As computers continue to manage more and more of our private information, keeping that information secure is becoming more and more important. The most recent iPhone has a fingerprint biometrics scanner, and this Kickstarter campaign is promoting an eyeball scanner that purports to keep your information secure. But is it really secure?
The Tech
So what exactly is this device? Is it some kind of super sweet retinal scanner with lasers and whatnot like in Mission Impossible? Apparently not. They’re not too specific on the details, but it looks like it’s more or less just a webcam:
I’m seeing a camera, an indicator LED, and a one-way mirror on the front to help you align your eyeball. There’s also mention of an accelerometer in the description, though it isn’t clear what that’s used for. Alright, so it’s a webcam. Perhaps the Myelock team felt limited by the lenses of typical webcams and needed something that could present a better close-up image of an eyeball for this application.
So if the hardware is just a fancy camera, what’s the software like? They advertise that they’ve made some kind of “vault” software that allows you to drag and drop files into a special encrypted folder that’s protected by your MyeLock. Imagine it: someone sits down to your machine and wants access to your secure banking document or whatever and they’re thwarted by MyeLock! Their iris doesn’t match up! That seems secure enough, right?
There’s a thing in the tech world called the “10 Immutable Laws of Security“. Law number three reads “If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore”. The idea is that once someone has the ability to sit down to your machine without intervention, they can basically take anything they want wether it be by running special software or removing components from your computer. Physical device security is a pretty serious matter, and hackers are always challenging themselves to find more interesting ways to access secure data (such as cryogenically freezing ram to retain its information as it’s removed from your computer), so claiming that a device will protect your data when the malicious entity already has physical access is a pretty tall order. How does MyeLock claim to cover this?
They don’t.
There’s no mention anywhere on the description or the video of what method of encryption they’re using. They use the word “encryption” a number of times, but “encryption” can range from just jumping thirteen characters ahead in the alphabet to storing information in the quantum states of particles. So what is MyeLock using? It’d be pretty silly to go through all the effort of creating a iris scanner just to have someone bypass it entirely by using a standard rainbow table on the software itself. There’s also no detail on what they’re doing to prevent malicious software from intercepting the video feed from the camera and taking screenshots of your eye. Is the device encrypting the info before passing it to the host PC? who knows!
So okay, let’s assume the software uses the best encryption methods possible. There’s still the concern of forgery. Dr. Eugene Belogay in the video describes how the odds of two individuals having the same iris is under one in 10 billion. There are two problems that I have with this.
Firstly, the video claims that your iris can generate a “ridiculously long password”, but if you assume that the average password has about 100 different characters to choose from (caps, lowercase, numbers, symbols, etc), the odds of guessing a randomized five character password correctly is also one in 10 billion (100^5). Add another character and it shoots up to 1 trillion. Okay, so best case, this device has the security of a five digit password.
Now of course, most passwords aren’t entirely random. As the video explains, people often use words or phrases familiar to them to make their passwords easier to remember (name of pets, etc). So if you know someone personally or have any sort of information on them, you can probably leverage that information to narrow down the number of possibilities to a list that a piece of software can brute force in a reasonable amount of time.
So what about leveraging information to obtain a good image of someone’s eyeball?
One of the biggest issues facing iris recognition technology is the inability to discriminate between an iris and a high resolution picture of an iris. Even mainstream fingerprint scanners such as that in the iPhone 5S uses special technology to determine if a fingerprint is generated by a live finger and not a facsimile (or tragically severed finger). So what does the MyeLock do to prevent someone from using a high resolution image?
Nothing. Or at least nothing they felt important enough to mention.
But where are you supposed to get a high resolution image of someone’s eyeball? Well if you know anyone working on the MyeLock marketing video, you could start here:
Perhaps these images aren’t quite high resolution enough to pull it off, but if they are, these folks effectively just published their passwords on the internet. It’s especially easy if you know who wears contacts.
Marketing
So their video and marketing materials like to brag about how easy it is to use this device to access your data. Of course the saying goes that the most secure computer in the world is the one nobody can access, and this team hasn’t made it clear what measures they’re taking to prevent unauthorized access.
While the video mentions some kind of hash generated from an eyeball image, the Kickstarter description mentions that the image is matched to an “enrolled image”.
If the latter is true, it means that the key to unlocking your data is apparently stored on the machine you’re trying to protect. This is a major no-no in the cryptography world.
The team seems to be leveraging the buzzwords and fun facts associated with biometrics to push their product, but they haven’t gone into any detail regarding how their specific implementation is secured.
Can they do it?
I’d say yes. These guys seem totally capable of producing a USB webcam that can take pictures of your eye to open and encrypted folder on your computer. I am very concerned however that the device delivered will not offer the level of protection that backers are expecting from the device.
Personally, I’ll stick to using ********.
Leave a Reply