Germany’s venerable Chaos Computer Club (CCC) takes no prisoners — especially when it comes to smartphone security. After successfully fooling a fingerprint sensor using high-resolution images of a hand, specialized computer software, and a standard printer last year, the hacker collective set their sights on a new target: The Galaxy S8’s iris scanner.
In a video released on Monday, the white-hat team of hackers demonstrated how
A spokesperson for Samsung told The Korea Herald that fooling the Galaxy S8’s iris sensor is “unrealistic,” and that it would require a “camera that can capture infrared light” and a photo of the owner’s iris. “It is difficult for the whole scenerio to happen in reality.”
It was a little more challenging than it looks. In a blog post, CCC spokesperson Dirk Engling conceded that most selfies won’t fool the Galaxy S8’s iris scanner — a hacker would have to capture a person’s iris with a digital camera in night-shot mode or the infrared filter removed.
“In the infrared light spectrum — usually filtered in cameras — the fine, normally hard to distinguish [sic] details of the iris of dark eyes are well recognizable,” Engling wrote. “[We were] able to demonstrate that a good digital camera with 200mm-lens at a distance of up to five meters is sufficient to capture suitably good pictures to fool iris recognition systems.”
Still, the CCC’s workaround would appear to contradict Samsung and Princeton Identity’s messaging. In marketing materials, Samsung’s highlighted the Galaxy S8’s iris scanner as a “secure” alternative to PINs and passcodes. In an interview with Business Insider in April, Princeton CEO Mark Clifton characterized the
“[The FBI] uses 13 points of identification per fingerprint, so with all 10 finger you might have 130 unique identifiers,” Clifton said. “[The] Galaxy S8’s iris scanner can register up to 200 identifying features from a single iris.”
It is not the first time the CCC has demonstrated flaws in iris-scanning technologies. In March, the group fooled a commercial system with a 75-pixel image of an iris printed at a resolution of 1,200 dpi (dots per inch).
“If you value the data on your phone, and possibly want to even use it for payment, using the traditional PIN-protection is a safer approach than using body features for authentication,” Engling said.
Article originally published on 05-23-2017. Updated on 05-25-2017 by Kyle Wiggers: Added statement from Samsung spokesperson.
- Common Samsung Galaxy Note 10 and 10 Plus problems, and how to fix them
- The best Samsung Galaxy S8 Plus cases and covers
- Google Pixel 5 review: Google’s best tech, condensed for convenience
- The best Samsung Galaxy S9 tips and tricks
- iPad Air 4 vs. iPad Pro 11: This one might surprise you