In Origins, a movie released last year, appears a worldwide biometric signature file different to the fingerprint’s one; an iris readings record. Although this disturbing reality is still unthinkable, there have been many steps in incorporating eye scanners as a method of personal identification.
This technology is already being used in some companies to control their employees’ entrance and exit, as well as in corporations with strict security measures. But, its daily use is getting closer. Mobile phones manufacturers like Samsung, Nokia and Fujitsu have announced that their upcoming models will have an iris scanner among its features.
Maybe in the future it would be enough to peer at the screen to unlock your mobile phone or access some of its features. If so, you’d better check the pictures you upload on the Internet. Jan Krissler, expert in computer security for Telekom Innovation Laboratories, proved that some of these biometric systems can be evaded simply using snapshots taken from Google Images.
Krissler had previously exposed the vulnerabilities of fingerprint readers. In December he copied none other than the German’s defense minister, Ursula Von der Leyen
On that occasion he used the Verifinger recognition program to read Von der Leyen’s fingerprint, that he had photographed himself in a public event. Then he printed the result on a transparent surface, applied latex and there it was a fingerprint clone! However, he wasn’t been able to do further verification or testing.
This time, Krissler claimed he can do something similar with eye scanners without using his own camera. As we mentioned, you just need to search with certain premises in Google Images. The first one is that the target’s eyes must have enough brightness, as the researcher used a system based on infrared light, Panasonic’s Authenticam BM-ET200 which is one of the most extended technologies.
You also need a high quality image; size and clarity are important, to a certain point. In his tests he succeeded to use iris with diameters that did not exceed 75 pixels. It’s easier to deceive an eye scanner than a fingerprint reader, you don’t even have to make a clone, just print the picture and show it to the device, and it will mix it up with the real one.
Surely we all have a picture with these qualities, but it will never surpass the amount there is of any famous person, including politicians. Just type Barack Obama or François Hollande on Google and thousands of snapshots will emerge, of all sizes and shapes.
Krissler searched the faces of Vladimir Putin, Hillary Clinton, and David Cameron among others, before choosing Angela’s Merkel to carry out his verification. He chose an iris with a 175 diameter of the German Chancellor which Panasonic’s scanner recognize without a problem.
However, in an actual attack, the process wouldn’t end here, and the remaining steps are complicated. Accessing the biometric readers which Merkel or other politicians would use is not as simple as getting their picture.
Furthermore, although Fujitsu’s technology is also based on infrared light there are other methods, and there is the possibility to apply protection filters to the pictures. Despite these obstacles and reservations, Krissler wants his findings to be a warning to manufactures so they implement safety measures to future developments and to future users so they watch what they post, never better said!
Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions. Initially focused on the development of antivirus software, the company has since expanded its line of business to advanced cyber-security services with technology for preventing cyber-crime.
