In a video released on Monday, the white-hat team of hackers demonstrated how Samsung Galaxy S8’s iris sensor, supplied by security firm Princeton Identity, can be tricked into unlocking the phone with a cropped picture of a person’s irises and a pair of contact lenses. After toying around with the photo’s brightness and color contrast, printing out a high-resolution copy, and placing the contact lenses on top of the print, the CCC was able to unlock the Galaxy S8.
A spokesperson for Samsung told The Korea Herald that fooling the Galaxy S8’s iris sensor is “unrealistic,” and that it would require a “camera that can capture infrared light” and a photo of the owner’s iris. “It is difficult for the whole scenerio to happen in reality.”
It was a little more challenging than it looks. In a blog post, CCC spokesperson Dirk Engling conceded that most selfies won’t fool the Galaxy S8’s iris scanner — a hacker would have to capture a person’s iris with a digital camera in night-shot mode or the infrared filter removed.
“In the infrared light spectrum — usually filtered in cameras — the fine, normally hard to distinguish [sic] details of the iris of dark eyes are well recognizable,” Engling wrote. “[We were] able to demonstrate that a good digital camera with 200mm-lens at a distance of up to five meters is sufficient to capture suitably good pictures to fool iris recognition systems.”
Still, the CCC’s workaround would appear to contradict Samsung and Princeton Identity’s messaging. In marketing materials, Samsung’s highlighted the Galaxy S8’s iris scanner as a “secure” alternative to PINs and passcodes. In an interview with Business Insider in April, Princeton CEO Mark Clifton characterized the
“[The FBI] uses 13 points of identification per fingerprint, so with all 10 finger you might have 130 unique identifiers,” Clifton said. “[The] Galaxy S8’s iris scanner can register up to 200 identifying features from a single iris.”
It is not the first time the CCC has demonstrated flaws in iris-scanning technologies. In March, the group fooled a commercial system with a 75-pixel image of an iris printed at a resolution of 1,200 dpi (dots per inch).
“If you value the data on your phone, and possibly want to even use it for payment, using the traditional PIN-protection is a safer approach than using body features for authentication,” Engling said.
Article originally published on 05-23-2017. Updated on 05-25-2017 by Kyle Wiggers: Added statement from Samsung spokesperson.
Editors' Recommendations
- You have to see this savage Galaxy S23 drop test
- Does the Samsung Galaxy A54 have wireless charging?
- Samsung may have just killed the Galaxy S10
- Does the Samsung Galaxy A54 have a headphone jack?
- The Huawei Watch Ultimate looks like the perfect Apple Watch Ultra rival