Chaos Computer Club once again demonstrate how biometric security is far from infallible
German hackers have defeated the iris-recognition feature on Samsung’s Galaxy S8 smartphone, fooling the scanner with a dummy eye.
Members of the Chaos Computer Club hacker group posted a video demonstrating how they can create a fake eye that tricks the iris-recognition capabilities in Samsung’s latest smartphone into thinking it is seeing the actual eye of a registered user.
Samsung iris scanner hack
To bypass the feature designed to offer an alternative to securely accessing the Galaxy S8 that does not involve using a fingerprint scanner or password, the hackers first took a photo of the registered user’s face at medium distance using a digital camera.
From there they printed out an image zoomed into the smartphone user’s eye, somewhat ironically using a Samsung laser printer.
With the image on a sheet of paper, the hackers then put a contact lens over the iris of the printed eye picture to simulate the curvature of an eye.
When the dummy eyre was held up to the front facing camera of a locked Galaxy S8, the Android smartphone unlocked due to it bewing tricked into thinking the fake eye was that of its user.
The hackers noted that images could be taken from social media and used to create a dummy eye in the same fashion.
To carry out the hack, one would need access to a users phone and have a picture of them where they could zoom into the owner’s eye at a certain resolution.
As such, the hack may not be the most practical for phone thieves, as they would either have to stealthily snap a picture of the owner or be aware of their identity enough to track pictures of them down.
Chaos Computer Club did note that clear pictures of irises can be achieved with cameras in night-shooting modes,
In a statement sent to Silicon, a Samsung spokesperson noted that the company has developed it iris scanner to be as robust as possible and that it will look into any highlighted vulnerabilities.
“We are aware of the issue, but we would like to assure our customers that the iris scanning technology in the Galaxy S8 has been developed through rigorous testing to provide a high level of accuracy and prevent attempts to compromise its security, such as images of a person’s iris. If there is a potential vulnerability or the advent of a new method that challenges our efforts to ensure security at any time, we will respond as quickly as possible to resolve the issue,” the spokesperson said.
However, the hack does highlight that various biometric security features are not as robust as their creators might like.
“If you value the data on your phone – and possibly want to even use it for payment – using the traditional PIN-protection is a safer approach than using body features for authentication,” said Dirk Engling, a spokesperson for the Chaos Computer Club.
We would argue that savvy phone thieves could snatch a glace at a person putting in a PIN number likely more easily than creating a dummy eye.
But with fingerprint scanners also unable to offer infallible phone security, it would appear that the best bet to securing your phone is to not to completely put your faith in any one security option and make sure you handset remains close to your person when in public areas and out of easy view and reach of potential thieves.
Do you know all about biometric technology? Take our quiz!