After demonstrating how easily Apple’s Touch ID can be fooled with a user fingerprint photographed from a glass surface, Chaos Computer Club (CCC) hacker “Starbug” has proven that the iris recognition system in Samsung’s Galaxy S8 smartphone can be fooled by using a printed photo of the user’s eye(s).
As demonstrated in the video below, the whole process is extremely simple:
- Take a photo of the user with a digital camera (preferably in night-shot mode or with the infrared filter removed as these settings make details of the iris more recognizable)
- Adjust the photo’s brightness and contrast with a graphics editor to make all iris structures well visible
- Print the iris picture
- Place a contact lens over the printed iris (to imitate the curvature of a real eye’s surface)
- Use the setup to unlock the phone.
“Iris recognition may be barely sufficient to protect a phone against complete strangers unlocking it. But whoever has a photo of the legitimate owner can trivially unlock the phone,” the CCC hackers noted. “Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris.”
This method of breaking iris authentication is as cheap as it is easy: all you need is a laser printer and a contact lens – you don’t even have to buy them if a friend will loan them to you.
An insecure option
Samsung intends the iris recognition tech to be used for making purchases with Samsung Pay in-store, checking bank accounts via Samsung Pass, and logging into favorite sites with the Web sign-in feature.
Samsung and Princeton Identity, the vendor that provides the iris recognition tech used in Galaxy S8 and S8+ phones, say that it provides “airtight security.”
Unfortunately for Samsung, this simply isn’t true.
“If you value the data on your phone – and possibly want to even use it for payment – using the traditional PIN-protection is a safer approach than using body features for authentication,” Dirk Engling, a spokesperson for the CCC, concluded.