Hackers Trick Samsung Galaxy S8 Iris Recognition Using a Printed Photo and a Contact Lens

Discussion in 'MacRumors.com News Discussion' started by MacRumors, May 24, 2017.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1


    German hackers have successfully broken the iris recognition authentication in the Samsung Galaxy S8 using equipment that costs less than the price of the smartphone, according to Ars Technica.

    Hackers with the Chaos Computer Club used a digital camera, a Samsung laser printer, and a contact lens to achieve the feat. The hack involved taking a picture of the phone owner's face, printing it out on paper, carefully placing the contact lens on the iris in the printout, and holding the image in front of the locked Galaxy S8.


    The video shown above was posted by the hackers to demonstrate the process in action. The photo doesn't have to be a close-up shot, although using night-shot mode or removing the infrared filter helps, according to the hackers.

    The hack comes despite the fact that both Samsung and Princeton Identity, the manufacturer of the authentication technology, say iris recognition provides "airtight security" that allows consumers to "finally trust that their phones are protected". Princeton Identity have also said the Samsung partnership "brings us one step closer to making iris recognition the standard for user authentication."

    The Galaxy S8 is one of the first flagship phones to offer iris recognition as a convenient alternative to using a passcode or fingerprint, but the hackers said they suspect future mobile devices that offer iris recognition may be equally easy to hack. Apple is widely expected to include the feature alongside Touch ID and face recognition in this year's much-rumored OLED iPhone, although the possible origins of the technology remain unclear.

    Apple has already trademarked "Iris Engine", presumably in relation to the upcoming feature, with its acquisition of companies such as Faceshift and PrimeSense lending credence to the suggestion that Apple is developing its own solution for the so-called "iPhone 8". One report has claimed that Taiwan-based supplier Xintec, an affiliate of Apple manufacturer TSMC, is mass-producing the iris recognition chips for Apple.

    Samsung reportedly added a facial recognition capability to the Galaxy S8 because of doubts about the reliability of iris scanning on its own, but the security of the facial recognition itself came into question almost immediately, when a photo of a user's face was used to unlock a handset at the S8 launch event.

    Article Link: Hackers Trick Samsung Galaxy S8 Iris Recognition Using a Printed Photo and a Contact Lens
     
  2. Sunny1990, May 24, 2017
    Last edited: May 24, 2017

    Sunny1990 Suspended

    Sunny1990

    Joined:
    Feb 13, 2015
    #2
    So Samsung's gimmick feature got hacked!!!

    Apple has already trademarked "Iris Engine",
    One report has claimed that Taiwan-based supplier Xintec, an affiliate of Apple manufacturer TSMC, is mass-producing the iris recognition chips for Apple. :- Macrumors quote

    No doubt Touch ID is more secure than the iris scanner. Hope Apple does not make the iris scanner a Touch ID replacement. Just keep it as a secondary form of security.
     
  3. Nik, May 24, 2017
    Last edited: May 24, 2017

    Nik macrumors 6502a

    Joined:
    Jun 3, 2007
    Location:
    Germany
    #3
    They also tricked Touch ID btw. With a photograph + wax. For Samsung you need Photograph + Contact Lens. Not much different. Both systems are not secure.
     
  4. Zirel, May 24, 2017
    Last edited: May 24, 2017

    Zirel Suspended

    Zirel

    Joined:
    Jul 24, 2015
    #4
    This is why I buy Apple.

    Instead of trying to check all the bullet points, they only put what really works, and doesn't get fooled by... a mere B/W photograph and a contact lens... but things like this don't matter and people will keep buying Samsung, and the sales clerks will keep pushing "but the Samsung has X feature and the iPhone doesn't".

    Also, unlike TouchID sensors, camera sensors consume a lot of power, nobody intelligent will want to use this in real life, or their battery life will suffer from the 100+ unlocks most people do every day...
     
  5. TheShadowKnows! macrumors 6502a

    TheShadowKnows!

    Joined:
    Sep 30, 2014
    Location:
    National Capital Region
    #5
    Iris -> Siri
    Both worthless. Who would have thought?
     
  6. keysofanxiety macrumors G3

    keysofanxiety

    Joined:
    Nov 23, 2011
    #6
    Ah that blog post from Princeton Identity...
    I can't help but imagine lots of people having conversations with cardboard cutouts of their coworkers and not knowing the difference.

    By replicating a fingerprint in identical detail, yes. It's like 'tricking' a door by creating the exact key which fits the lock. Samsung's door, on the other hand, would simply creak open by whistling into the lock like a Shaman Throat Warbler. :D
     
  7. Urban Joe Suspended

    Joined:
    Mar 19, 2012
  8. Zirel Suspended

    Zirel

    Joined:
    Jul 24, 2015
    #8
    So worthless, that Apple received multiple awards for its use by disabled people...
     
  9. Nik macrumors 6502a

    Joined:
    Jun 3, 2007
    Location:
    Germany
    #9
    They needed a photograph for it. The only difference being that they needed wax in addition to create a negative from the positive. Not much different at all. For Iris you need a contact lens in addition, for TouchID you need wax.
     
  10. Relentless Power, May 24, 2017
    Last edited: May 24, 2017

    Relentless Power macrumors Penryn

    Relentless Power

    Joined:
    Jul 12, 2016
    #10
    @Sunny1990. Actually, you're incorrect. Iris scanning is far more secure than a fingerprint scanner.

    The iris is the colored pattern part of your eye. It is developed when you're approximately a year old or so. An eye injury or death, apparently never changes after the fact. Fingerprints can likely be duplicated one out of 50,000, whereas iris scanning is more similar to one out of 1 million. It uses infrared and a camera to detect the iris.

    Iris scanning is also expected to be 5/6 times more secure than a fingerprint and accurate in reading, because it contains more unique information about you and makes it highly more accurate/reliable than fingerprint scanning. Fingerprint scanning can be duplicated.

    http://science.howstuffworks.com/biometrics4.htm

    http://findbiometrics.com/solutions/iris-scanners-recognition/
     
  11. JaySoul macrumors 68030

    JaySoul

    Joined:
    Jan 30, 2008
    #11
    If hackers want to get into your phone, they'll usually find a way.

    Nothing is 100% accurate so it's good that this has been highlighted.
     
  12. Morgenland macrumors 6502a

    Morgenland

    Joined:
    May 28, 2009
    Location:
    Europe
    #12
    Well done CCC!
    Samsung has a problem. They must meet development milestones, therefore development engineers must release non-approved subsystems. I assume the problem was known among the engineers. General issue around the world. Similar to Samsung's battery problem. A deep view into the company ;-)
     
  13. JosephAW macrumors 68020

    JosephAW

    Joined:
    May 14, 2012
    #13
    This is why I still use an old-school keyboard password.
     
  14. keysofanxiety macrumors G3

    keysofanxiety

    Joined:
    Nov 23, 2011
    #14
    I didn't know this, really interesting. Seeing as the margin for error is far lower (providing the iris scanning software works as it should and was extensively tested), it seems to further highlight Samsung's incompetence if it could be beaten by a photograph and a contact lens.

    Though if I've jumped to the wrong conclusion, please correct me if I've missed the mark. :oops:
     
  15. tdream macrumors 65816

    Joined:
    Jan 15, 2009
    #15
    Samsung security is worthless because hackers found a way to steal a sample of your saliva, reengineer a perfect clone of you using stem cells and dna material left on your starbucks coffee cup. Now they've stolen your wife, family and kids, house, bank accounts, dog and collection of baseball cards.
     
  16. Relentless Power macrumors Penryn

    Relentless Power

    Joined:
    Jul 12, 2016
    #16
    You mean nothing is 100% reliable. That's why security needs to be constantly dynamic and ever-changing. Because stagnancy and being complacent allows for those to infiltrate and find ways to steal information. It's one of the reasons I trust Apple, because I know they will put the research and development into my security.
     
  17. Jsameds macrumors 68040

    Joined:
    Apr 22, 2008
    #17
    Biometric unlocks are a fairly secure method of accessing a phone that are also incredibly quick and convenient for the user.

    Of course it's not ultra secure; if you wanted watertight security then you'd have a custom 30 digit alphanumeric passcode, but biometrics are good enough for most of us. As I said, they are fairly secure and very convenient.
     
  18. djcerla macrumors 68000

    djcerla

    Joined:
    Apr 23, 2015
    Location:
    Italy
    #18
    Too bad this very article completely disproves your point.
     
  19. SgtPepper12 macrumors 6502a

    SgtPepper12

    Joined:
    Feb 1, 2011
    Location:
    Germany
    #19
    I'd say it's a whole lot different. Every method I saw trying to unlock Touch ID required substantial work, special equipment and skill. This method on the other hand requires a camera and a printer, no special equipment at all.

    Anyway, you are right though that both methods should not be considered perfectly secure. They clearly are a compromise between security and convenience. Usually it's good enough. I doubt people who steal phones will first make sure they have a glass with the owner's prints on it or an infrared photograph of their faces. It is not an actual threat.
     
  20. episodex macrumors newbie

    Joined:
    May 24, 2017
    #20
    You know why it's not an issue? Because there is no photo of me or any of you on the Internet where you can see the iris in enough detail to unlock the phone. Check all your Facebook photos. I don't think you'll find any unless you do some crazy close-up selfies of your eyes. The thing from the article is an academic example where you take a photo prepared specially for this.

    I did a test in my office some days ago. We took a close-up photo of my eyes with the 13mpix camera of another phone (there's no way someone can do it to you without your knowledge), and looking at the photo I couldn't tell any details of the iris. It was just a dark blurry circle. No way it could unlock the phone whatever you put on it.
     
  21. PinkyMacGodess macrumors 601

    PinkyMacGodess

    Joined:
    Mar 7, 2007
    Location:
    Midwest America.
    #21
    So is this worse than when they were blowing up?

    I think it's a blow to their 'truthiness'. That was a marketing point for the device.
     
  22. keysofanxiety, May 24, 2017
    Last edited: May 24, 2017

    keysofanxiety macrumors G3

    keysofanxiety

    Joined:
    Nov 23, 2011
    #22
    I wouldn't say it disproves @Relentless Power's point. You see, it's like comparing a fingerprint scanner on an old DELL laptop to Touch ID on the iPhone; they're two completely different animals.

    I think Relentless was implying that in theory, iris scanning is substantially more accurate and has much less chance of being faked than scanning a fingerprint. With the correct implementation it would be extremely secure and certainly wouldn't be beaten by a photograph.

    But seeing as we're here, it looks like Samsung have once again rushed the release of a feature so they could be the one to say "first" and one-up the iPhone in some way, rather than actually caring about their users' privacy and creating something truly great and accurate.
     
  23. Relentless Power macrumors Penryn

    Relentless Power

    Joined:
    Jul 12, 2016
    #23
    Replace what exactly? Touch ID is a primary security feature, it's not secondary. Apple never replaced Touch ID with anything.
     
  24. craigrusse11 macrumors member

    Joined:
    May 24, 2017
    #24
    I would have thought getting a hi-res picture of a face is easier than a picture of fingerprints?
     
  25. samcraig macrumors P6

    Joined:
    Jun 22, 2009
    Location:
    USA
    #25
    Those that don't understand the condition in which this was accomplished should refrain from commenting.
     
