Attack widely publicized, but safeguards protect real-world deployments
A team of researchers in the United States and Spain set out to understand the iris biometric algorithm and determine whether any structure in the code could be exploited. They claim to have found a potential way to fool an iris matching system, but as is often the case with publicized ‘hacks,’ others note that they did so only in a lab setting, without the protections employed by commercial biometric deployments.
The experiment started with the code that’s generated when a biometric system captures the image of an iris. “The biometric system would process that iris image using some software algorithms and would generate a mathematical number that now represents this iris image,” explained researcher Arun Ross. “This number in the case of iris is often a sequence of zeroes and ones called a binary string.”
Ross is an associate professor at West Virginia University and assistant director of CITeR, the Center for Identification Technology Research. He was part of the five-member team looking into the feasibility of reconstructing the original iris image using the iris code information. “That was the context in which this specific research was conducted,” says Ross.
The research was led by Javier Galbally from the Universidad Autonoma de Madrid. He was a visiting scholar in Ross’ West Virginia lab who had worked on similar projects involving biometric modalities. “We had a paper in 2007 which talked about reverse engineering fingerprint templates,” says Ross. “So, when Javier came here, we decided to go forth and see if we could do the same thing with iris data.”
The team used a matching algorithm and a database of sample iris images that had been made available by universities for academic research. “We took these iris images and converted them into iris code,” says Ross. Then, they tried to determine if it was possible to reverse engineer the code to create the original image.
A development system was used to reconstruct iris images and determine whether the reconstructed versions would result in a numeric template that matched the original. The team employed a genetic algorithm, an evolutionary search that repeatedly makes small changes to the iris image, keeps the changes that score better against the template, and continues until the image matched.
This experiment was done completely in a machine-constructed environment, explains Ross. He emphasizes this machine perspective because, he says, a human expert would immediately recognize that the recreated iris images were different. Still, in some cases, they were able to match within the test system. “These images could be fed into a commercial system which would then match against a true iris image and indicate that it’s a successful match,” says Ross.
Others disagree with the concept that this technique could succeed in a commercial system.
Joseph Pritikin, director of Product Marketing for AOptix Technologies, reviewed the report. “No encryption is broken, no synthetic is either presented to or accepted by any real iris scanner and no liveness or anti-spoofing capability is overridden,” says Pritikin.
The team never employed an eye scanner, either. Ross says the entire attack was launched in the software domain. “What we reported was not an attack on the scanner itself,” says Ross. “However, it should be possible to take the synthetic iris and perhaps place it in a modified contact lens in order to see if a scanner can be fooled.” The team hasn’t tried that yet.
“Our intention was to demonstrate the potential of creating synthetic iris images from real iris code,” says Ross.
In a briefing about the report, author Javier Galbally writes: “The experimental results show that the reconstructed images are very realistic and that, even though a human expert would not be easily deceived by them, there is a high chance that they can break into an iris recognition system.”
Pritikin finds fault with the “iris matching algorithm” being referred to in the report as an iris recognition system. “This is a misnomer. In general use, an iris recognition system is a system that includes the iris capture device, an application layer for control, a database and the matching algorithm,” says Pritikin. “Anti-spoofing and encryption technologies are present throughout the various components of a true iris recognition system.”
While Ross says the results indicate the proposed technique had an 80% chance of matching with a true iris image, Pritikin sees the findings differently. He says a more accurate paraphrasing of the paper would be: “In a particular use case where five synthetic samples were presented to a commercial matching algorithm, the matching algorithm accepted at least one out of the five samples as the original iris more than 80% of the time.”
Ross acknowledges that their process would likely be thwarted in a commercial iris recognition system. The team relied on a genetic algorithm that operates similarly to a hill-climbing attack.
“It requires the system to provide match codes repeatedly. After two or three (unsuccessful) queries, most commercial systems will shut out the user,” says Ross. “So here, since we had access to a genetic code, we could launch this attack iteratively using this genetic algorithm, which in a real world scenario may not always be feasible.”
The team’s algorithm relies on the generation of match codes by a matcher in order to launch the attack. Ross admits it would be difficult for an impostor to access the matcher and then use the iris code to reverse engineer and reconstruct the iris image itself.
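To make the dependency Ross describes concrete, here is an added toy simulation (not code from the paper or the research team): a matcher over constructed 64-bit binary codes that returns only accept/reject and shuts the user out after MAX_FAILURES consecutive failures, beside a one-bit-flip search that can only make progress because it reads a match score. With the lockout disabled the search converges on an accepted code; with the lockout on, the fourth query is refused. The codes, threshold and lockout count are constructed assumptions, not values from any vendor or from the paper.

```python
import random
from dataclasses import dataclass

CODE_BITS = 64          # toy code length; real iris codes are far longer
MATCH_THRESHOLD = 0.25  # constructed normalized Hamming-distance threshold
MAX_FAILURES = 3        # shut out after "two or three unsuccessful queries"

def hamming_distance(a: int, b: int) -> float:
    return bin(a ^ b).count("1") / CODE_BITS  # normalized, toy binary codes

class LockedOut(Exception):
    """Raised once the matcher has shut the user out."""

@dataclass
class IrisMatcher:
    enrolled: int         # enrolled template (toy binary string)
    lockout: bool = True  # the commercial-style safeguard Ross describes
    failures: int = 0
    locked: bool = False

    def verify(self, candidate: int) -> bool:
        """Accept/reject only; counts consecutive failures and locks out."""
        if self.locked:
            raise LockedOut("matcher shut out after repeated failed queries")
        accepted = hamming_distance(candidate, self.enrolled) <= MATCH_THRESHOLD
        if accepted:
            self.failures = 0
        elif self.lockout:
            self.failures += 1
            self.locked = self.failures >= MAX_FAILURES
        return accepted

def iterative_search(matcher, start, rounds, rng):
    """Toy model of the iterative querying: flip one bit per round, keep it
    when the match score improves. Returns (accepted, queries_made)."""
    best, best_d, queries = start, hamming_distance(start, matcher.enrolled), 0
    for _ in range(rounds):
        cand = best ^ (1 << rng.randrange(CODE_BITS))
        queries += 1
        try:
            if matcher.verify(cand):
                return True, queries
        except LockedOut:
            return False, queries
        d = hamming_distance(cand, matcher.enrolled)  # the score feedback it needs
        if d < best_d:
            best, best_d = cand, d
    return False, queries

def demo(lockout: bool, seed: int = 1):
    enrolled = 0x123456789ABCDEF0  # constructed template; start half the bits away
    matcher = IrisMatcher(enrolled, lockout=lockout)
    return iterative_search(matcher, enrolled ^ 0xFFFFFFFF00000000, 2000, random.Random(seed))
```

A decision-only matcher without the leaked score would give the search nothing to climb even before the lockout triggers, which is the point of keeping scores inside the system.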
Lessons for the biometric industry
Ross stresses that any security-based system is vulnerable to attack, and it’s important to let the community know about potential weaknesses. His team is working on a report explaining the countermeasures they developed to mitigate the vulnerability addressed in their work.
“We cannot believe in security by obscurity,” says Ross. “I think these vulnerabilities have to be reported because it allows researchers to further develop algorithms that make their systems robust to future attacks.”
The team is also working to understand how a software system might look at an iris image and determine whether it’s real or synthetic and whether the image has a contact lens in it that is being used to circumvent the system.
“This certainly is not the end of iris recognition,” says Ross. “I think what it allows vendors to do is to put in safeguards and then move forward designing robust systems that can be used in real time operation.”