Well, that didn’t take long. Samsung’s Galaxy S8 flagship smartphone has been out for only a month and its iris scanning biometric security feature has already been hacked. The Chaos Computer Club figured out how to trick the iris recognition technology, and it was surprisingly simple.
The Galaxy S8’s iris recognition is touted as a great alternative to tapping out an unlock passcode, and it lets you authenticate for credit card transactions through Samsung Pay—the company’s version of Apple Pay. It’s also apparently great at letting anyone who can snap a photo of your eye into your phone so they can rack up credit card charges through Samsung Pay.
The CCC defeated the Galaxy S8’s iris recognition by snapping a photo of someone’s eye using a smartphone camera in night shot mode—and they didn’t even need to be close to the subject. The image quality from shots taken as far away as 16 feet using a nice digital camera worked just fine, too.
Next, they adjusted the image so the iris was about actual size and printed it on a laser printer. Ironically, they got the best print quality from Samsung’s own models. They placed a regular contact lens over the iris print, and that was more than enough to trick the S8’s recognition system.
The CCC said, “By far the most expensive part of the iris biometry hack was the purchase of the Galaxy S8 smartphone.”
Samsung’s Galaxy S8 has already been declared the most breakable smartphone ever, and now its biometric security seems pretty weak at best—so it’s hackable and crackable. But at least it looks nice.
CCC spokesperson Dirk Engling offered up some advice for Galaxy S8 owners saying,
If you value the data on your phone—and possibly want to even use it for payment—using the traditional PIN-protection is a safer approach than using body features for authentication.
I did a little online shopping to see how much it costs to hack the S8’s iris recognition, including buying the very phone you’re going to hack. It just seemed right to use the Galaxy S8 to hack the Galaxy S8.
- Samsung Galaxy S8 smartphone (for a selfie of your eye, and to hack) $738
- Samsung Xpress color laser printer (to print out the iris photograph) $115
- Contact lens about $3
- Schadenfreude from bypassing the S8’s biometric security priceless
Of course, if the iPhone 8 includes iris recognition that turns out to be as easy to hack I’ll be eating some serious digital crow. Until then, here’s the CCC’s video showing the hack in action. It’s crazy how simple it is.
I’m starting to think MacOb is “compensating” for something…..
We all know Samsung sells millions more smartphones worldwide than Apple, and Apple uses Samsung for its own smartphone hardware so why the pissing? Apple is struggling with the fingerprint sensor in the new iPhone (why they’ve been slow on it) to the point the rumor is a DONGLE with sensor may be used. A DONGLE is so Apple it’s not funny. For a company known for ‘leading from behind’, I’d think you guys would be a little kinder to your big brother Samsung.
No, you’re holding it wrong, Jeff.
That’s a feature. Not a bug. You know, in case you lose your eyes or something. If you had planned ahead, scanned your eye and got one of those contact lens thingies, then tadaaa – you’re in like Flint.
Genius, no?
It seems to be rather particular. I was doing some masonry work around my house and got a shallow cut on my thumb and some other wear and tear. I had to add a new fingerprint to TouchID. A damp finger will usually not unlock it.
Then I suppose pulling out people’s eyeballs and using them to unlock their smartphones won’t be far behind. There probably isn’t any security system that can’t be hacked in some form or another. Apple has been fortunate so far with TouchID.
Oh my. Would the fix be requiring the iris scan be taken from less than a selfie away? So that resolution would be better?