I challenge you to take a detailed photo of a random person's iris from a moving person, zoomed right in, without them realising you're up to something odd.
If someone is out to get you they will wait until you go to lunch, and there are devices more than capable of taking such pictures from a distance. Why are you dreaming of someone trying to get a picture from a running target? You think they are stupid?
 
If you are carrying around military grade secrets on your phone, and you think a government agency is going to try and gain access to them then sure, this or indeed TouchID is probably not secure enough and you should be using a random 30 digit alphanumerical code.

But.... is this secure enough for 99.9% of people who in reality want to protect their data from a common thief? I'd say yes.

So I think most people should stop worrying. TouchID was fooled pretty early on and guess what, I've heard of no bad guys running around stealing phones whilst making wax impressions of the owner's fingers, and I believe the same will be true for retina scanning.
 
Of course it's not ultra secure; if you wanted watertight security then you'd have a custom 30 digit alphanumeric passcode, but biometrics are good enough for most of us as I said, they are fairly secure and very convenient.

Ding!

Iris recognition/face recognition etc. is (a) far, far more secure than the default option of not bothering with a PIN/password/gesture because it's too much hassle, or (b) combined with a PIN or password, adds another hurdle for a hacker to get over.

The point of personal day-to-day security is to make sure that your phone is one of the ones that the thief throws straight in the dumpster in favour of the one with "0000" as the PIN. If someone is actively targeting you, personally, then unless you're a security expert, you're probably hosed. Best solution to phone security: don't keep sensitive info on your daily driver phone - or at least keep the sensitive stuff separately encrypted.

Also, even the cheapest, crackerjack padlock (or its virtual equivalent) plays the important role of removing deniability:

"Honest judge, the owner told me I could use their phone, and it didn't have a PIN set..."
vs.
"Honest judge, the owner told me I could take a high res picture of their face, glue a contact lens over the eye and use it to unlock the phone ..."
 
Those that don't understand the condition in which this was accomplished should refrain from commenting.
Of course, because it's a Samsung phone. If this were a Touch ID hack on an iPhone, I'm sure snarky and uninformed comments would be more than welcome. You can't have it both ways...
 
There is no such thing as "unhackable" any more than there is a "tamper-proof" lock. If it's made by a human it can ultimately be defeated by a human. It might be hard, it might be ugly. But it can be done. Doesn't matter who designed it. This isn't an Apple or Samsung or Microsoft or Google or Master Lock thing. Humans are not infallible -- something too many people can't really grasp.
 
So if some German guy wants a closeup picture of my eye, don't let him. Got it. Other than that, should be pretty secure.
 
Not surprising to me knowing Samsung. The only surprising thing to me in this situation is the fact that the Iris scanner worked at all. Was crap when I tried it.
 
If hackers want to get into your phone, they'll usually find a way.

Nothing is 100% accurate so it's good that this has been highlighted.
The best way is not to lose it! I don't use any of this stuff because I'm not in a James Bond movie :)
 
Ever heard of a tele/zoom lens? You don't need to be close at all.

With respect, have you ever done any photography? I'm no professional, but I spent a couple of years with a 50D coupled with a 70-200mm f/2L lens with built-in IS. Apart from sticking out like a sore thumb, a person's eyes are in constant motion. You need to catch their eyes staring directly at you to get the shot you need. By which point, I'm sure most people would realise something is up.

Moreover, somebody mentioned Facebook. Potentially, yes that's another option but you would need a decent quality close-up to get the level of detail required from the iris. The chances of this are very unlikely, and with Facebook becoming more and more private, you'll also probably need to be "friends" with this person.

As others have said; any system is hackable. TouchID is no different, probably easier! The short of the long is if anyone has something that's so sensitive, they'll either not have it on their phone, or they'll probably have it locked up with secondary security within the phone itself.
 
Well to be honest it's not just a bit of wax, there's a lot of expensive equipment needed. Copy/pasta from a comment on an article regarding the TouchID hack:
Where are you getting this whole expensive equipment idea? Detailed process maybe, but expensive equipment... yeah, not so much.
"It's very easy. You basically can do it at home with inexpensive office equipment like an image scanner, a laser printer, and a kit for etching PCBs. And it will only take you a couple of hours. The techniques are actually several years old and are readily available on the Internet." - Starbug, the actual hacker who bypassed Touch ID and Samsung's Iris Scanner.
Ars Technica article
 



German hackers have successfully broken the iris recognition authentication in the Samsung Galaxy S8 using equipment that costs less than the price of the smartphone, according to ArsTechnica.

Hackers with the Chaos Computer Club used a digital camera, a Samsung laser printer, and a contact lens to achieve the feat. The hack involved taking a picture of the phone owner's face, printing it out on paper, carefully placing the contact lens on the iris in the printout, and holding the image in front of the locked Galaxy S8.


The video shown above was posted by the hackers to demonstrate the process in action. The photo doesn't have to be a close-up shot, although using night-shot mode or removing the infrared filter helps, according to the hackers.

The hack comes despite the fact that both Samsung and Princeton Identity, the manufacturer of the authentication technology, say iris recognition provides "airtight security" that allows consumers to "finally trust that their phones are protected". Princeton Identity have also said the Samsung partnership "brings us one step closer to making iris recognition the standard for user authentication."

The Galaxy S8 is one of the first flagship phones to offer iris recognition as a convenient alternative to using a passcode or fingerprint, but the hackers said they suspect future mobile devices that offer iris recognition may be equally easy to hack. Apple is widely expected to include the feature alongside Touch ID and face recognition in this year's much-rumored OLED iPhone, although the possible origins of the technology remain unclear.

Apple has already trademarked "Iris Engine", presumably in relation to the upcoming feature, with its acquisition of companies such as Faceshift and PrimeSense lending credence to the suggestion that Apple is developing its own solution for the so-called "iPhone 8". One report has claimed that Taiwan-based supplier Xintec, an affiliate of Apple manufacturer TSMC, is mass-producing the iris recognition chips for Apple.

Samsung reportedly added a facial recognition capability to the Galaxy S8 because of doubts about the reliability of iris scanning on its own, but the security of the facial recognition itself came into question almost immediately, when a photo of a user's face was used to unlock a handset at the S8 launch event.

Article Link: Hackers Trick Samsung Galaxy S8 Iris Recognition Using a Printed Photo and a Contact Lens
Hmmmmm. Looks like Samsung didn't see that coming.
 
I think a fart ID would be un-hackable. My wife can distinguish the smell of my farts even in a crowded place. She says she can recognize them out of a million and there is no fooling her. Just build a fart sensor based on blood hound technology and that's it. To fool the system, they have to have a sample of the owner's fart. :p
 
Of course, because it's a Samsung phone. If this were a Touch ID hack on an iPhone, I'm sure snarky and uninformed comments would be more than welcome. You can't have it both ways...

I think the comments about TouchID being hackable are just as silly most of the time when it requires such specific criteria it's essentially a non-issue.

Many people use no form of device locking. That's an issue right there. And you're likely to have data compromised through any number of apps or cloud services than someone actually getting into your phone.
 
I didn't know this, really interesting. Seeing as the margin for error is far lower (providing the iris scanning software works as it should and was extensively tested), it seems to further highlight Samsung's incompetence if it could be beaten by a photograph and a contact lens.

Though if I've jumped to the wrong conclusion, please correct me if I've missed the mark. :oops:

A lot of the anti-spoofing technology is built into the hardware rather than the software. The iris scanners used at airports have a mechanism to detect liveness. It simply flashes light, causing your pupil to expand, and based on that it concludes that a real eye is presented.
With the Samsung phone they would probably be able to implement a feature like that easily. But as with most hardware vendors, they sometimes make bad design decisions. Apparently there is no liveness detection built in.

In the past, Microsoft OEM'd a fingerprint reader from DigitalPersona, the U.are.U reader. Although that reader in its original format had built-in end-to-end encryption, preventing so-called replay attacks, Microsoft for whatever reason decided not to turn that feature on, causing the reader to be hacked almost immediately. Then Microsoft issued a statement that fingerprint readers are convenience devices rather than security devices. A big blow for the adoption of biometric fingerprint technology.

Besides border control, where expensive readers are used, it took years for biometric fingerprint readers to take off; only when Apple acquired AuthenTec back in 2012 did biometric fingerprint reader technology have serious lift-off and start the global adoption of readers in mobile and at desktops.
 
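As an added example (not code from any poster here, nor from Samsung, Microsoft or DigitalPersona), the two mechanisms the post above describes, in simplified Python: a pupillary-light-reflex liveness check (a living pupil constricts when the sensor raises its illumination; a printout under a contact lens cannot react) and a challenge-bound sensor capture that lets the host reject replayed reader output, which is the kind of end-to-end protection the post says the U.are.U reader shipped with. The constriction threshold, the pupil-radius frames, the iris template bytes and the HMAC pairing-key scheme are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Sequence

# Assumed threshold: once illumination rises, the mean pupil radius must drop
# to at most 85% of its previous value for the presentation to count as live.
MIN_CONSTRICTION_RATIO = 0.85


def pupil_reflex_liveness(before: Sequence[float], after: Sequence[float],
                          max_ratio: float = MIN_CONSTRICTION_RATIO) -> bool:
    """Pupillary-light-reflex check.

    `before` and `after` are pupil radii measured by a hypothetical iris camera
    over a few frames before and after it raises its illumination. A live eye
    constricts; a printed iris keeps the same radius, so its ratio stays near
    1.0 and the check fails.
    """
    if not before or not after:
        return False
    mean_before = sum(before) / len(before)
    mean_after = sum(after) / len(after)
    if mean_before <= 0:
        return False
    return mean_after / mean_before <= max_ratio


@dataclass(frozen=True)
class Capture:
    template: bytes  # iris template as the reader would emit it (constructed)
    nonce: bytes     # host challenge this capture answers
    tag: bytes       # HMAC-SHA256 over nonce || template under the pairing key


def reader_capture(pairing_key: bytes, nonce: bytes, template: bytes) -> Capture:
    """Reader side: bind the freshly captured template to the host's challenge."""
    tag = hmac.new(pairing_key, nonce + template, hashlib.sha256).digest()
    return Capture(template, nonce, tag)


class Host:
    """Host side: issues single-use challenges and verifies captures against them."""

    def __init__(self, pairing_key: bytes) -> None:
        self._key = pairing_key
        self._outstanding: Optional[bytes] = None

    def challenge(self) -> bytes:
        self._outstanding = secrets.token_bytes(16)
        return self._outstanding

    def verify(self, capture: Capture) -> bool:
        # Anything not answering the outstanding challenge is rejected; a
        # recorded capture carries a stale nonce and fails right here.
        if self._outstanding is None or not hmac.compare_digest(capture.nonce, self._outstanding):
            return False
        self._outstanding = None  # challenges are single use
        expected = hmac.new(self._key, capture.nonce + capture.template, hashlib.sha256).digest()
        return hmac.compare_digest(expected, capture.tag)


def demo() -> dict:
    """Run the scenarios from the thread and return their outcomes."""
    # Constructed pupil radii (pixels): a live eye reacting to the flash and a
    # printed iris that cannot react.
    live_before, live_after = [6.0, 6.1, 5.9], [4.2, 4.1, 4.0]
    print_before, print_after = [5.5, 5.5, 5.6], [5.5, 5.6, 5.5]

    key = secrets.token_bytes(32)  # constructed reader/host pairing key
    host = Host(key)
    nonce = host.challenge()
    capture = reader_capture(key, nonce, b"constructed-iris-template")
    first = host.verify(capture)
    replayed = host.verify(capture)  # the same bytes presented a second time

    return {
        "live_eye_passes_liveness": pupil_reflex_liveness(live_before, live_after),
        "printout_passes_liveness": pupil_reflex_liveness(print_before, print_after),
        "fresh_capture_accepted": first,
        "replayed_capture_accepted": replayed,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The liveness check lives next to the sensor so the decision is made before any template leaves the capture path, and the challenge binding means a host that never handed out a given nonce will not accept a capture that answers it, whatever the template says.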
OFFICIAL SAMSUNG PRESS STATEMENT

"The facts described are known to us. However, we assure our customers that the iris detection technology used in the Galaxy S8 has been rigorously tested.

Accordingly, this technology achieves high accuracy in the scanning process and thus effectively prevents attempts to bypass the authentication process, for example by means of a photograph of a human iris.

The results described by the Chaos Computer Club could only be achieved under a reality-unlikely combination of circumstances. The prerequisite would be that at the same time a high-resolution image of the iris of the smartphone owner, recorded with an infrared camera, as well as a contact lens and the corresponding smartphone are present. Our experts have recreated the case under the same conditions, but it was extremely difficult to reproduce the result.

However, if there is a potential security breach, or a new methodology is being developed that might challenge our security measures, we will respond as soon as possible and close the gap."


Source: https://www.mobilegeeks.de/news/s8irishack-ccc-entsperrt-samsung-galaxy-s8-mit-foto/
 
A lot of the anti-spoofing technology is built into the hardware rather than the software. The iris scanners used at airports have a mechanism to detect liveness. It simply flashes light, causing your pupil to expand, and based on that it concludes that a real eye is presented.
With the Samsung phone they would probably be able to implement a feature like that easily. But as with most hardware vendors, they sometimes make bad design decisions. Apparently there is no liveness detection built in.

In the past, Microsoft OEM'd a fingerprint reader from DigitalPersona, the U.are.U reader. Although that reader in its original format had built-in end-to-end encryption, preventing so-called replay attacks, Microsoft for whatever reason decided not to turn that feature on, causing the reader to be hacked almost immediately. Then Microsoft issued a statement that fingerprint readers are convenience devices rather than security devices. A big blow for the adoption of biometric fingerprint technology.

Besides border control, where expensive readers are used, it took years for biometric fingerprint readers to take off; only when Apple acquired AuthenTec back in 2012 did biometric fingerprint reader technology have serious lift-off and start the global adoption of readers in mobile and at desktops.

That was a great read and really interesting. Thank you for taking the time to detail that! :)
 
Too bad this very article completely disproves your point.
You're missing the difference between theoretical lab conditions vs one manufacturer's implementation which may well be improved upon by another manufacturer to take security beyond that of fingerprint recognition.
 