iBeta launches Injection Attack Detection testing against CENS/TS 18099

A new testing solution from iBeta Quality Assurance meets a growing need for evaluations of injection attack detection (IAD) products. The lab’s IAD testing launches today, and will be part of what iBeta showcases at Identity Week 2026 in Amsterdam next week. It includes testing up to Level 3, against the European standard CENS/TS 18099: 2025, across multiple platforms. And it presages the planned 2027 publication of the ISO/IEC standard dedicated to injection attack testing. iBeta will release a IAD testing solution for the ISO standard when it is released.

David Yambay, iBeta’s assistant director and standards subject matter expert (SME), trained under Dr. Stephanie Schuckers, who played a role in developing the biometric standards for presentation attack detection (PAD) – now a few generations back in the biometric attack timeline. Yambay says that organizations noticed the injection attack threat before they began taking it seriously. He points to the notorious $25 million Hong Kong deepfake debacle as a turning point. “That really started putting it in perspective of, it’s not coming, it’s here.”

“From there, it started becoming a big fight of people trying to figure out ways to stop it. Luckily, the European standards are able to come out so much quicker than ISO standards, because ISO standards require a lot of cooperation, back and forth debate. European standards are able to get through a lot quicker.”

Enter CENS/TS 18099: 2025, which the British Standards Institute (BSI) expedited, to provide what Yambay calls “a stopgap measure” while the ISO/IEC standard is drafted. “We’re actively working on the ISO version, trying to work on a lot of clarifying pieces, things that may not have been as clear or not exactly how we wanted it in the European standard, so that we can create something that we believe will be a more rigorous and comprehensive evaluation of systems.”

The effort speaks to iBeta’s goal of being a leader in biometrics testing, and being ahead of the curve on the ongoing evolution of biometric fraud techniques.

Weights and measures power IAD testing methodology

IAD testing against 18099 makes use of the evaluative versioning from a number of cybersecurity standards, which assign “weights” to attacks. Those weights, Yambay says, are based on things such as the amount of time or the amount of expertise required for an attack. “There is essentially a whole chapter of the standard that goes over weighting.”

Levels for IAD testing are then based on basic cumulative weight values; for instance, says Yambay, “a level 2 test is, I believe, weight 39 and below, a level 3 test is weight 49 and below.”

“This method makes it a little bit future proof, in that as technology advances, some of those weights of expertise or ease of access to the biometric you’re going to use for the injection, that might come down, and then lower the attack potential of that attack.”

Level 2 type attacks are classified as Substantial. Examples include virtual webcam or emulator injections, which plug a camera feed into the system through an emulator.

Level 3 is considered the High level. Ryan Borgstrom, iBeta’s director of biometrics, explains that for level 3 IAD testing, the lab uses tools similar to Magisk, which is used for systemless rooting of Android devices  “And we’ll be doing some camera service and kernel manipulation, going through those files and looking to replace that video file within the kernel manipulation there. And then customizing, you know, an AOSP image to run on, say, a Google Pixel or Raspberry Pi, making it easier to access those camera modules and being able to bypass them that way.”

Testing against Level 3 also encompasses attacks lower on the hierarchy. Which is to say, a Substantial test will ensure the system is strong against attacks classed as Substantial and lower.

Ultimately, what matters is what works. The market status of IAD is in flux, as vendors figure out how to incorporate the capability into existing fraud prevention and authentication stacks. But Yambay says it’s the overall security posture that matters.

“If other parts of the systems work together and prevent the injection attack method, then that overall is a positive in terms of injection attack testing. So we’re not necessarily worried about isolating just the injection attack protection methods a company has, but working with a cybersecurity partner on different ways for them to hack the system and say, all right, we’re going to attempt to get in these ways and push these things through. If the system is preventing it, whether it’s their dedicated injection attack detection methods or a combination of that and others, that’s not so much of a concern, as long as they’re able to stop these attacks coming in.”

Customers are asking for IAD

For iBeta, the main reason for launching the IAD testing is simple: their customers are asking for it. While it may not yet be considered table stakes in the same way as liveness detection, Yambay says that, with Europe moving towards a mandatory date by which IAD providers need to have been tested against CENS/TS 18099, “it basically is forcing a lot of vendors to look towards it.”

The publication of the ISO/IEC standard will accelerate IAD’s journey toward baseline necessity. Yambay says a lot of what’s in it will align with the European standard, but it will be more comprehensive. Details are still being worked on; Yambay says many things “are still in the discussion phase.”

Borgstrom says that the AI boom is drastically increasing attack surfaces – making testing all the more important. “It’s going to be able to provide more confidence in vendor systems to not only go through the presentation attack detection test, but to continue on with the IAD testing.”

That’s part of what’s driving iBeta’s long-term strategy. Evan Call, iBeta’s director of biometrics sales and marketing, notes that the use of biometrics is becoming more prevalent everywhere. That’s driving the market for testing. “I get the impression that a lot of people look at PAD Level 3 like it’s the new Level 2.”

Escalation, advancements, convergence: the future of fraud prevention looks busy, and increasingly interconnected. Yambay sees the emergence of IAD standards as harbingers of “a future where it’s going to be more and more cybersecurity and biometric security kind of intertwined. Because you’re going to need both sides working together.”

This is a sponsored post. For information about advertising, please contact us.

Article Topics

AI fraud  |  biometric testing  |  CEN/TS 18099  |  IAD certification  |  iBeta  |  injection attack detection