The Chaos Computer Club, Europe’s largest association of hackers, has successfully broken the security of the Samsung Galaxy S8’s iris scanner. They also uploaded a video showing how simple the technique for defeating the iris recognition system is.
The Galaxy S8 is the first smartphone on the market to have been released with iris recognition. The manufacturer of the biometric technology is Princeton Identity Inc. While the system promises users secure individual authentication based on the unique pattern of the human iris, Chaos Computer Club hackers showed that it can be easily broken. Their test involved creating a dummy eye that fooled the phone’s iris scanner into unlocking.
The dummy eye was created by taking a photo of the owner’s eye, adjusting the brightness and contrast of the image until the full structure of the eye was visible, and then printing this out on a Samsung laser printer. Then, a normal contact lens was placed over the image, and the Galaxy S8 would unlock!
The hardest part is taking a photo of someone’s eye with that much detail. However, hackers from Chaos Computer Club discovered that one could use selfies off social media. Additionally, a usable, good-quality picture can be taken with a good digital camera with a 200 mm lens from a distance of up to five meters, using night mode or with the infrared filter removed.
Samsung has announced the integration of the iris biometric system with its mobile wallet, Samsung Pay. This means hackers will not only have access to details on your mobile phone but will also be able to access your wallet. Dirk Engling, spokesperson for the Chaos Club, said:
“If you value the data on your phone – and possibly want to even use it for payment – using the traditional PIN-protection is a safer approach than using body features for authentication.”
Chaos Club member and biometrics security researcher Starbug has also repeatedly shown how biometric technology can be defeated, including by demonstrating on the Apple iPhone’s Touch ID. According to Engling:
“The security risk to the user from iris recognition is even bigger than with fingerprints as we expose our irises a lot. Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris.”
The best way to ensure the safety of your Galaxy S8 and the sensitive information on it is to keep it near you at all times, especially in public. An alternative is to use a simple PIN unlock instead of the biometric options. Samsung is aware of the security lapse and has issued a statement saying the iris scanner has been developed through rigorous testing. The spokesperson further adds:
“If there is a potential vulnerability or the advent of a new method that challenges our efforts to ensure security at any time, we will respond as quickly as possible to resolve the issue.”