Slashdot Mirror
Reverse-Engineered Irises Fool Eye-Scanners
Maximum Prophet writes "If you've ever had your eyes scanned, be sure to install new ones every 90 days. Wired reports on research being released at Black Hat: 'The replica images, they say, can trick commercial iris-recognition systems into believing they’re real images and could help someone thwart identification at border crossings or gain entry to secure facilities protected by biometric systems. The work goes a step beyond previous work on iris-recognition systems. Previously, researchers have been able to create wholly synthetic iris images that had all of the characteristics of real iris images — but weren’t connected to real people. The images were able to trick iris-recognition systems into thinking they were real irises, though they couldn’t be used to impersonate a real person. But this is the first time anyone has essentially reverse-engineered iris codes to create iris images that closely match the eye images of real subjects, creating the possibility of stealing someone’s identity through their iris.'"
your iris can not. Well, not without some B grade horror movie level surgery. This is the fundamental issue with biometrics.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Someone has been watching Demolition Man a bit too much I think...
You must master your joystick like a fisherman masters bait! - Gimpy
biometrics are fine, this just illustrates why you need 2 factor security.
The advantage is her eye color changes all the way from purple to blue to brown so just think of her eyes as Enhanced Security Eyes.
-- Tigger warning: This post may contain tiggers! --
The image editor didn't even bother to use Photoshop to add the fake iris images ... looks like they used MS Paint or something.
I prefer rogues to imbeciles because they sometimes take a rest.
New technology is nice and all, but for every lock ever created there will be a lock pick for it.
The only thing is, the more expensive the lock, the more expensive the lock pick is supposed to be. That's the real measure of the effectiveness of a lock. I.e., an expensive lock that can be picked in an inexpensive manner is an ineffective lock.
"If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
If Simon Phoenix wants my iris code, hell he can just have a photocopy! Fuckhead... I'll keep both my eyes.
["Tastecicles, you are fined one credit for violation of the Verbal Morality Statute."]
Operation Guillotine is in effect.
biometrics are fine, this just illustrates why you need 2 factor security.
Exactly. Biometrics are not secrets. They uniquely identify an individual, but you still need a secret for security.
The major problem with *magic* solutions, is that leader types look at them and say "Wow, Iris Scanners, I could never fool one of those, so nobody could fool one." People have the same reaction to physical locks.
This leads to security theater. Yes, it stops stupid criminals, and yes it can be a good thing when you stop stupid criminals, but when you want to stop people flying airplanes into buildings, or stock traders from racking up $2 billion in fraudulent losses, magic dohickys aren't the solution.
All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
The perfect identification system - is there none? Can everything be faked and replicated? In the end what is the most defining characteristics of a person's identity? One can for example create a complete fake identity and mimic a body with the help of non intrusive / intrusive technology. Perhaps the uniqueness comes from the constant flux - the actual logic or pattern of the changes in the person's life and body. Proving an identity completely means that the technology would follow the person anywhere and monitor the changes. How far is it necessary to actually go? The kind of systems can be abandoned once there's enough trust to not need them at all and/or there's nothing to guard.
Ok, so current systems can be tricked with photographs, and that seem pretty silly. But future versions could record stereo images while altering the illumination of the subject's eye. Properly functioning (attached) human eyes should have irises that dilate with extreme changes to illumination. By masking the subjects eye or eyes from the surrounding environment and changing the illumination levels over time, a complex system could measure pupil dilation characteristics to evaluate if the eye before it is valid and alive. Randomly timed flashes would be hard to predict and might cause predictable blinking in most humans in addition to dilation changes. By using stereo images, the system could also verify the 3 dimensional shape of the changing iris, which would be much harder to fake with pictures.
Add an infrared camera to mesure eye temperature and faking iris with a screen gets even harder.
Retina != iris.
I prefer rogues to imbeciles because they sometimes take a rest.
I worked on early iris recognition software and we had already worked through this scenario way back then. If the scanner was worth it's salt, it would be doing what we did years ago...
1) Verify that the eye reacts to changing light conditions... Pupils should contract or dilate when required.
2) Verify that the eye isn't flat (i.e. a picture). Proper specularity orientation from changing light sources (we used infrared) to identify the curvature.
3) Glowing pupil under infrared, dark with different lighting.
I'm sure there were a number of other things we did, but it has been awhile. Bottom line is that we only used a representative frame from a video sequence for the iris coding; we used the sequence to verify that what we had was not a picture, a contact lens imprinted with an iris pattern, even a live person (not a corpse).
When I left that project, we were able to do iris recognition at a significant distance even if the subject was walking fast using high speed, high resolution video capture.
Your driver's licence uniquely identifies you whether I have it or you have it. Copying your driver's licence doesn't reduce its ability to identify you. However, merely possessing your driver's licence should not be sufficient for me to authenticate your identity. Only you should be able to do that. So biometrics are useful for identification but not authentication.
the eye scanners they had there measured iris geometry and pupil size and response. They were easily spoofed with psychoactive substances, because calibrated from a baseline measurements. If you could make the the baseline wasn't really baseline, subsequent tests would look a-ok