The healthcare Internet of Things: Promise and Risks

Exposed Devices and Supply Chain Attacks: Overlooked Risks in Healthcare Networks (Trend Micro)

“We discovered exposed medical systems — including those that store medical-related images, healthcare software interfaces, and even misconfigured hospital networks — which should not be viewable publicly. While a device or system being exposed does not necessarily mean that it is vulnerable, exposed devices and systems can potentially be used by cybercriminals and other threat actors to penetrate into organizations, steal data, run botnets, install ransomware, and so on. Furthermore, it shows that a massive amount of sensitive information is publicly available when they shouldn’t be.”

The article linked above and the companion Trend Micro blog post, along with the entire 61 page pdf report (available here) do a really good job of covering the range of threats confronting healthcare networks today.

The internet of things (IoT) offers so much of benefit — remote monitoring, diagnosis, collaboration, home healthcare, devices, etc. — to healthcare providers and patients that it is inconceivable that it will be abandoned. There are, however, significant privacy and health outcome risks associated with putting practically every software application, sensor, device and record within reach of the internet.

How large healthcare providers harness the IoT for better care delivery while minimizing the associated risks will go a long way toward sorting out the winners and losers in the business of healthcare.

Cyber security, identity assurance, and training are of critical importance if the promise of the healthcare IoT is to be kept for healthcare providers and patients alike.

US: Office of Personnel Management raises assessment of biometric hack to 5.6 million individuals

OPM: Stolen biometric data list grows by 4.5 million (Fedscoop)

The Office of Personnel Management underestimated the number of people who had their biometric data stolen in this year’s high-profile hack, with an additional 4.5 million people being affected.

In a Wednesday press release, an OPM spokesman said the subset of individuals whose fingerprints have been stolen has increased from approximately 1.1 million to 5.6 million. That number, according to the agency, comes after OPM and the Defense Department identified archived records containing additional fingerprint data that were not previously analyzed.

Assessing the damage related to fingerprints in hacked government database

How Much Damage Can OPM Hackers Do With a Million Fingerprints? (Nextgov)

Though the idea of hacked fingerprints conjures up troubling scenarios gleaned from Hollywood’s panoply of espionage capers, not much is currently known about those that OPM said were swiped in the data breach, which began last year and has been privately linked by officials to China. In fact, the agency said it didn’t even know yet specifically which personnel have had their prints compromised.

The linked article is really good in that it devotes a great deal of analysis to the unknowns, and there are many.

While a collection of images of the fingerprints of US government employees — if that is an accurate description of what was taken — certainly has its uses, not all potential uses are equal or equally likely.

In terms of identity fraud, the 1.1 million government employees who had their fingerprints stolen may not be a whole lot worse off than the 20 million or so other government employees who had their personal information stolen minus the fingerprints, though that is cold comfort indeed to the victims. If the individuals whose information was stolen are given the precise details of the personal information that is now “out there” they will be able to make informed decisions about how they wish to manage their affairs going forward. That includes how they might interact with biometric ID management technologies in the future both in and outside of government applications.

The intelligence value of the fingerprints of government employees is a different story. With time, money, and pictures of a million fingerprints, it is possible to build a fingerprint watch-list. Probably, not all of the pictures of fingerprints will be of a high enough quality to be enrolled in an automated system today but more time and more money could help. From there, the new watch-list could be accessed by a new or existing biometric ID technology deployment such as a checkpoint serving whatever purposes its owner has for it.

There is probably a lot the government still doesn’t know about what was stolen, and even more that hasn’t been shared with the public and more importantly with the individuals whose information has been compromised. It will also take some time for the stolen information to be put to use. The Office of Personnel Management has a lot of work ahead of it.

Older Android versions had more vulnerabilities

Is Samsung’s Galaxy S5 ‘leaking’ YOUR fingerprints? Flaw means hackers can intercept and steal biometric data (Daily Mail); Forbes piece, here.

The pair told Thomas Fox-Brewster from Forbes that the flaw lies in older versions of the Android operating system, up to and including Android 4.4.

Subsequently, anyone running Android 5.0 or above is not at risk and the security experts are advising people on older models to update as soon as possible.

The semi-technical press seizes upon biometrics as a proxy for personal data. This is old news, but here’s a great example.

A close reading of the article reveals that earlier releases of Google’s version of the Android mobile OS weren’t as secure as they are now. This will come as news to few. The article points out that, “Once inside they can monitor all data sent to and from the phone, as well as data recorded by the handset’s built-in sensors, including the fingerprint scanner.”

Get it? Exploiting the security flaw means that the whole device is compromised: Email apps, microphone, location information, and possibly even the contents of phone calls themselves, but according to the author and editor(s), the news value is in the possibility of capturing a fingerprint image. Of course, it’s their outfit; it’s their call.

For readers here, instead of “OMG fingerprints[!],” I’d emphasize that:

Not all mobile operating systems are created equal.
Different mobile applications offer a different mix of privacy costs and benefits.
Installing OS updates and patches is very important.
If the OS is compromised, the applications it runs are vulnerable.

Left out of the information readily available online about this hack is how the people at FireEye got their malware onto the hardware in the first place. Past “hacks” of biometric systems have been executed on a playing field that is far more favorable than the real world to the hackers, where all the other layers of the security regime are stripped away from the one security link they want to test. Here’s a particularly striking example. If FireEye rooted the phone, side-loaded their malware onto the device, and went from there, this isn’t a hack in any real sense — it’s a malware test.

That hypothetical scenario would mimic a real world example where a user lost their phone and bad guys got it, loaded software on it and then returned the mobile device to the user who continued as if nothing had happened. In the security world, if you lose control of the hardware, all bets are off for anything that isn’t encrypted (with a strong key).

So, without more information, it’s hard to say how big a deal this is, or in many (most?) cases, was. In the bigger picture, this is a Google Android OS story. The subtext is that users who care about mobile device security should be thoughtful about what device/OS/app combinations they adopt, keep their device’s software up to date, and be careful about malware.

As automated and convenient security including biometrics becomes better and more common, the highway robbers of the 21st Century are increasingly forced to turn to social engineering techniques rather than frontal assaults on security technology.

See: The Con is Mightier than the Hack

Database hacks stoke demand for customer-facing biometrics

As hacking grows, biometric security gains momentum (Bizcommunity)

With hackers seemingly running rampant online and millions of users compromised, efforts for stronger online identity protection – mainly using biometrics – are gaining momentum…

It’s true. The recent hacks have focused attention on biometrics. The spotlight, however, has fallen on consumer-level biometric applications. That’s fine by us, but the recent high profile hacks haven’t been perpetrated by hackers using customer credentials to gain access to systems. That kind of hack is hugely inconvenient for individual users, but it doesn’t make the news.

Most of the big, news-making hacks involve taking huge repositories of data that can be sold wholesale to organized criminals who sell the information on to the retail crooks who perpetrate their fraud using the individual accounts.

We have argued for years that the first, best place to apply biometrics to the problem of large-scale data theft is at the database level.

From an organizational point of view, for many, many service providers, allowing customers and users to protect their individual accounts with passwords exposes the organization as a whole to minimal risk. Some relatively predictable number of users who use passwords will choose poor passwords, some will become victims of phishing scams. If the costs of sorting these cases out are less than the costs associated with burdening all users with more onerous security protocols, then the password is the appropriate solution. But at some point, all databases of user/customer information should be protected with biometric access control methods because, while having occasional users pick weak passwords or get tricked into giving them away is one thing, hackers making off with the entire database of user/password information is something else altogether. Requiring biometric verification of all human database Administrator logins would go a long way to lowering the biggest risk of passwords: their wholesale theft. In many ways the Admin level is the perfect point to introduce these more rigorous security protocols. There aren’t (or shouldn’t be) too many Admins, so the inconvenience falls on as few individuals as possible. Admins are tech savvy, so they should be able to adapt to the new security environment quickly. They should have an understanding of why the extra step is worth the effort. It’s their responsibility to keep the keys of the kingdom. Perhaps most compelling, they’re the ones on the hot seat when the CEO is out apologizing to all and sundry following a data breach.

Granted, after a hack, having biometrics there to protect individual accounts should change the retail fraudster’s Return on Investment (ROI) calculations. With biometrics it should be harder for him to turn the user information into money. Still the Benjamin Franklin axiom that “an ounce of prevention is worth a pound of cure” would seem to carry the day here.

“Get me some biometrics, stat!”

How biometrics could improve health security (Fortune)

For the last two years, the health industry suffered the highest number of hackings of any sector. Last year, it accounted for 43% of all data breaches, according to the Identity Theft Resource Center. To help prevent these costly issues, medical companies have begun adopting an array of biometrics security systems that use data from a patient’s fingerprint, iris, veins, or face.

There really isn’t an identity management challenge that health care doesn’t have.

Being realistic about passwords

Ping Identity engineer: On second thought, passwords may be okay (FierceEnterpriseCommunications)

In the first part of a new discussion with Paul Madsen, a senior technical architect in Ping’s office of the CTO, I first asked whether Ping truly did intend to resurrect the password as a viable mechanism by way of supporting FIDO 1.0.

Paul Madsen, Senior Technical Architect, Ping Identity: It’s less a resurrection than just trying to be a little bit realistic about what FIDO does, and what it can do. Half of the FIDO specification set–U2F, specifically–pretty much assumes that there are still passwords in the mix. FIDO, arguably more so than killing off passwords, just mitigates some of their worst problems, particularly the risk of bulk compromise of the password database, as we see more and more.

Two things jump right out of this article. The first is the realistic treatment of the fact that passwords aren’t going the way of the dodo any time soon. The second is that passwords that control access to databases of passwords are very different than passwords that control access to an individual account.

The big scores are database hacks.

See also:
FIDO is not the end of passwords (and that’s OK) at the Ping Identity blog. It’s well worth it.

Protecting customer data

After Massive Data Breaches, Businesses Move to Make ID More Personal (ABC News)

The cost of a data breach is terrifyingly high. Home Depot estimates that the massive data breach that affected 56 million customers this summer will cost the company several hundred million dollars—and that’s the figure they are using to assuage fears on the Street. The reality is probably much higher. Target’s breach may top out at the $1 billion mark. While the jury hasn’t even been empanelled as to what the JPMorgan breach will cost, it will leave a mark that will no doubt make news down the line.

With so much to lose, the implementation of biometrics-based consumer authentication may be the cheaper option for companies that handle the kinds of information hackers find so irresistible.

We’ve been saying it for years. All databases containing sensitive customer information should be biometrically protected. It’s just good business.

More iTouch hack push-back

Why I Hacked Apple’s TouchID, And Still Think It Is Awesome. (Lookout)

Despite being hacked, TouchID is an exciting step forwards for smartphone security and I stand by our earlier blog on fingerprint security. Hacking TouchID gave me respect for its design and some ideas about how we can make it strong moving forward. I hope that Apple will keep in touch with the security industry as TouchID faces its inevitable growing pains. There is plenty of room for improvement, and an exciting road ahead of us if we do this right.

Read the whole thing. It’s good.

Our post on the CCC hack is here.

UPDATE:
Touch ID was hacked, but no one cares (ITWeb)

More context for fake fingers

Here’s what you need to know about the Apple TouchID “hack” (GigaOM)

So for most people this won’t be a problem. And indeed, if you’re the type who forgoes passcodes because they slow you down, it’s better to use TouchID than to use no security at all. Also, it’s not like we’re talking about someone hacking into the phone’s secure A7 chip.

But do remember that, compared with passcodes, the inclusion of biometric access can in certain circumstances make it just that little bit easier for someone to get into your phone. And if that phone carries secrets that others really want to steal, you may want to bear this new risk in mind.

Chaos Computer Club’s re-run of the old rubber finger trick

Apple’s stated purpose for installing a fingerprint reader on its new iPhone is to give people who aren’t currently protecting their mobile hardware at all a more convenient way than passwords to do so.

Great, right? The number of mobile devices left unprotected will go down, sparing some non-trivial number of individuals the heartache of having their devices accessed in a way they didn’t authorize. Hooray Apple!

Not so fast!
The Chaos Computer Club thinks that’s a really “stupid” way to look at things. They think that because it was so “easy” for them to create a rubber finger (likely with the full participation of the user) in a matter of (at least) hours, that only a moron would use the technology.

 Chaos Computer Club breaks Apple TouchID.

The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple’s TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided.

“We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token”, said Frank Rieger, spokesperson of the CCC. “The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.” Fingerprint biometrics in passports has been introduced in many countries despite the fact that by this global roll-out no security gain can be shown. [ed. bold emphasis added]

While both of the parts above in bold type are false, they are false in different ways. The first part, “using easy everyday means” is only a fib. The process described is “easy and everyday” kind of like manufacturing dentures is easy and everyday. Sure, it happens every day, but it isn’t like making brownies.

The second bolded part is indistinguishable from the ranting of a conspiracy theorist.

There’s something vaguely embarrassing about people who claim to know a lot about technology, but who display no understanding of its use or appreciation for its context. When they also presume to tell everyone else what to do, it begs a response.

The CCC shows either a total ignorance of the purposes of security technologies or a belief that the world is a one-size-fits-all security market. Either way, they come off as contemptuous of ordinary people who might want a more convenient way to increase their own security and the people working to give it to them.

It’s one thing to point out how new technologies are fallible. All technologies are and it is important that consumers understand how that is the case. It’s another thing to try to scare people away from adopting security techniques that will leave them safer than they are now and are convenient to use.

Apple’s implicit point is that when it comes to protecting access to the device, fingerprint access is better compared to doing nothing, which is the option many people currently choose. It’s not a question of perfect security, it’s a question of security that is convenient enough that it actually gets adopted.

Other posts where the question “…compared to what?” arises:
The old Gummi Bear trick
Visa to drop signatures on credit card purchases by 2013
Unisys Poll: 63% of credit card users would prefer fingerprint
German gov downplays biometric ID card hack

UPDATE:
Marco Tabini at Macworld seems to agree. Apple’s Touch ID may not be bulletproof, but it’s still useful.

Brazilian ghost doctors have rubber fingers

Note: all links in this post go to Portuguese language sources. Translations are a collaboration between Google and me.

My brother in São Paulo tipped me off to a rubber finger scandal in the Greater S.P. health service.

Doctor busted in SP for falsifying colleagues’ fingerprints with silicone (Folha de S. Paulo – Portuguese)

A doctor was arrested red-handed on Sunday, March 10 for using silicone fingers to fake the fingerprints used to mark the attendance of colleagues. She and the other doctors are employees of Samu Service (Emergency Medical Care) for Ferraz de Vasconcelos, in Greater São Paulo.

According to police, Thauane Nunes Ferreira, 28, registered the attendance of 11 doctors and 20 nurses. She told police she practiced the irregularity because she was coerced by her boss. 

Greater SP Doctors suspected of faking attendance are removed (Folha de S. Paulo – Portuguese)

Six Samu Service (Emergency Medical Care) doctors in Ferraz de Vasconcelos, Greater São Paulo, paid R$ 4,800 [ed. $2,450 US] to the coordinator of the service in the city, Jorge Luiz Cury, in order to avoid working four 24-hour shifts per month for which they were paid, City Hall says. Police are investigating the case. The city pulled the servers allegedly involved in the fraud.

The day before yesterday [ed. see above], when the scheme was discovered, doctor Thauane Nunes Ferreira, 28, was arrested in the act of using mock fingers with silicone fingerprints to mark the attendance of six colleagues.

Where they have been adopted, biometrics have made ghostbusting easier. In this case, with time-and-attendance biometrics deployed someone had to create and use 31 rubber fingers (pictured at both links above). That draws attention. Without biometrics, scaling up the time-and-attendance fraud while decreasing the risk of detection would have been much easier. If this allegedly corrupt boss was willing to go up to at least 31 rubber fingers, how many paper employees would he have tried?

According to Wikipedia, Ferraz de Vasconcelos, where the fraud took place, is second-poorest of Greater São Paulo’s 39 municipalities. Congratulations to all involved for stopping this instance of the corrupt stealing resources meant to provide health care to people far less fortunate than the doctors and administrators involved.

UPDATE:
[Via] Drudge and the BBC are now on the story. If you didn’t want to wade through the Portuguese pieces linked above, you may be interested in these.

UPDATE II:
Upon closer examination of the photos of the fake fingers used, another thought comes to mind. It certainly appears as though the fake fingers were created with the participation of their owners, making them evidence for the prosecution that they were complicit in the fraud. As it is, the fake fingers used in the fraud come from a variety of live finger models. In the two examples pictured below, the one on the left appears to belong to a male and the one on the right appears to belong to a female. If the counterfeiter wasn’t working from live models, there would be no reason to add a fingernail to the back of the fake finger.

Image edited from original photo at Folha de S. Paulo

Had the doctors’ prints been somehow lifted via subterfuge and placed onto a silicone finger without their knowledge, we might expect all of the fake fingers to look very similar as the finger counterfeiter might have used his own finger as a model and simply placed the doctors’ prints on it. Alternatively, as with The Old Gummi Bear Trick, the item bearing the fingerprints needn’t look much like a finger at all.

Without biometrics (and with a more careful set of individuals), it might have been very difficult to prove that the doctors involved weren’t just victims of identity theft by a corrupt official. With the evidence on hand (!) it should be a simple matter to determine if the fake fingers match those of the ghost doctors.

A larger question is whether this story argues for or against the adoption of biometric systems for time-and-attendance. Nobody should claim that biometrics or any other security or ID management measure is perfect and infallible. Nothing is infallible. In this case, however, it appears that having a biometric rather than a paper-based time-and-attendance system increased the costs and complexity of committing the fraud. It made executing its daily function (clocking in) more difficult to do without being noticed. And (at least in this case) it forced those complicit in the scheme to create pretty significant evidence of their involvement.

As a manager or law enforcement official, which case would you rather prosecute: one with rubber fingers or one with only a paper trail?

Note: This post has undergone a few revisions for the purposes of updating the post, correcting typographical or grammatical errors and to add clarity.

Social media critique with a bleg for some biometrics already

The recent Burger King and Jeep twitter account hacks inspired Charlie Wollborg’s Having your social media feed hacked is forgivable; being boring is not at Crain’s Detroit Business.

Of course there’s a biometrics tie-in but the article is a fun read for those who are interested in the social media as well.

The biometrics part:

Can we unleash a few of our most talented geeks on making biometric security apps to the smartphone? Every sci-fi and spy movie in the last 50 years has shown our heroes using fingerprint scanners, retinal scanners and voice print identification. Forget the flying car, just bring me a biometric security app!

We’re working on it!

And then there’s the social media critique.

So yes, Burger King and Jeep had to deal with being hacked, but look at the opportunity! All eyes were on their social media feeds! What did they respond with? More of the same boring, bland content. Reading the last 30 twitter updates for both brands will give Lunesta a run for its money. Overly promotional. Instantly forgettable. Yawn.

Being hacked is forgivable. Being boring is not. A status update should not be a to do item. Don’t just post to post…

Good advice follows. I’d like to think we…

Bypassing an Iris Scanner? There’s Got To Be a Better Way.

In honor of today’s twitter biometric chat on iris biometrics, here’s a post from July 30 containing thoughts on the implications of a recent iris biometrics hack…

A couple of weeks ago, when the news broke that someone had claimed to have “hacked” iris biometrics by reverse engineering a template into an image of an iris that would be accepted by an iris recognition system, I said: It’s not a real biometric modality until someone hacks it.

That’s because a hacking claim can generate a lot of media publicity even if it doesn’t constitute proof that a technology is fatally flawed. Where’s the publicity value of hacking something that nobody uses, anyway? Claims like this can also be taken as a sign that a new technology, iris biometrics in this case, has crossed some sort of adoption and awareness threshold.

So what about the hack? Now that more information is available and assuming that Wired has things about right, “experiment” is a far better descriptor than “hack” for what actually went down. “Hack” would seem to indicate that a system can be manipulated into behaving unexpectedly and with exploitable consequences in its real world conditions. Think of picking a lock. A doorknob with a key hole can be manipulated by tools that aren’t the proper key to open a locked door in its normal operating environment.

The method that the researchers relied upon to develop the fake iris from the real template bears no resemblance to the lock-picking example. What the researchers did is known as hill-climbing. In simple terms, it’s like playing the children’s game Cold-Warm-Hot but the feedback is more detailed. A hill-climbing experiment relies upon the system being experimented on giving detailed information back to the experimenter about how well the experimenter is doing. The experimenter presents a sample and the system gives a score (cold, warm, hot). The experimenter refines the sample and hopes the score will improve. Lather, rinse, repeat. A few hundred iterations later, the light turns green.

Technically, you don’t even need to have a sample (template) to start hill climbing. You could just start feeding the system random characters until you hit upon a combination that fit the template’s template(?).
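
The dependence on feedback described above can be seen in a toy simulation. This is an added example, not part of the original post or the researchers' work; it assumes a constructed 256-bit template scored by the fraction of matching bits, and ToyMatcher, hill_climb and the 0.90 threshold are illustrative names and values. It compares a matcher that hands back its score with one that returns only accept/reject, and with one that locks out after repeated failures.

```python
import random

TEMPLATE_BITS = 256       # constructed toy template, not a real iris code format
ACCEPT_THRESHOLD = 0.90   # assumed: fraction of bits that must agree to accept


class LockedOut(Exception):
    """Raised once the matcher refuses further attempts."""


def random_bits(rng, n=TEMPLATE_BITS):
    return [rng.randint(0, 1) for _ in range(n)]


def similarity(a, b):
    """Fraction of positions where the two bit lists agree."""
    return sum(x == y for x, y in zip(a, b)) / len(a)


class ToyMatcher:
    """Stand-in for a biometric matcher.

    leak_score=True  -> caller sees the raw similarity (cold/warm/hot).
    leak_score=False -> caller sees only accept/reject.
    max_failures     -> optional lockout after that many rejected samples.
    """

    def __init__(self, enrolled, leak_score, max_failures=None):
        self.enrolled = enrolled
        self.leak_score = leak_score
        self.max_failures = max_failures
        self.failures = 0

    def present(self, sample):
        if self.max_failures is not None and self.failures >= self.max_failures:
            raise LockedOut()
        score = similarity(self.enrolled, sample)
        accepted = score >= ACCEPT_THRESHOLD
        if not accepted:
            self.failures += 1
        return accepted, (score if self.leak_score else None)


def hill_climb(matcher, rng, budget):
    """Flip one random bit per attempt, keeping a flip only if the reported
    score improved. Returns (accepted, attempts_used)."""
    candidate = random_bits(rng)
    accepted, best = matcher.present(candidate)
    attempts = 1
    while not accepted and attempts < budget:
        i = rng.randrange(len(candidate))
        candidate[i] ^= 1
        try:
            accepted, score = matcher.present(candidate)
        except LockedOut:
            return False, attempts
        attempts += 1
        if accepted:
            break
        if score is None or score <= best:
            candidate[i] ^= 1      # no usable feedback, or no improvement: undo
        else:
            best = score
    return accepted, attempts


def run_demo(seed=2012, budget=3000):
    """Run the same search against three matcher configurations."""
    configs = {
        "scores_leaked": dict(leak_score=True),
        "decision_only": dict(leak_score=False),
        "scores_leaked_with_lockout": dict(leak_score=True, max_failures=5),
    }
    results = {}
    for name, cfg in configs.items():
        rng = random.Random(seed)          # same enrolled template each time
        enrolled = random_bits(rng)
        results[name] = hill_climb(ToyMatcher(enrolled, **cfg), rng, budget)
    return results


if __name__ == "__main__":
    for name, (accepted, attempts) in run_demo().items():
        print(f"{name:28s} accepted={accepted} attempts={attempts}")
```

Only the configuration that returns its score is accepted, after a few hundred attempts; the other two never give the search anything to climb.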

This is one of those exercises that is academically interesting but doesn’t provide much useful information to system engineers or organization managers. Scientific experiments deal with their subjects by isolating and manipulating one variable at a time. Real world security systems are deployed with careful consideration of the value of what is being protected and a dependence upon all sorts of environmental factors.

A person who wanted to bypass an iris scanner using this method in the real world would:

1. Hack into a biometric database to steal a template of an authorized user; pray templates aren’t encrypted
2. Determine which biometric algorithm (which company’s technology) generated the template
3. Buy (or steal) that company’s software development kit
4. Build and successfully run the hill-climbing routine
5. Print the resulting image using a high quality printer
6. Go to the sensor
7. Place print-out in front of iris scanner
8. Cross fingers

Simple, right? Compared to what?

Once you’re talking about hacking into unencrypted biometric template databases (and depending upon your CRUD privileges) almost anything is possible and little of it requires Xeroxing yourself a pair of contact lenses.

Why not just blow away the whole database of iris templates? Problem solved. The scanners, now just locks with no key, would have to be disabled at least temporarily.

If stealth is more your style, just hack into the database, create a credential for yourself by placing your very own iris template in there and dispense with the whole rigmarole of the hill-climbing business. Delete your template (and why not all the others) after the heist.

If your hacking skillz aren’t up to the task, you could stalk someone who is already enrolled with a Nikon D4 and a wildlife photography lens and skip steps one thru four (and eight) on the above list.

You could trick, threaten or bribe someone into letting you in.

Break the door or a window.

The elaborateness of the process undertaken by the researchers pretty much proves that the iris sensor isn’t going to be the weak link in any real world security deployment.

Iris Biometrics: Come on Down!

It’s not a real biometric modality until someone hacks it (yes, I’m talking to you foot, ear and butt). So cheer up, iris. You’re in good company.

Black Hat: Hacking iris recognition systems (Bank Info Security) UPDATE: Link was wrong before, fixed now.

The article is short on detail about how and how successfully iris systems have been hacked but more information will certainly follow Black Hat’s presentation on July 25 summarized as follows:

FROM THE IRISCODE TO THE IRIS: A NEW VULNERABILITY OF IRIS RECOGNITION SYSTEMS

A binary iriscode is a very compact representation of an iris image, and, for a long time, it has been assumed that it did not contain enough information to allow the reconstruction of the original iris. The present work proposes a novel probabilistic approach to reconstruct iris images from binary templates and analyzes to what extent the reconstructed samples are similar to the original ones (that is, those from which the templates were extracted). The performance of the reconstruction technique is assessed by estimating the success chances of an attack carried out with the synthetic iris patterns against a commercial iris recognition system. The experimental results show that the reconstructed images are very realistic and that, even though a human expert would not be easily deceived by them, there is a high chance that they can break into an iris recognition system.

Stay tuned.