situation fueled in large part by organizations like the Electronic Frontier Foundation, who immediately pounced on the Black Hat conference paper and began their mission to spread the word that iris biometrics are just as susceptible to attacks as any other biometric modality, without reporting both sides of the issue.

We hope that you will take the time to educate yourself on the entire issue so you can formulate your own intelligent opinion when presented with all of the facts. Please share your thoughts with us on where you stand on the issue and why in the comments section below.

Mizan Rahman, Founder and CEO of M2SYS Speaking at 2011 Biometrics Exhibition and Conference


Mizan Rahman, Founder and CEO of M2SYS Technology

Mizan Rahman, Founder and CEO of M2SYS Technology, will be speaking at the 2011 Biometrics Exhibition and Conference, held in Westminster, London UK from October 18 – 20. The Conference assembles some of the world’s leading experts in biometric technology to discuss its use in commercial and governmental applications. A list of the speakers and the topics they will be discussing can be found here.

Mizan will be providing a global perspective about the maturity of biometrics in the commercial marketplace, sharing his experience on developing applications that adapt to various externalities that exist in different countries stemming from cultural, political and social conditions and variances.  With experience developing biometric applications that are now being used in almost 100 countries on all corners of the globe, Mizan is honored to have the opportunity to share his knowledge and engage with other Conference attendees to learn about their experiences.

If you are a biometrics professional looking to expand your knowledge of the market and interact with some of the brightest minds in the industry, this conference is a must-attend event. Many thanks to Mark Lockie (on Twitter as @Biometric_Man) and his team at Planet Biometrics for hosting the conference and assembling such an impressive speaker list and agenda.

Will you be attending the Conference?  Please drop us a note so we can make arrangements to meet!