A team of researchers at the Universidad Autonoma de Madrid (UAM), Spain, is claiming to have developed a way to bypass iris-scanning security devices using synthetic irises derived from data, according to Wired. For security purposes, iris-scanning machines don't keep actual images of a verified person's eye. Instead, they use nearly 5,000 points of data on the unique aspects of a person's iris to check against later. Using this data in conjunction with biometric sample data from West Virginia University (WVU), the UAM researchers were able to generate a synthetic iris so close to the original that it fooled Neurotechnology's VeriEye security system 80 percent of the time.
The team's software uses a genetic algorithm to make 100-200 iterative changes to WVU's iris templates, adding more user-specific data with each pass, then gauging the results using a comparative similarity index. Javier Galbally, one of the researchers at UAM, told Wired that the process needs only 5-10 minutes to create a sufficiently accurate iris.
While an exploit with this kind of speed and efficacy is bad news for both security system vendors and their big-name clients, UAM's entire process hinges on access to the aforementioned 5,000-point database. BI2 Technologies is one such vendor, and its website explains that this biometric data is "encrypted using strong cryptographic algorithms," indicating that a serious data breach would have to happen to make UAM's exploit a possibility in a real-world setting. However, the site goes on to say that "standing alone, biometric templates cannot be reconstructed, decrypted, reverse-engineered, or otherwise manipulated to reveal a person's identity." Galbally presented his team's work at yesterday's Black Hat security conference, proving this assumption to be decidedly false.