Germany’s venerable Chaos Computer Club (CCC) takes no prisoners — especially when it comes to smartphone security. After successfully fooling a fingerprint sensor using high-resolution images of a hand, specialized computer software, and a standard printer last year, the hacker collective set their sights on a new target: The Galaxy S8’s iris scanner.
In a video released on Monday, the white-hat team of hackers demonstrated how Samsung Galaxy S8’s iris sensor, supplied by security firm Princeton Identity, can be tricked into unlocking the phone with a cropped picture of a person’s irises and a pair of contact lenses. After toying around with the photo’s brightness and color contrast, printing out a high-resolution copy, and placing the contact lenses on top of the print, the CCC was able to unlock the Galaxy S8.
A spokesperson for Samsung told The Korea Herald that fooling the Galaxy S8’s iris sensor is “unrealistic,” and that it would require a “camera that can capture infrared light” and a photo of the owner’s iris. “It is difficult for the whole scenerio to happen in reality.”
It was a little more challenging than it looks. In a blog post, CCC spokesperson Dirk Engling conceded that most selfies won’t fool the Galaxy S8’s iris scanner — a hacker would have to capture a person’s iris with a digital camera in night-shot mode or the infrared filter removed.
“In the infrared light spectrum — usually filtered in cameras — the fine, normally hard to distinguish [sic] details of the iris of dark eyes are well recognizable,” Engling wrote. “[We were] able to demonstrate that a good digital camera with 200mm-lens at a distance of up to five meters is sufficient to capture suitably good pictures to fool iris recognition systems.”
Still, the CCC’s workaround would appear to contradict Samsung and Princeton Identity’s messaging. In marketing materials, Samsung’s highlighted the Galaxy S8’s iris scanner as a “secure” alternative to PINs and passcodes. In an interview with Business Insider in April, Princeton CEO Mark Clifton characterized the Galaxy S8’s iris scanner as “better” than the FBI’s fingerprinting technology.
“[The FBI] uses 13 points of identification per fingerprint, so with all 10 finger you might have 130 unique identifiers,” Clifton said. “[The] Galaxy S8’s iris scanner can register up to 200 identifying features from a single iris.”
It is not the first time the CCC has demonstrated flaws in iris-scanning technologies. In March, the group fooled a commercial system with a 75-pixel image of an iris printed at a resolution of 1,200 dpi (dots per inch).
“If you value the data on your phone, and possibly want to even use it for payment, using the traditional PIN-protection is a safer approach than using body features for authentication,” Engling said.
Article originally published on 05-23-2017. Updated on 05-25-2017 by Kyle Wiggers: Added statement from Samsung spokesperson.