The Galaxy S8 is one of the very first phones to include iris scanning technology. The device shipped to the public a month ago. It hasn’t taken long for investigators to find a way to bypass the system. German hacking collective the Chaos Computer Club (CCC) posted a video online this week that shows a simple way to fool it using an artificial eye.
The team’s method works by printing off pictures of the user’s eye. These could easily be obtained by a real attacker by browsing social media photos. The highest quality ones are selected and affixed to a contact lens. This ensures the dummy eye matches the curvature of a real specimen.
The “eye” is then presented to the Galaxy S8 which reportedly recognises it as the owner’s original. Although the iris scanner supposedly measures the exact shape and size of the user’s eye, it seems that a contact lens and photograph is sufficient to obtain access. This calls into question the integrity of Samsung’s technology, described as “one of the safest ways to keep your phone locked.”
Samsung hasn’t officially commented on the video and has refused to respond to most media comment requests. However, it told the BBC that it is “aware” of the issue. There’s no word on whether it’s taking steps to investigate further or improve the accuracy of its system.
According to CCC, the most reliable way to fool the phone is to use an infrared photo of a person’s face taken with a camera’s night mode active. This can be achieved using a regular digital camera. After testing a set of different printers, the team ironically found that a Samsung laser model delivers the best results.
The discovery raises further concerns around the actual integrity of biometric authentication mechanisms. Although fingerprint sensors and iris scanners offer greater protection than passwords and PINs, the risks are much higher if the technology is broken.
Unlike passwords, you can only switch between ten fingerprints. With an iris scanner, you have just one chance at using the technology. If hackers create a reliable facsimile of your eye, they could potentially access your devices indefinitely, or at least until technology evolves. This could you put at considerable risk, especially if your biometric authentication is compromised without your knowledge or you use it to protect sensitive data.
“If you value the data on your phone, and possibly want to even use it for payment, using the traditional PIN-protection is a safer approach than using body features for authentication,” said CCC spokesperson Dirk Engling. “The security risk to the user from iris recognition is even bigger than with fingerprints as we expose our irises a lot.”
As biometrics become more common, the debate over their use is likely to get more public in the coming years. With it evident that the techniques aren’t as infallible as manufacturers suggest, more research will be required to determine the true protection offered by emerging authentication methods.
