Schneier on Security
A blog covering security and security technology.
July 26, 2011
iPhone Iris Scanning Technology
No indication about how well it works:
The smartphone-based scanner, named Mobile Offender Recognition and Information System, or MORIS, is made by BI2 Technologies in Plymouth, Massachusetts, and can be deployed by officers out on the beat or back at the station.
An iris scan, which detects unique patterns in a person's eyes, can reduce to seconds the time it takes to identify a suspect in custody. This technique also is significantly more accurate than results from other fingerprinting technology long in use by police, BI2 says.
When attached to an iPhone, MORIS can photograph a person's face and run the image through software that hunts for a match in a BI2-managed database of U.S. criminal records. Each unit costs about $3,000.
Roughly 40 law enforcement units nationwide will soon be using the MORIS, including Arizona's Pinal County Sheriff's Office, as well as officers in Hampton City in Virginia and Calhoun County in Alabama.
Posted on July 26, 2011 at 6:51 AM
• 30 Comments
Do away with passwords and pins.
Yet another access point to criminal databases, one small enough you can take it out of a police officer's pocket.
Would be interesting to see just how much thought they've put into making this secure.
These have been trialed in the US for several years. Here's a short article about one:
The issue to me is one of becoming non-anonymous just by walking down the street. Right now, taking a photo of someone in public is not infringing anyone's right to search and seizure (as long as it's not /of/ the police), and the PDs are saying "trust us" and they will only use it on those already arrested for a crime.
Naturally, it is easy to start using these devices at breathalyzer checkpoints and so on, and everyone gets a scan in the database. I suspect there's a test case in our future.
I also hear this device has a fingerprint scanner. So, I presume the procedure is to scan both, since there's a vastly larger pool of fingerprints stored now.
Yes, I read a couple of articles on this over the last week. From a surveillance standpoint, this could prove to be fairly bad news.
In science fiction, one occasionally reads about "retinal scanners" that can scan the eye from long distance. I suspect this technology is being developed as well.
One problem I see for the foreseeable future, however, is where they get the database of retinas. Presumably they will start collecting those from new criminals, just as they have started collecting DNA samples of all criminals these days. But it will be a while before they collect enough to be useful.
The fingerprint scanner in the device, OTOH, is immediately useful of course.
From a criminal's standpoint, this just means never give a cop a reason to stop you on the street or anywhere else. That's pretty much been true for decades anyway due to fingerprinting. And if a cop does stop you, might as well whip out the piece and throw down because your fake driver's ID isn't going to work anymore.
With the rise of technology being applied to law enforcement, at some point it's going to be necessary for just about all criminals to be armed with heavier weapons than the average cop, trained in the use of arms to the same degree as a cop, and willing to kill any cop at any confrontation. There just won't be any other options if you want to stay out of jail.
In other words, crime in the US will look like Mexico.
Unless of course someone comes up with a way to beat the scanner, just as fake fingerprints can be made. Contacts with different retinal patterns or "camouflage patterns" that defeat the scan without being detectible themselves. Someone will come up with something, presumably.
The problem with biometric data is that, whereas trusting a company with a password and token is one thing, I can’t change my biometric (trivially), when or if the company botches the security.
I guess they would have to hash my biometric data and use bcrypt or some such, in order for it to be modestly safe, and I don’t really expect a lot of companies to handle my credentials responsibly.
So, it would seem this eliminates the need for Real-ID (the post 9/11 universal driver's license). "Your papers please" will be a thing of the past as a simple scan will take care of that. And, we will all get added to the "criminal" database, even if there is no arrest and no reasonable cause for stopping us. The police will be overwhelmed by the post-arrest workload, which should keep them busy for many days to handle each day of scanning. Expect to find required scanning checkpoints at every street corner, every stop sign, every store entrance/exit, even public toilets. At least, it might mitigate the TSA crap.
What about lenses? Can they fool the system?
(I can imagine a whole lot of false identifications of Obama.)
I wear my SUNglasses at night 'cause I don't know I don't know
the Guild Season 5 starts tonight!
I would like to point out that these sorts of systems also work on the police.
The police will argue that this is not a breach of privacy, since taking a picture in public is generally allowed. Someone will program a phone app allowing you to take an iris picture of the policeman pulling you over, to consult an online database reviewing the policeman's past actions.
People are already pressing this issue using video cameras to tape the police and other authorities in action, such as at FreeKeene and CopWatch.
Since the majority of people are law abiding, this technology will have two consequences - it will protect me from known criminals, and it will protect me from abusive police.
Ntanael L: "What about lenses?"
Do you mean Contact Lenses?
Version A obfuscate - reflect or distort inbound or outbound light
Version B render false image (like those plastic fingerprints Barry on the IMF used)
I'd say B would be tougher to develop but these systems always come with test data. I'd use whatever test pattern A. Smith-not-a-criminal is already in the system to pass with a false negative.
I worry about false negatives.
What happens if a cop runs your iris against what comes up on your driver's license or passport and the instrument declares a mismatch? There's no way to talk your way out of the trouble you are now in.
I'm curious. Is this just third party software? What's the link to the iPhone in the headline? Is it just an "app" or is there some deeper integration with the iPhone? If the former, then it's only a matter of time before this is ported to other mobile devices (it's not really iPhone technology). If it's the latter, then I'd be extremely concerned about the relative insecurity of the mobile device itself.
Sounds highly profitable.
Without a nationwide iris-scan-gathering, the database will be as good as any computerized fingerprint-matching database.
That is, it will only recognize entries already in the system.
What I wonder is, does it also detect dilated blood vessels due to alcohol? The blood vessels present in the eye are affected by alcohol, and the data should be detectable on the image.
The officer can probably smell beer-breath at the 5-6 inch range that MORIS uses for photos. But it may make for an additional piece of evidence, alongside Breathalyzer and Officer Nose.
"Life Imitates Art".
The 1993 movie, "Demolition Man" (Stallone/Snipes). IIRC, Snipes escapes from a futuristic prison by cutting out a guard's eye to get past a retinal scanner. Much as fingerprint scanners have been defeated by cutting off the rightful owner's finger.
The eye is not always constant over time. One example: Wilson's disease, which creates a brown ring on the edge of the iris. Symptoms can begin at any age. The disease appears to be somewhat treatable, implying possible regression or disappearance of the rings.
One of many possibilities. Not to mention smoking certain herbs...
Tommy: The cut out eye bit has been done numerous times. The most recent I saw was last year's season two of Human Target. In the first episode, the crooks took the eye of a deceased billionaire in order to get into his private vault at a bank in Switzerland. Two eye scans were needed, one from his wife and his. They kidnapped the wife and physically brought her along to get them into the bank.
The time before that was on the "Blade: The Series" show in the last episode where Blade cut out an architect's eyeball in order to get into a building with retinal scan locks.
I wonder how easy it would be to cut out an eye and not cause inflammation or bloodshot eyes that would mess up the scan. Probably would need a surgical removal and a special medical container to minimize the damage until it could be used.
Fingers are a lot easier.
RSH, a baggie with ice water would work fine. If in doubt, take the whole head.
Non-reflective (glass) surface plus an infrared matrix (steel, frequency shift canceled) from a camera shot put in front of an IR bulb
Is anyone else thinking about Pamela Anderson right now?
No, not for that reason, about the film 'Barbed Wire'......
Luckily our countries don't abuse our laws to effect a police state like in the film. Oh. Bum.
Dom De Vitto: You know, the hilarious thing about that movie is that it took me months after seeing it to realize that it was a direct remake of "Casablanca".
I must be really dense.
Soon only criminals will wear sunglasses
Hmm. Time to buy a Guy Fawkes-mask.
Officer: Let me scan your eyes.
You: I know my rights! I demand privacy!
Officer: Seriously? Should I have to take you to the station?
You: Can you at least take a look at these legal statements first? If you accept to follow them, I'll let you scan my eyes.
You: You can scan this Qr code for a direct link. *holds up screen*
Officer: Oh, well... *scans*
The cop now has a PDF with an exploit that alters the result from the app and then wipes all traces.
This needs some perspective.
Notwithstanding CSI mythology, when you send fingerprints to the FBI for identification, they send back the 15 best matches. If none of those match a person of interest, they'll send you 15 more. Rinse and repeat until you get the 'evidence' you need.
The problem is that fingerprints may be unique, but their digital parameters aren't. The same applies to all biometric 'identifiers'. None of them can be used as a unique key to a record in a database.
Anyone see "Minority Report"? Underground eyeball transplants are going to be the next big thing...
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.