Samsung Galaxy S8 iris scanner can be fooled with a printed photo

After demonstrating how easily Apple’s Touch ID can be fooled with a user fingerprint photographed from a glass surface, Chaos Computer Club (CCC) hacker “Starbug” has proven that the iris recognition system in Samsung’s Galaxy S8 smartphone can be fooled by using a printed photo of the user’s eye(s).

Samsung Galaxy S8 iris recognition

The hack

As the CCC's demonstration video shows, the whole process is extremely simple:

  • Take a photo of the user with a digital camera (preferably in night-shot mode or with the infrared filter removed: the S8's iris scanner itself images the eye under near-infrared light, and iris structures that are faint in a visible-light photo, especially in dark eyes, stand out clearly in the infrared)
  • Adjust the photo's brightness and contrast with a graphics editor so that all iris structures are well visible
  • Print the iris picture
  • Place a contact lens over the printed iris (to imitate the curvature of a real eye’s surface)
  • Use the setup to unlock the phone.
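The "adjust brightness and contrast" step above is nothing more than a linear remap of a flat, under-exposed photo onto the full tonal range, which is one reason the attack is cheap. The following is an added example, not code from the CCC or from the article: it performs that contrast stretch in pure Python on a constructed low-contrast grayscale pattern standing in for a near-infrared iris photo (a real attempt would load the camera image instead), and serialises the result as a PGM file ready for printing. Percentile clipping and the no-contrast failure case are assumptions chosen here to mirror what a graphics editor's "auto contrast" does.

```python
"""Contrast stretch for a grayscale iris photo (added example, pure Python).

The sample image is constructed inline so the script runs offline; in
practice the input would be the near-infrared camera photo of the target.
"""


def build_sample_iris(size=32):
    """Constructed sample: a ring pattern whose pixel values are crowded
    into roughly 97..132, i.e. a flat, under-exposed photo of an iris."""
    centre = size / 2
    img = []
    for y in range(size):
        row = []
        for x in range(size):
            r = ((x - centre) ** 2 + (y - centre) ** 2) ** 0.5
            # alternating radial bands mimic iris furrows; the amplitude is
            # deliberately small so the raw image has little contrast
            sign = 1 if int(r) % 3 == 0 else -1
            row.append(int(115 + 25 * sign * (r / size)))
        img.append(row)
    return img


def dynamic_range(img):
    """Return (min, max) pixel value of a 2-D list-of-rows image."""
    flat = [v for row in img for v in row]
    return min(flat), max(flat)


def stretch_contrast(img, low_pct=1.0, high_pct=99.0):
    """Linear contrast stretch: map the low_pct..high_pct percentiles of
    the histogram onto 0..255 and clip everything outside that window.
    Percentile clipping (rather than plain min/max) stops a few hot or
    dead pixels from wasting the output range."""
    flat = sorted(v for row in img for v in row)
    lo = flat[int(len(flat) * low_pct / 100)]
    hi = flat[min(len(flat) - 1, int(len(flat) * high_pct / 100))]
    if hi <= lo:
        # a uniform image (lens cap on, blown-out flash) cannot be rescued
        raise ValueError("image has no contrast to stretch")
    scale = 255.0 / (hi - lo)
    return [
        [max(0, min(255, int(round((v - lo) * scale)))) for v in row]
        for row in img
    ]


def to_pgm(img):
    """Serialise as binary PGM (P5), which any viewer or print pipeline
    accepts; write the returned bytes with open(path, "wb")."""
    height, width = len(img), len(img[0])
    header = f"P5\n{width} {height}\n255\n".encode("ascii")
    return header + bytes(v for row in img for v in row)


if __name__ == "__main__":
    raw = build_sample_iris()
    print("raw range:", dynamic_range(raw))
    stretched = stretch_contrast(raw)
    print("stretched range:", dynamic_range(stretched))
    with open("iris_stretched.pgm", "wb") as fh:
        fh.write(to_pgm(stretched))
```

The stretched PGM is what gets printed in the next step; the point of the example is that no specialised tooling is involved, only a tonal remap that every image editor offers as a single menu item.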

“Iris recognition may be barely sufficient to protect a phone against complete strangers unlocking it. But whoever has a photo of the legitimate owner can trivially unlock the phone,” the CCC hackers noted. “Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris.”

This method of breaking iris authentication is as cheap as it is easy: all you need is a camera, a laser printer and a contact lens – and you don't even have to buy them if a friend will lend them to you.

An insecure option

Samsung intends the iris recognition to be used for in-store purchases with Samsung Pay, for checking bank accounts via Samsung Pass, and for logging into websites with the Web sign-in feature.

Samsung and Princeton Identity, the vendor that provides the iris recognition tech used in Galaxy S8 and S8+ phones, say that it provides “airtight security.”

Unfortunately for Samsung, this simply isn’t true.

“If you value the data on your phone – and possibly want to even use it for payment – using the traditional PIN-protection is a safer approach than using body features for authentication”, Dirk Engling, a spokesperson for the CCC, concluded.