Eyeballs and faces are not as secure as fingerprints—German hackers with the Chaos Computer Club have bypassed the iris authentication technology that’s prominently featured in Samsung’s Galaxy S8 smartphone. All that’s needed to trick the Galaxy S8’s iris scanner into unlocking the phone is an infrared photograph of the phone owner’s eye and a contact lens.

ArsTechnica says the photo need not even be a close up.

The video below, originally posted by Starbug (the moniker used by one of the principal researchers behind the hack), demonstrates how to circumvent the iris recognition of Samsung’s flagship Galaxy S8 smartphone using equipment that costs less than the $725 price of an unlocked device—a basic digital camera, a Samsung laser printer and a contact lens.

An attacker must possess a photograph of the phone owner’s face, which is printed out so that a contact lens can be placed over the iris in the printout. Holding the image in front of a locked Galaxy S8 fools the iris scanner into unlocking the device.

Princeton Identity, the makers of Galaxy S8’s iris authentication technology, say the phone provides “airtight security” and that consumers can “finally trust that their phones are protected”. Samsung itself claimed that Galaxy S8’s iris scanning mechanism is “one of the safest ways to keep your phone locked.”

Even so, it was already known that bypassing the phone’s biometrics is laughably easy.

In March, iDevice posted a video proving that Galaxy S8’s facial recognition feature can be fooled into unlocking the phone by scanning a simple headshot of the phone’s owner.

According to The Korea Herald, the Galaxy S8 and Galaxy S8 Plus handsets can even be unlocked by scanning the face of a sleeping person. Samsung is aware that Galaxy S8’s facial unlocking technology is not its most secure biometric system: in a March statement to Mashable, a company spokesperson said that facial unlocking cannot be used for purchases with Samsung Pay.

For that, you still must use the phone’s fingerprint reader, as the iris scanner can only be used to purchase apps and media or to unlock the phone. The Galaxy S8 includes both iris scanning and facial recognition via the front-facing camera, in addition to fingerprint scanning via a sensor relocated to the rear of the device.

Apple’s own Touch ID fingerprint reader isn’t immune to hacks either.

Back in 2013, Starbug demonstrated that fingerprints casually collected off water glasses can be leveraged to fool Touch ID into unlocking an iPhone. Android phones are susceptible to a similar hack.

Apple is expected to use facial unlocking and maybe even iris scanning in the iPhone 8. Starbug, however, cautions that future smartphones with iris recognition may be equally easy to hack. Iris recognition, says Starbug, is hard to make hack-proof because you can’t really hide your iris.

“It’s even worse than fingerprints,” added the hacker.

  • John

    “All that’s needed to trick Galaxy S8’s iris scanner into unlocking the phone is an infrared photograph of the eye of the phone’s owner and a contact lens.”

    This is a very specific prerequisite, and more difficult to obtain than lifting a fingerprint (which was used to foil Touch ID).

    • Shinonuke

      Not really. Lifting a fingerprint and then making a print from it is a lot harder than printing a picture of a person’s eye and then covering it with a contact lens. But I find this iris trick works for spouses with trust issues.

      • Mike

        I don’t think you understood that correctly…

      • Shinonuke

        I think you’re right. Imma edit my reply

    • Rowan09

      No, all you need is a photo of the person’s face, and then put it with a contact lens. How is that easier than lifting fingerprints from a glass and then making a mold of that fingerprint?

  • Stephen Hedger

    Oh no, this is bad news. So if I leave my phone on a bus by accident and someone finds it along with the iris portrait of my face in infrared that I have just printed out, all they would then need is a contact lens!!! Arghgh

    This is something I do so often.

    I’d be tempted to just stick to fingerprints, BUT what if I fell asleep on the bus and the phone burglar then lifted my finger and opened the phone with it!!! Arghghgf

    Maybe I’ll just stick to an alphanumeric password…

    But wait!! What if THEN someone takes my phone and says “tell me your passcode or I will make you cry”

    I would then tell this person my passcode to save my life and THEY WOULD STILL GET IN!!! Oh my god I’m so fwitond

    Maybe it’s best if I don’t have a phone at all

    • Shinonuke

      Haha. Phone thieves suddenly convert to hostage takers.

    • GUY

      If this comment was on reddit it would have gotten you a Gold.

  • tariq

    I think people who want to be extra extra safe should just stick to words, PIN, or pattern lock. For average users, iris and fingerprint is fine.

  • Satyam Panchal
  • Jay Gilgert

    I had the same problem with my PIN number. All the thieves needed was mind reading technology. After they stole my phone I tried to think of a bunch of stuff to wipe out the PIN number, but I’m so mentally weak, I thought of it and they captured it in the mind reader.