Eyeballs and faces are not as secure as fingerprints—German hackers with the Chaos Computer Club have bypassed iris authentication technology that’s prominently featured in Samsung’s Galaxy S8 smartphone. All that’s needed to trick Galaxy S8’s iris scanner into unlock the phone is an infrared photograph of the eye of the phone’s owner and a contact lens.
ArsTechnica says the photo need not even be a close up.
This video below, originally posted by Starbug (the moniker used by one of the principal researchers behind the hack), demonstrates how to circumvent the iris recognition of Samsung’s flagship Galaxy S8 smartphone—such as a basic digital camera, Samsung’s laser printer and a contact lens—by using equipment that costs less than the $725 price of an unlocked device.
An attacker must posses a photograph of the phone owner’s face, which must be printed out to place the contact lens on the iris in the printout. Holding the image in front of a locked Galaxy S8 fools the iris scanner into unlocking the device.
Princeton Identity, the makers of Galaxy S8’s iris authentication technology, say the phone provides “airtight security” and that consumers can “finally trust that their phones are protected”. Samsung itself claimed that Galaxy S8’s iris scanning mechanism is “one of the safest ways to keep your phone locked.”
That said, we’ve known that bypassing the phone’s biometrics is laughably easy.
In March, iDevice posted a video proving that Galaxy S8’s facial recognition feature can be fooled into unlocking the phone by scanning a simple headshot of the phone’s owner.
According to The Korea Herald, the Galaxy S8 and Galaxy S8 Plus handsets can even be unlocked by scanning the face of a sleeping person. Samsung is aware that Galaxy S8’s facial unlocking technology is not its most secure biometric system: in a March statement to Mashable, a company spokesperson said that facial unlocking cannot be used for purchases with Samsung Pay.
For that, you still must use the phone’s fingerprint reader as the iris scanner can only be used to purchase apps and media or unlock the phone. Galaxy S8 includes both iris scanning and facial recognition via the front-facing camera, in addition to fingerprint scanning via a sensor relocated to the rear side.
Apple’s own Touch ID fingerprint reader isn’t immune to hacks either.
Back in 2013, Starbug demonstrated that fingerprints casually collected off of water glasses can be leveraged to fool Touch ID into unlocking your iPhone. Android phones are susceptible to a similar hack.
As you know, Apple is expected to use facial unlocking and maybe even iris scanning in iPhone 8. Starbug, however, cautions that future smartphones with iris recognition may be equally easy to hack. Iris recognition, says Starbug, is hard to make hack-proof because you can’t really hide your iris.
“It’s even worse than fingerprints,” added the hacker.