Samsung Galaxy S8’s ‘airtight’ iris scanner spoofed with iris printout
Hackers have once again proved there’s no such thing as true security for your phone.
Samsung’s “airtight” (the company’s word, not mine) iris scanner is included on the Galaxy S8 as an alternative form of biometric security in addition to the built-in fingerprint sensor.
Galaxy S8 users can choose to set up the iris scanner, which is more secure than the face recognition, to unlock the phone or authenticate Samsung Pay mobile payments.
The biggest advantage to using an iris scanner compared to face recognition is that ordinary photos usually can’t fool it. An ordinary photo doesn’t contain the unique patterns in a person’s eyes that can only be seen with an infrared sensor.
That’s exactly why the CCC didn’t use an ordinary photo to trick the S8’s iris scanner.
For its hack, the CCC used a “good digital camera with 200mm-lens at a distance of up to five meters” to take a photo of a person’s eye. The camera was switched to its “night mode” in order to capture the iris’ patterns.
The image of the iris was then printed on a laser printer (ironically, a Samsung one) and a contact lens was placed on top to give it depth.
CCC registered a person’s iris on the S8 and then tested the fake iris. Lo and behold, it worked and the phone unlocked.
BUT… as simple as the hack sounds, it still requires some trial and error. CCC even says as much (emphasis mine):
Depending on the picture quality, brightness and contrast might need to be adjusted. If all structures are well visible, the iris picture is printed on a laser printer.
How many images adjusted for image quality, brightness, contrast, etc. were tested before they got one that worked? I reached out to CCC on Twitter for more details.
CCC’s Jan Krissler (aka “starbug”) told me over direct message they tested three printers, printing five to ten variations per printer, before they got a positive with a Samsung laser printer. The printout of the iris worked out to “80 pixel iris diameter.”
“The Samsung model was a standard consumer product, around 250 Euro. We tested multiple prints on multiple kinds of paper. All of them worked. It worked instantly after we found the working printer.”
The iris scanner hack isn’t unlike the many fingerprint sensor hacks we’ve seen over the years. It looks easy enough, but the probability of it happening is unlikely. How many people have photos of their eyes, captured with night mode, floating around on the web? (Again, your regular selfies won’t fool the iris scanner.)
As proof-of-concept, yes it works. But the same goes for breaking open your home’s door lock or car door. It’s possible, and anyone who really wants to gain access could jump through these hoops to get into your phone, but is it a reason to live in fear or not buy this phone? Not at all.
We reached out to Samsung for official comment on the hack and received the following:
“We are aware of the issue, but we would like to assure our customers that the iris scanning technology in the Galaxy S8 has been developed through rigorous testing to provide a high level of accuracy and prevent attempts to compromise its security, such as images of a persons iris. If there is a potential vulnerability or the advent of a new method that challenges our efforts to ensure security at any time, we will respond as quickly as possible to resolve the issue.”