Hackers trick iris scanner to unlock Samsung Galaxy S8

Chaos Computer Club easily breaks Samsung's Galaxy S8 iris recognition authentication, says traditional PIN protection is safer than using body parts for authentication

When it comes to security and the iris recognition technology used in its flagship Galaxy S8 smartphone, Samsung touted, “The patterns in your irises are unique to you and are virtually impossible to replicate, meaning iris authentication is one of the safest ways to keep your phone locked and the contents private.”

But the Chaos Computer Club (CCC) made a mockery of Samsung’s “virtually impossible to replicate” claims, easily defeating the iris recognition system used in the new Galaxy S8 with nothing more than a camera, a printer and a contact lens.

Not only can the iris authentication system be broken to unlock an S8, the same trick could allow an attacker to access the victim’s mobile wallet. Just last week, Samsung Pay tweeted a short iris scan video ad along with, “Every eye is unique. Now you can use yours to make purchases with Samsung Pay.”

The Galaxy S8 uses iris recognition technology by identity management firm Princeton Identity. The company claims, “Identity management powered by biometrics, making security more convenient, accurate and reliable than ever before.”

That accurate and reliable security was broken by CCC member “starbug,” a biometrics security researcher who previously broke the fingerprint biometric security of Apple’s Touch ID.

Starbug showed that an attacker only needs to take a picture of the phone owner, crop the image down to the eye, print it out (ironically, a Samsung printer gave the best results) and then place a contact lens over the printed iris to mimic the curvature of a real eye. Hold the fake eye up to the phone, and voila! Open sesame: the phone unlocks, and so does Samsung Pay.

The CCC noted:

The easiest way for a thief to capture iris pictures is with a digital camera in night-shot mode or the infrared filter removed. In the infrared light spectrum—usually filtered in cameras—the fine, normally hard to distinguish details of the iris of dark eyes are well recognizable. Starbug was able to demonstrate that a good digital camera with 200mm-lens at a distance of up to 5 meters (16.4 ft.) is sufficient to capture suitably good pictures to fool iris recognition systems.

So much for Samsung’s claims: “We care deeply about your privacy. So we made the Galaxy S8 and S8+ our securest phones yet. There’s an iris scanner for peace of mind, face recognition that unlocks your phone in an instant, and defense-grade security that stands guard 24/7.”

Do you still have peace of mind about the iris scanner keeping your phone secure?

“Iris recognition may be barely sufficient to protect a phone against complete strangers unlocking it. But whoever has a photo of the legitimate owner can trivially unlock the phone,” said CCC spokesman Dirk Engling. “If you value the data on your phone—and possibly want to even use it for payment—using the traditional PIN-protection is a safer approach than using body features for authentication.”

The biggest cost of this iris biometric hack was buying the Galaxy S8 itself. The CCC noted that, rumor has it, Apple will take a page from Samsung by having iris recognition unlock the next-generation iPhone. It remains to be seen whether Apple’s version will be as easily tricked with a dummy eye.

Copyright © 2017 IDG Communications, Inc.