
Slashdot: News for Nerds

Reverse-Engineered Irises Fool Eye-Scanners

Soulskill posted about 2 years ago | from the now-you-eyes-are-slightly-safer dept.

Biotech 98

Maximum Prophet writes "If you've ever had your eyes scanned, be sure to install new ones every 90 days. Wired reports on research being released at Black Hat: 'The replica images, they say, can trick commercial iris-recognition systems into believing they’re real images and could help someone thwart identification at border crossings or gain entry to secure facilities protected by biometric systems. The work goes a step beyond previous work on iris-recognition systems. Previously, researchers have been able to create wholly synthetic iris images that had all of the characteristics of real iris images — but weren’t connected to real people. The images were able to trick iris-recognition systems into thinking they were real irises, though they couldn’t be used to impersonate a real person. But this is the first time anyone has essentially reverse-engineered iris codes to create iris images that closely match the eye images of real subjects, creating the possibility of stealing someone’s identity through their iris.'"


98 comments

First Post (0)

xQuarkDS9x (646166) | about 2 years ago | (#40767477)

Wow such potential for security.. get your eyes changed every 90 days. :P

Re:First Post (0)

Anonymous Coward | about 2 years ago | (#40767511)

Wow such potential for security.. get your eyes changed every 90 days. :P

That's why I have a password for my biometrics.

Re:First Post (1, Funny)

Jeremiah Cornelius (137) | about 2 years ago | (#40767821)

Who'd have thought they could do this? I mean the TSA has been duplicating SPHINCTERS for years, now - but irises are a Van Gough level of complexity!

Re:First Post (0)

Anonymous Coward | about 2 years ago | (#40768269)

Yeah, sphincters are more like a Picasso...

Re:First Post (0)

Anonymous Coward | about 2 years ago | (#40770041)

Van Gough. Seriously?

Re:First Post (1)

Jeremiah Cornelius (137) | about 2 years ago | (#40770353)

Dutch.

The gift that keeps on giving.

Re:First Post (0)

Anonymous Coward | about 2 years ago | (#40770101)

It's written as Van Gogh.

what if i have 3 eyes (0)

Anonymous Coward | about 2 years ago | (#40768321)

get an extra eye in your head or ten

Problem with biometrics (1)

Anonymous Coward | about 2 years ago | (#40767483)

If these types of scanners ever become common, all you would need is one untrustworthy scanning station to steal your identity (and then impersonate you at all other stations). And the problem with biometrics, of course, is that they can't be changed. Biometrics were never a good idea.

Re:Problem with biometrics (3, Insightful)

leonardluen (211265) | about 2 years ago | (#40767585)

biometrics are fine, this just illustrates why you need 2 factor security.

Re:Problem with biometrics (2)

MerceanCoconut (1145401) | about 2 years ago | (#40767811)

biometrics are fine, this just illustrates why you need 2 factor security.

Exactly. Biometrics are not secrets. They uniquely identify an individual, but you still need a secret for security.

Re:Problem with biometrics (1)

nautsch (1186995) | about 2 years ago | (#40767865)

Exactly. Biometrics are not secrets. They uniquely identify an individual, but you still need a secret for security.

And even that is not true, if they are easily copied. The parent is obviously right

Re:Problem with biometrics (1)

h4rr4r (612664) | about 2 years ago | (#40767921)

They do not uniquely identify an individual any more than having my driver's license makes you me. They, like all other forms of identification, are copyable.

Re:Problem with biometrics (1)

Jeng (926980) | about 2 years ago | (#40768019)

They do not uniquely identify an individual any more than having my driver's license makes you me. They, like all other forms of identification, are copyable.

The problem is not the copying, it is the verification that is the problem. At this time the verification process can be spoofed, that most probably will not always be the case.

Much like if I went and made a photocopy of your driver's license. The copy may fool other devices that read a license in the same way that the copy was made, but it won't fool more advanced devices. And that photocopy definitely will not fool a police officer.

Re:Problem with biometrics (2)

MerceanCoconut (1145401) | about 2 years ago | (#40768685)

Your driver's licence uniquely identifies you whether I have it or you have it. Copying your driver's licence doesn't reduce its ability to identify you. However, merely possessing your driver's licence should not be sufficient for me to authenticate your identity. Only you should be able to do that. So biometrics are useful for identification but not authentication.

Re:Problem with biometrics (0)

Anonymous Coward | about 2 years ago | (#40768395)

"...They uniquely identify an individual...."

They were SOLD as uniquely identifying an individual, but it turns out that all they do is pick a bodily feature, measure some points on it, run an algorithm against that data and CLAIM that the result is unique. It turns out that it often isn't, even before people look into how it can be spoofed...

There, that's fixed that for you....

Re:Problem with biometrics (1)

viperidaenz (2515578) | about 2 years ago | (#40771515)

No they don't. They uniquely identify part of an individual. All I need to do to impersonate you is to remove your eye, finger or any other part of you that gets scanned.
You can torture out someone's password, but the easiest way to fool an iris scanner is to pluck out some poor bastard's eye. Fingerprint scanner? Chop off their finger.

Re:Problem with biometrics (0)

Anonymous Coward | about 2 years ago | (#40788963)

Of course if this is that secure of an environment, and the extra security is needed, then there should be someone near that scanner that can also see you putting up the pulled out eye, or chopped off finger.

But... that probably means paying a security guard or cop or ex-cop or ex-military guy, and that would mean.... {gasp}... less profits.

Re:Problem with biometrics (1)

Thundaaa Struk (1375331) | about 2 years ago | (#40767615)

What if you have a wonky eye like Forest Whitaker...does that make you hack proof?

Re:Problem with biometrics (1)

cayenne8 (626475) | about 2 years ago | (#40768591)

What if you have a wonky eye like Forest Whitaker...does that make you hack proof?

Actually close...I think to be totally 'hack proof' you'd have to be Marty Feldman [wikipedia.org]

Re:Problem with biometrics (1)

Thundaaa Struk (1375331) | about 2 years ago | (#40777603)

Talk about bedroom eyes!!!

Re:Problem with biometrics (1)

Jeng (926980) | about 2 years ago | (#40767917)

If these types of scanners ever become common, all you would need is one untrustworthy scanning station to steal your identity (and then impersonate you at all other stations).

So, um, where would one of these untrustworthy scanning stations be set up?

And the problem with biometrics, of course, is that they can't be changed. Biometrics were never a good idea.

Biometrics is a very good idea, it just needs to be implemented in a way that doesn't allow one to cheat. Such as when you get your fingerprint scanned the scanner should also do a check to make sure it is actual skin instead of a silicone copy.

To securely do an iris scan though, that would not only be tough to design, it would also mean that people who wear contacts would not be able to use an iris scanner.

Re:Problem with biometrics (1)

h4rr4r (612664) | about 2 years ago | (#40767947)

They would be set up at the same place as the trustworthy stations.

Biometrics is a bad idea, no implementations can save it. The fingerprint scanner will then have to deal with better and better synthetics.

Requiring a user to slide a contact over is not a huge burden.

Re:Problem with biometrics (1)

Jeng (926980) | about 2 years ago | (#40768161)

They would be set up at the same place as the trustworthy stations.

Like airports and border crossings? Yes, I guess if it is state sponsored they could put an untrustworthy station in place there, it is just unlikely to ever happen, at that level they probably already have the information. More likely I guess is private organizations that use iris scanners, it would still need to be an inside job though.

The fingerprint scanner will then have to deal with better and better synthetics.

And so will those looking to get past the scanner. I would imagine that at some point with fingerprint scanners that they will be looking beyond the fingerprint and also start looking at the capillaries in your fingertip as well.

Re:Problem with biometrics (0)

Anonymous Coward | about 2 years ago | (#40769471)

So, um, where would one of these untrustworthy scanning stations be set up?

At your local optician. Watch out for those human clones [imdb.com] , stealing your identity, family and really thinking that they are you when you challenge them for it.

Why? (0)

Anonymous Coward | about 2 years ago | (#40767497)

Why create an iris when the movies showed you can just pull someone's eye out and hold it in front of the scanner?

Re:Why? (2)

xQuarkDS9x (646166) | about 2 years ago | (#40767563)

Someone has been watching Demolition Man a bit too much I think...

Re:Why? (1)

Samantha Wright (1324923) | about 2 years ago | (#40767853)

Doesn't really invalidate the point—I mean, what it amounts to is that iris scanners, traditionally thought of as extremely high-security items, are only really practical for low-security stuff where it wouldn't be worth the cost/risk/bloodshed/etc. to (a) kidnap someone to prototype from their eyes or (b) take what you need a la carte. You still wouldn't want to use it for a military installation.

Re:Why? (1)

green1 (322787) | about 2 years ago | (#40768399)

It seems to me that it would be easy to prevent that particular attack just by checking pupil reaction. If it doesn't react, the eye isn't attached to a living organism and shouldn't be allowed. Additionally, nothing high security should ever be single factor authentication anyway.
Biometrics done right are really good, biometrics done wrong are our worst nightmare.

Re:Why? (1)

Samantha Wright (1324923) | about 2 years ago | (#40768967)

That's a good trick—albeit one probably fairly easy to simulate with a decent e-paper display put in place, or a transparent LCD.

Re:Why? (1)

Black Parrot (19622) | about 2 years ago | (#40770051)

Why create an iris when the movies showed you can just pull someone's eye out and hold it in front of the scanner?

Yeah, Loki can leave his fancy gadget home next time.

(But I like the palm scanner scene on Red Dwarf better.)

Passwords can be changed when compromised... (4, Insightful)

Kenja (541830) | about 2 years ago | (#40767523)

your iris can not. Well, not without some B grade horror movie level surgery. This is the fundamental issue with biometrics.

Re:Passwords can be changed when compromised... (1)

WillAffleckUW (858324) | about 2 years ago | (#40767629)

Actually, you can engineer a virus to alter the DNA. We do it all the time with mice.

We also do it with adult humans with cancer, so that their cancer growths glow in the dark during surgery. Use the docking receptors on the cells.

Re:Passwords can be changed when compromised... (1)

interkin3tic (1469267) | about 2 years ago | (#40769227)

Well, even if you were willing to alter your DNA in an effort to make biometric ID systems viable (and you would be insane), and even if you engineer a retrovirus that can reliably alter a given sequence in your DNA (they tend to insert their small payload at random locations in each cell) there's still the issue of your irises and fingerprints aren't based on DNA and certainly aren't maintained by continued DNA expression.

Transgenic mice are generally made by homologous recombination in single embryonic stem cells which are then turned into whole mice through a complicated process. So you would need to grow a new human to be able to manipulate DNA like we can in mice, and that's not been done yet. I have yet to hear about DNA sequences correlating to iris patterns, though it could be that no one is particularly interested in looking at something so trivial.

So... no. We can't. You could conceivably identify DNA regions that correlate to iris pattern, clone yourself and alter the DNA of the one-cell stage, make a chimeric male and female from that, have them mate, then get a fully transgenic human which you could then steal the irises from the abomination that would result and thereby change your iris pattern, but that would require you to break a whole lot of ethics, do several Nobel-prize level research accomplishments, and wait about 20 years for the two generations of clones to mature, all for something that would be lot simpler to do with a good model or printout.

Re:Passwords can be changed when compromised... (1)

camperdave (969942) | about 2 years ago | (#40771447)

Actually, you can engineer a virus to alter the DNA.

Changing your DNA won't change your iris. It has already been built using the previous DNA. You'd have to use the new DNA and grow a whole new eye from it.

Re:Passwords can be changed when compromised... (1)

WillAffleckUW (858324) | about 2 years ago | (#40771715)

No, viral insertion works by literal infection of cells. You're confusing germ distribution, where you alter the DNA once, with viral DNA insertion at a spot, which infects a literal cell and uses the cell mechanism via a docking ligand to deliver a target viral payload which inserts itself into the cell's DNA.

We make cancer cells glow so that we can perform surgery on them. It's not the cancer cells we target per se, but all cells. The cancerous cells have certain biochemical characteristics which are used to trigger the phosphorescence tags.

Then we let the cell death cycle clear it out.

Modern medicine has changed dramatically in the past few years.

Re:Passwords can be changed when compromised... (1)

camperdave (969942) | about 2 years ago | (#40772599)

Nevertheless, changing your DNA will not change your iris, or the gross physical structure of any organ; not until the cells within the organ are replicated according to the new DNA. For example, if I replace the blue iris DNA with brown iris DNA, I will not suddenly have brown eyes. It will take months, or possibly even years for that kind of change to take place, depending on the rate at which iris cells replicate.

not quite (1)

poetmatt (793785) | about 2 years ago | (#40767729)

If I recall correctly, I do believe it has been said that even wearing contacts due to development of new veins can change your iris over time. Unless that was specific to your retina?

Re:Passwords can be changed when compromised... (0)

Anonymous Coward | about 2 years ago | (#40767733)

I contest that. Minority Report was definitely not B grade horror.

Re:Passwords can be changed when compromised... (0)

Anonymous Coward | about 2 years ago | (#40768183)

You know, it's not necessary to crucify him over getting the horror part wrong.

Re:Passwords can be changed when compromised... (1)

Maximum Prophet (716608) | about 2 years ago | (#40767997)

The clandestine services will simply send their people through with fake iris contact lenses the first time, and once for every identity needed. Then when they need to be "Joe Shablocknic" today, they just select the "Joe Shablocknic" eyes from the kit, and voilà, new identity. They'll make sure the spy's real eyes are never scanned by a 3rd party.

What this research shows is that they could send an iris printer with the spy. Then send him the codes for new eyes.

Re:Passwords can be changed when compromised... (1)

Jeng (926980) | about 2 years ago | (#40768277)

And if security pulls the person aside and asks the person to please remove their contacts and have another scan?

Re:Passwords can be changed when compromised... (1)

Maximum Prophet (716608) | about 2 years ago | (#40768921)

Well, since you ask, that's when you go to plan 'B'.

Seriously, you would test the system, first by observing how the guards work, then by sending people through who are expendable, or diplomats with get-out-of-jail black passports. If all that fails, and you get pulled aside for a random search, have a co-worker create a diversion and slip away.

Re:Passwords can be changed when compromised... (0)

Anonymous Coward | about 2 years ago | (#40768307)

your iris can not. Well, not without some B grade horror movie level surgery. This is the fundamental issue with biometrics.

B grade? B grade! Harrumph, I'll remind you, sir, that this very trick was used by Tom Cruise in Minority Rep... oh, right.

Re:Passwords can be changed when compromised... (1)

MozeeToby (1163751) | about 2 years ago | (#40768425)

Something you have and something you know is the current standard, I see no problem with adding "something you are" into the mix as a third layer.

Re:Passwords can be changed when compromised... (1)

Translation Error (1176675) | about 2 years ago | (#40768589)

Not to mention that it can make some of your body parts valuable to other people. And not in the good way.

Re:Passwords can be changed when compromised... (1)

Beryllium Sphere(tm) (193358) | about 2 years ago | (#40773995)

The photo on your driver's license is a biometric.

It doesn't have to be kept secret.

The security comes from the verification process. If you're pulled over while carrying someone else's driver's license, then holding up a picture of that person to the police officer is not going to let you impersonate that person.

The reason we're used to thinking in terms of secrecy is that it's the only way to make passwords exclusive to particular users.

I've even seen security professionals get this wrong.

Re:Passwords can be changed when compromised... (1)

mcgrew (92797) | about 2 years ago | (#40783531)

your iris can not. Well, not without some B grade horror movie level surgery.

You're calling Minority Report a B grade horror movie??

This is why my sister installed Hazel (tm) eyes (2)

WillAffleckUW (858324) | about 2 years ago | (#40767599)

The advantage is her eye color changes all the way from purple to blue to brown so just think of her eyes as Enhanced Security Eyes.

Will this be a problem for... (0)

Anonymous Coward | about 2 years ago | (#40767621)

...the folks at the Genesis Project? They seem to keep all their important files secured via retina scans. Wouldn't want that technology falling into the wrong hands.

Re:Will this be a problem for... (2)

NotBornYesterday (1093817) | about 2 years ago | (#40768303)

Retina != iris.

Where did the article's photos come from? (2)

NotBornYesterday (1093817) | about 2 years ago | (#40767645)

The image editor didn't even bother to use Photoshop to add the fake iris images ... looks like they used MS Paint or something.

Require 2 Factor Verification (1)

DCisforBoners (1880920) | about 2 years ago | (#40767653)

No single or combined biometric is secure. If you want to verify identity you must have at the least, a second factor like a password.

Re:Require 2 Factor Verification (4, Insightful)

Maximum Prophet (716608) | about 2 years ago | (#40767833)

3 factors.
  • Something you know -> i.e. Password
  • Something you are -> i.e. Fingerprint
  • Something you have -> i.e. RFID keyfob

The major problem with *magic* solutions, is that leader types look at them and say "Wow, Iris Scanners, I could never fool one of those, so nobody could fool one." People have the same reaction to physical locks.
This leads to security theater. Yes, it stops stupid criminals, and yes it can be a good thing when you stop stupid criminals, but when you want to stop people flying airplanes into buildings, or stock traders from racking up $2 billion in fraudulent losses, magic doohickeys aren't the solution.

Re:Require 2 Factor Verification (1)

shentino (1139071) | about 2 years ago | (#40768195)

Maybe we politicians don't want to stop some kinds of criminals.

Especially white collar criminals giving us part of their take in the form of bribe money.

Re:Require 2 Factor Verification (1)

Maximum Prophet (716608) | about 2 years ago | (#40768431)

Good observation. Some forms of crime are more acceptable than others.

I'm not sure I'm not on board with that. Imagine a world where there was no violent crime or real property theft. If your bank account was stolen, you get it back in 90 days.
In such a world, keep several bank accounts and several credit cards, and regular normal people are safe.

If you could live in a world where all crime was crime against large corporations, and all war was cyberware, would you? What would you give up to live there?

Re:Require 2 Factor Verification (1)

treeves (963993) | about 2 years ago | (#40768849)

Doesn't this story mean that "Something you are" is really just a second "Something you have"?

Re:Require 2 Factor Verification (1)

PPH (736903) | about 2 years ago | (#40772417)

"Something you have" is more like a key, RFID card, or other authentication device issued by some authority.

"Something you are" is not as easily detached from your person as pickpocketing a key card.

Re:Require 2 Factor Verification (0)

Anonymous Coward | about 2 years ago | (#40774271)

But something you have is a lot safer for you than something you are, when the thug with the big knife wants it.

In either case, he's going to take it, whether you are able to hand it over voluntarily or not.

Re:Require 2 Factor Verification (1)

Jade_Wayfarer (1741180) | about 2 years ago | (#40774601)

Point is, with advancement of remote scanning techniques your iris could be just as easily picked from distance as any RFID - no need for physical contact as with the physical key, for example. So, unless you are planning on wearing some advanced sunglasses all the time, your iris essentially becomes "something you have", nothing more.

Re:Require 2 Factor Verification (0)

Anonymous Coward | about 2 years ago | (#40774071)

That's a nice eye/hand/finger you have there... Would be a shame if something were to happen to it...

Re:Require 2 Factor Verification (1)

booch (4157) | about 2 years ago | (#40778841)

I believe that there's a 4th kind of factor: something you can do. For example, you might be able to pick out some of your favorite items, even though you don't remember which favorite items you registered. Or you might be able to type your password in a different rhythm than anyone else can (without a lot of practice); again, it's not something that you can memorize/remember/know, and it's not really something that you are or have. Bruce Schneier has an article on one of these kinds of authentication factors [schneier.com] .

less unique (1)

harvey the nerd (582806) | about 2 years ago | (#40767667)

This news makes me feel less unique as an American.

Lock and the lock pick. (4, Insightful)

steelfood (895457) | about 2 years ago | (#40767717)

New technology is nice and all, but for every lock ever created there will be a lock pick for it.

The only thing is, the more expensive the lock, the more expensive the lock pick is supposed to be. That's the real measure of the effectiveness of a lock. I.e., an expensive lock that can be picked in an inexpensive manner is an ineffective lock.

Re:Lock and the lock pick. (0)

Anonymous Coward | about 2 years ago | (#40767905)

The value of the lock is not the cost of the lock, but rather the value of what is being locked up.

Re:Lock and the lock pick. (0)

Anonymous Coward | about 2 years ago | (#40768299)

Idiotic. A $0.05 cardboard box with a lock drawn on it with a $1mil painting inside is not as valuable as a high-security safe with a $1mil painting inside.

Re:Lock and the lock pick. (1)

Maximum Prophet (716608) | about 2 years ago | (#40768027)

You don't have to fool the criminals to sell an expensive lock. You just have to fool management at the corporate or government level.

Re:Lock and the lock pick. (0)

Anonymous Coward | about 2 years ago | (#40768739)

Recent Story illustrating this exact point

http://hardware.slashdot.org/story/12/07/25/1326225/open-millions-of-hotel-rooms-with-arduino

Re:Lock and the lock pick. (1)

s.petry (762400) | about 2 years ago | (#40769109)

People had to know this was coming, it's painfully obvious and is obvious with all such technology. Algorithms are used to validate, and one only needs to do reverse engineering of 2 aspects. 1) Math function to match data. 2) input mechanism used to get test data.

The same thing was done with fingerprint scanners, and why we did not have a mass adoption. Jello was found to be the easiest way to lift and place fingerprints (This trick was used at a DOD site during our pilots.)

This is why most secure areas have numerous layers of security. Door 1) 2 factor Auth, Door 2) fingerprint or Iris, Door 3) a 2 factor Auth with different information than Door 1.

Re:Lock and the lock pick. (1)

Mitreya (579078) | about 2 years ago | (#40769567)

That's the real measure of the effectiveness of a lock. I.e., an expensive lock that can be picked in an inexpensive manner is an ineffective lock.

Locks can also be changed once someone steals and duplicates your key. Even the crappiest lock can be replaced.
Good luck replacing your iris once a copy is out in the wild.

Re:Lock and the lock pick. (0)

Anonymous Coward | about 2 years ago | (#40784621)

Similar to American gun control laws (typed with a hint of sarcasm).
Laws taking guns away from the masses will leave only the criminals armed resulting in a 99% reduction of innocent life loss. Unfortunately there will still be death but a lot less due to the lack of easy access.

Ob. Demolition Man reference (4, Funny)

Tastecicles (1153671) | about 2 years ago | (#40767743)

If Simon Phoenix wants my iris code, hell he can just have a photocopy! Fuckhead... I'll keep both my eyes.

["Tastecicles, you are fined one credit for violation of the Verbal Morality Statute."]

Does anyone remember the 3-factor security? (0)

Anonymous Coward | about 2 years ago | (#40767765)

Something you have, something you know, something you are.
A (physical) key, a password, and a retina-/iris-/finger-print. That way they have to keep you alive until the door is open

Re:Does anyone remember the 3-factor security? (1)

nautsch (1186995) | about 2 years ago | (#40767913)

Please read the story! This is exactly what this is about. They can copy your iris (what you are), steal your key and hurt you to give them the password. After that there is no need to keep you alive.

Re:Does anyone remember the 3-factor security? (1)

green1 (322787) | about 2 years ago | (#40768941)

And this is exactly why duress codes exist. If you can give them a "something you know" that gets help dispatched quickly, without tipping off the bad guys, you're in a lot better position. (And they don't dare kill you until they've verified that the information they extracted from you is accurate.)
Also improvements to the technology authenticating the "something you are" to make copying impossible is a good thing because it forces them to take you to the authentication device, giving you some measure of temporary safety.
Preventing people from using a detached eyeball is easy in several different ways. First of all you can check pupil response or similar to make sure the eye behaves as if it's alive. Secondly (and most importantly) you can put the checking device in a supervised place where someone walking up to it with a detached eyeball might attract some attention. This also helps when dealing with coercion/kidnapping issues, and makes even simple attacks like showing a picture to the scanner much more difficult as you now have to have that picture attached to your retina to make it work.
Biometrics done right are wonderful, biometrics done wrong are our worst nightmare.

Re:Does anyone remember the 3-factor security? (0)

Anonymous Coward | about 2 years ago | (#40774415)

Once they have detached your eyeball, you probably won't care about whether or not the device is able to detect the situation.

In fact, once you see the scalpel up close, I'm sure you'll be thinking that you should have gone for the easy to give up RFID device, rather than the iris scanner.

Re:Does anyone remember the 3-factor security? (1)

green1 (322787) | about 2 years ago | (#40778099)

The point isn't to stop them before detaching your eyeball, it's to make it pointless for them to bother. If they know that a detached eyeball won't work, why would they detach it? Someone could come cut my eyeball out right now, but the lack of any authentication system making use of it means there is no reason to do so. Similarly, if all authentication devices require a LIVE eyeball, criminals will have no use for a detached one.
There is no police force, alarm system, or other security force in existence that makes crime impossible. They all just seek to make crime more difficult, or to stop criminals after the fact. The thing is, criminals know this, and the mere existence of these systems prevents large amounts of crime.

Re:Does anyone remember the 3-factor security? (1)

ZeroSumHappiness (1710320) | about 2 years ago | (#40768477)

Unfortunately, all three of those are really just "something you know."

If I have a 5-pin tumbler key and each pin has a depth setting of 0-5 then I really just need to know a 5-digit, hex (not hexadecimal) number and I can recreate the key. If I have a reading of a fingerprint all I need to do is experiment with fingerprint printing or fingerprint re-forming technology until I get a copy that can pass for the original.

Even an RSA keyfob, technically, can be copied if I can rip it apart in a manner that lets me read the secret encoded within it. There's no such thing as "something you are" or "something you have" when you're translating it to "something you know" anyway.

Re:Does anyone remember the 3-factor security? (1)

bpkiwi (1190575) | about 2 years ago | (#40768785)

Two of those three factors - the "something you have" and the "something you know" can be changed. You can be issued a new security card, and you can change your password. The third factor - "something you are" can not be changed. This makes it a lot weaker than the other two factors because if at any time in your history it has been stolen, then it is no longer secure and useful - ever again.

What do you do when your security system requires all three factors, but you already know the "something you are" has been compromised? Let's say it's a staff member with high level security clearance who you know has had their biometrics copied. Do you fire them because they can no longer meet the three factor requirements? Or do you just allow them to continue on with two factor? And if the latter, then why did you have the third to begin with?

"Just eyes" (1)

The Mister Purple (2525152) | about 2 years ago | (#40767805)

Somehow, I'm picturing the eye builder from Bladerunner when I think about reverse-engineered irises.

All your iris (1)

seanzig (834642) | about 2 years ago | (#40767813)

All your iris are belong to us

Biometric identity was never going to work (0)

Anonymous Coward | about 2 years ago | (#40767869)

There was only a brief window between the time it became possible and the time it became insecure. Fingerprint sensors have been foolable for years; now iris scanners are broken. Realtime DNA scanners aren't even practical yet, but they won't be feasible and secure for long once they become available, either.

Pattern of uniqueness (2)

jovius (974690) | about 2 years ago | (#40767887)

The perfect identification system - is there none? Can everything be faked and replicated? In the end what are the most defining characteristics of a person's identity? One can for example create a complete fake identity and mimic a body with the help of non-intrusive / intrusive technology. Perhaps the uniqueness comes from the constant flux - the actual logic or pattern of the changes in the person's life and body. Proving an identity completely means that the technology would follow the person anywhere and monitor the changes. How far is it necessary to actually go? The kind of systems can be abandoned once there's enough trust to not need them at all and/or there's nothing to guard.

Re:Pattern of uniqueness (0)

Anonymous Coward | about 2 years ago | (#40769759)

I'm not sure, but I have a suspicion that any kind of biometric security can be bypassed.
I think that once you are able to "measure" some biometric quality like irises, fingerprints, brain patterns, you will also be able to copy these same things and use the result to fool the system.

Well... (1)

Ryanrule (1657199) | about 2 years ago | (#40767945)

...shit.

Pupil dilation (2)

ian_po (234542) | about 2 years ago | (#40768059)

Ok, so current systems can be tricked with photographs, and that seems pretty silly. But future versions could record stereo images while altering the illumination of the subject's eye. Properly functioning (attached) human eyes should have irises that dilate with extreme changes to illumination. By masking the subject's eye or eyes from the surrounding environment and changing the illumination levels over time, a complex system could measure pupil dilation characteristics to evaluate if the eye before it is valid and alive. Randomly timed flashes would be hard to predict and might cause predictable blinking in most humans in addition to dilation changes. By using stereo images, the system could also verify the 3-dimensional shape of the changing iris, which would be much harder to fake with pictures.

Add an infrared camera to measure eye temperature and faking iris with a screen gets even harder.

Re:Pupil dilation (1)

Maximum Prophet (716608) | about 2 years ago | (#40768267)

Yes, these can be improved, but they are trying to be simple, fast, and cheap. When you have 200 people standing in line waiting to get on an airplane, Voight-Kampf'ing everyone is a non-starter.
Simply going to retinal scans makes fooling the system much harder, but retinal scanning is slower than iris scanning.

Re:Pupil dilation (2)

The Mister Purple (2525152) | about 2 years ago | (#40768337)

When you have 200 people standing in line waiting to get on an airplane, Voight-Kampf'ing everyone is a non-starter.

And al-Qaeda doesn't even accept replicants as members...

Bad Title/Comments (0)

Anonymous Coward | about 2 years ago | (#40768073)

"be sure to install new ones every 90 days" The premise of the post is stupid, the article is fine. The problem is not systemic - it is implementation specific. Claiming that iris scanning is a failed technique is like saying that a 1000 character random password is insecure because it was stored in plain-text or scrambled in a less than keen way. Obviously the problem here is the hashing system being used. If you improve the hashing system then irises are still FAR better passwords because they contain FAR more information. Just like any other password you shouldn't, I don't know, enter it at a site that you don't think will be secure e.g. Joe Schmoe down the street has an iris scanner for his house, "let's scan your eye"! (this is equivalent to a keylogger). The article isn't debunking iris scanners, it's debunking an idiotic claim by a company that their method is good.

So some researchers found a vulnerability... (1)

drdread (770953) | about 2 years ago | (#40768517)

That neeeeeever happens in today's world of OS security, now does it? And what happens when researchers find a vulnerability in a computer system? It usually gets patched pretty quickly.

This one will not take long to patch. In the "can you tell which is which?" pictures, I picked the synthetic iris with 100% accuracy, in less than 3 seconds of inspection. Yes, I work actively in the biometrics field...but guess what? So do the folks who build these systems. I will hazard a guess that Neurotech (and L-1, and IrsID, and Fujitsu, and...) has a patch out to defeat this in less than a month.

Then another group of researchers will discover another vulnerability, and the game will continue.

FWIW, liveness checks are part of lots of biometric systems, especially fingerprint systems. My prediction is that we will see liveness check technology appear in iris systems pretty quick now.

Re:So some researchers found a vulnerability... (1)

Bucky24 (1943328) | about 2 years ago | (#40769379)

Well the problem happens when the researchers that find the vulnerability are working for people who would rather exploit a vulnerability than patch it. Of course you're right in saying that no system is without its flaws (at least I think that's what you're saying).

Seems like a bad implementation to me (2)

ggendel (1061214) | about 2 years ago | (#40768579)

I worked on early iris recognition software and we had already worked through this scenario way back then. If the scanner was worth its salt, it would be doing what we did years ago...

1) Verify that the eye reacts to changing light conditions... Pupils should contract or dilate when required.
2) Verify that the eye isn't flat (i.e. a picture). Proper specularity orientation from changing light sources (we used infrared) to identify the curvature.
3) Glowing pupil under infrared, dark with different lighting.

I'm sure there were a number of other things we did, but it has been a while. Bottom line is that we only used a representative frame from a video sequence for the iris coding; we used the sequence to verify that what we had was not a picture, a contact lens imprinted with an iris pattern, even a live person (not a corpse).

When I left that project, we were able to do iris recognition at a significant distance even if the subject was walking fast using high speed, high resolution video capture.
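The randomly timed flash and pupil-response check that ian_po and ggendel describe in this thread, as an added example (not code from any commenter or vendor). The thresholds, function names and the constructed pupil traces are assumptions chosen for illustration.

```python
import random

# Illustrative thresholds, assumed for this sketch (not from any vendor).
MIN_LATENCY_MS = 150     # earliest point a real constriction can show
MAX_LATENCY_MS = 1500    # constriction must be visible by then
MIN_CONSTRICTION = 0.10  # required relative drop in pupil diameter

def schedule_flashes(rng, count, start_ms=1000, min_gap_ms=2500, jitter_ms=2000):
    """Pick unpredictable flash times so a recorded response cannot line up."""
    times, t = [], start_ms
    for _ in range(count):
        t += min_gap_ms + rng.randrange(jitter_ms)
        times.append(t)
    return times

def responds_to_flash(samples, flash_ms):
    """samples: time-sorted list of (t_ms, pupil_diameter_mm)."""
    before = [d for t, d in samples if flash_ms - 500 <= t < flash_ms]
    after = [d for t, d in samples
             if flash_ms + MIN_LATENCY_MS <= t <= flash_ms + MAX_LATENCY_MS]
    if not before or not after:
        return False  # missing frames fail closed
    baseline = sum(before) / len(before)
    return baseline > 0 and (baseline - min(after)) / baseline >= MIN_CONSTRICTION

def is_live(samples, flash_times):
    """Every flash must be answered; an empty challenge never passes."""
    return bool(flash_times) and all(
        responds_to_flash(samples, f) for f in flash_times)

def simulate(response_times, duration_ms, step_ms=50):
    """Constructed trace: 5.0 mm pupil, 3.5 mm for 250-1500 ms after each time."""
    return [(t, 3.5 if any(250 <= t - r < 1500 for r in response_times) else 5.0)
            for t in range(0, duration_ms, step_ms)]

if __name__ == "__main__":
    flashes = schedule_flashes(random.SystemRandom(), 3)
    end = flashes[-1] + 2000
    print("live eye :", is_live(simulate(flashes, end), flashes))
    print("photo    :", is_live(simulate([], end), flashes))
    # Replay of a response recorded against an older, different schedule.
    print("replay   :", is_live(simulate([3000, 7000, 10500], end), flashes))
```

A static image never constricts, and a recording only passes if its responses happen to align with every freshly drawn flash time, which is why the schedule comes from an unpredictable source.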

Re:Seems like a bad implementation to me (1)

manu0601 (2221348) | about 2 years ago | (#40772691)

Please mod parent up, it is insightful.

Simple fix (1)

wirehead_rick (308391) | about 2 years ago | (#40770357)

All biometrics can be fooled if the biometric sensor system alone is all you are using for the security.

Biometrics only uniquely identifies a person. You still need another person (security guard, for example) or technology (detect a live human being and/or a real eye) to verify it is a person that provides the biometric input. This is to prove an actual person is there.

Until someone switches eyes out (improbable) or finds a way to implant the iris image of another individual's eye within their own eye (improbable) a security person can verify an eye is actually being scanned by the biometric scanner. Add an independent security feature (ID, password, etc.) and it's a pretty darn good security system.

I wear my sun glasses at night (0)

Anonymous Coward | about 2 years ago | (#40770407)

so I can
so I can
keep my identity safe

Biometrics must be monitored (0)

Anonymous Coward | about 2 years ago | (#40770413)

When biometrics are used, there should always be someone there to monitor the person, i.e. a guard.

Old joke (0)

Anonymous Coward | about 2 years ago | (#40770823)

Your data has been compromised. We have sent you a new finger. Failure to attach immediately releases us from any legal obligations.
Have a nice day.

used these machines in probation (2)

jsh1972 (1095519) | about 2 years ago | (#40773623)

The eye scanners they had there measured iris geometry and pupil size and response. They were easily spoofed with psychoactive substances, because they were calibrated from baseline measurements. If you could make sure the baseline wasn't really baseline, subsequent tests would look a-ok