Chaos Computer Club demonstrates simple Galaxy S8 iris scanner hack

May 24, 2017 | 11:32

Tags: #biometric #ccc #fingerprint-scanner #galaxy-s8 #insecurity #security

Companies: #chaos-computer-club #samsung

The German Chaos Computer Club has released a video demonstrating how the iris scanner on Samsung's latest Galaxy S8 smartphone - and, by extension, any device relying on the same technology - can be defeated with no more than a photograph and a contact lens.

Biometric authentication has proven popular in the mobile realm. For a device which you are likely to lock and unlock dozens of times a day and which lacks a comfortable text-entry system, the ability to replace patterns, PINs, or passwords with the tap of a finger or an unblinking stare offers considerable convenience. Sadly, that convenience often comes at the cost of security, at least when pitted against a sufficiently motivated attacker: back in 2014 the Chaos Computer Club demonstrated that fingerprints could be reconstructed from high-resolution photographs of politicians' hands, taken through a telephoto lens at public events, at a quality high enough to bypass fingerprint recognition systems.

Now, the Chaos Computer Club is at it again, this time demonstrating a method for bypassing the iris scanner built into Samsung's flagship Galaxy S8 smartphone. The demonstration uses photographs taken with a digital camera either set to night-shot mode or with its built-in infrared filter removed, because the scanner images the iris in near-infrared light rather than visible light; the images were captured from up to five metres away through a 200mm telephoto lens. Even that modest setup may be more than an attacker needs, CCC's Dirk Engling warned: 'The security risk to the user from iris recognition is even bigger than with fingerprints as we expose our irises a lot. Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris.'

Once an image of the iris has been captured, the team's technique is to print it out on a low-cost off-the-shelf laser printer and place a disposable contact lens over the printout to give the flat print the curvature of a real eye. The sensor is fooled into thinking it is viewing a live eye, and the phone unlocks immediately.

'If you value the data on your phone – and possibly want to even use it for payment – using the traditional PIN-protection is a safer approach than using body features for authentication,' Engling added following the group's demonstration video, which is available in English on the CCC website.