Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Hackers Trick Samsung Galaxy S8 Iris Recognition Using a Printed Photo and a Contact Lens

Yeah all you have to do is pry the phone from my hands get a picture of my eye. All while I wipe my phone remotely.

non issue.
 
  • Like
Reactions: Demo Kit
Didn't Touch ID get defeated by a nipple?

The point is, these are security feature meant for daily use. Of course anything can be tricked given the right set of highly unlikely circumstances and tools.
 
  • Like
Reactions: Demo Kit and Geert76
StarDal said:
That's why I stick to using a passcode: 12345.... the same I use for my luggage.
Click to expand...
Duuuuuuude. That's so insecure. I use a long alphanumeric passcode: 69Mustangissomuchbetterthan69camaroandmy69mustangsisbetterthanallcamarosnoonedeniesthis1. It's my passcode for everything. Granted it takes me a good 20 minutes to enter this but SECURE amirite?:D
 
samcraig said:
I think the comments about TouchID being hackable are just as silly most of the time when it requires such specific criteria it's essentially a non-issue.

Many people use no form of device locking. That's an issue right there. And you're likely to have data compromised through any number of apps or cloud services than someone actually getting into your phone.
Click to expand...

You speak the truth. Better something than nothing- and yes, you are far more likely to be hacked over the internet than in person.
 
  • Like
Reactions: Demo Kit
beanbaguk said:
It's a total non-issue since you need to have a detailed photo of the iris that needs to be used to unlock the phone.

In other words, somebody has to come up close to you to take a photo.

It's a little like getting a photograph of a key and then making a real one from it. The chances are it'll work.

Once again. Total non-issue.
Click to expand...

Did you even watch the video?
 
  • Like
Reactions: Zirel
69Mustang said:
Where are you getting this whole expensive equipment idea? Detailed process maybe, but expensive equipment... yeah, not so much.
"It's very easy. You basically can do it at home with inexpensive office equipment like an image scanner, a laser printer, and a kit for etching PCBs. And it will only take you a couple of hours. The techniques are actually several years old and are readily available on the Internet." - Starbug, the actual hacker who bypassed Touch ID and Samsung's Iris Scanner.
Ars Technica article
Click to expand...

TouchID can become pretty much "unbreakable" if only Apple includes these options in the security settings:

- mandatory password login after only 1 failed attempt with TouchID
- mandatory password login if the phone was not used for a set period of time (should be user selectable; I would be happy with 0,5-5 hours time interval)

Thats it. Makes it way more secure right there.
 
DCIFRTHS said:
Did you even watch the video?
Click to expand...

It was totally staged! The guy looked directly into the camera for a clear shot. Once again, I put the challenge to you also. Go ahead and start taking photos of people this way and then tell us how many black eyes you come back with.

You would literally have to stalk that person to get the right shot (which I'm not saying is impossible, but really very difficult).
 
  • Like
Reactions: Demo Kit, Tinmania, episodex and 1 other person
All technology is fallible, think about it if it wasn't there would never be a hack ever. For this"hack" to work they needed a picture of the iris used to set-up the phone. How many people have pictures of your iris? Then how many people know you have a Samsung phone? Then how many of these people were able to "acquire" your said phone. It's a fun party trick but it's BS in the real world.
 
  • Like
Reactions: Demo Kit, episodex and beanbaguk
As with Touch ID, the security an iris scanner could deliver is highly situational. Probably good enough to keep strangers out if you lose the device, but can be defeated by persons close to you or by law enforcement. Thus for me the interesting bit is how much authorisation this security feature gives in the first place.

ivan_k said:
TouchID can become pretty much "unbreakable" if only Apple includes these options in the security settings:

- mandatory password login after only 1 failed attempt with TouchID
- mandatory password login if the phone was not used for a set period of time (should be user selectable; I would be happy with 0,5-5 hours time interval)

Thats it. Makes it way more secure right there.
Click to expand...

I completely agree. It is because of this that Touch ID doesn’t give me that much confidence. The same with Siri really, I had to disable it, because it discloses too much personal information to anyone who asks.
 
69Mustang said:
Duuuuuuude. That's so insecure. I use a long alphanumeric passcode: 69Mustangissomuchbetterthan69camaroandmy69mustangsisbetterthanallcamarosnoonedeniesthis1. It's my passcode for everything. Granted it takes me a good 20 minutes to enter this but SECURE amirite?:D
Click to expand...

#FoundOnRoadDead
 
  • Like
Reactions: 69Mustang
Jsameds said:
You should really lock your phone.

You don't need to have what most people consider 'important stuff' on there for someone to do damage. Everything else that's already 'logged in' on your phone can be accessed, such as email or social media, and access to just emails the user can change your passwords to everything you've ever signed up for (including bank accounts), take control and steal your identity.

Keep your phone locked.
Click to expand...

My banking is protected (Swedish wonderful app BankID, require my 10-digit personal number and 10-digit passcode), never store important passwords in browser, don't use social media (at all, actually, no facebook, no twitter, no nothing). Mail accounts are on my private server, if they change the password I can easily change it to something they have no clue of.
So, no, no important stuff or passwords on the phone, who needs passcodes?
I can probably wipe the phone faster than they can do damage even if I had passwords I cared about on the phone.

My phone is a phone which I use to communicate with people foremost, not keep my digital life.
 
keysofanxiety said:
I wouldn't say it disproves @Relentless Power's point. You see, it's like comparing a fingerprint scanner on an old DELL laptop to Touch ID on the iPhone; they're two completely different animals.

I think Relentless was implying that in theory, iris scanning is substantially more accurate and has much less chance of being faked than a scanning a fingerprint. With the correct implementation it would be extremely secure and certainly wouldn't be beaten by a photograph.

But seeing as we're here, it looks like Samsung have once again rushed the release of a feature so they could be the one to say "first" and one-up the iPhone in some way, rather than actually caring about their users' privacy and creating something truly great and accurate.
Click to expand...
You were doing good until you over-reached right at the end there. Did you read what the testers had to do to "defeat" the scanning technology? Even TouchID doesn't live up to the standards you imply, and it never was meant to. TouchID, Iris scanning, and whatever other biometric scanner in these consumer level devices is meant to be a balance between convenience and security. In regard to TouchID, even Tim Cook said it was a solution to increase security because people were disabling their access code altogether. TouchID, while not 100% secure, it 100 fold better than nothing. If the Iris scanning tools provide a similar level of ease of use, then they have done their job. Oh, and for what it's worth, it seems that many Apple fans live for the "first and one-up" moniker. Don't know how Samsung is getting slagged for that.
 
  • Like
Reactions: jasvncnt, Demo Kit and the future
beanbaguk said:
With respect, have you ever done any photography? I'm no professional, but I spent a couple of years with a 50D coupled with a 70-200mm f/2L lens with built in IS. Apart from sticking out like a sore thumb, a persons eyes are in constant motion. You need to catch their eyes staring directly at you to get the shot you need. By which point, I'm sure most people would realise something is up.
Click to expand...

Sorry, but you are very wrong about this. Modern mirrorless cameras are way smaller and more discreet than DSLRs while delivering stunningly sharp pictures. Lenses are also smaller. You have automatic eye detection, so the eye will always be in perfect focus. Even if the eyes wander, with high-speed bursts of pictures you will get a direct iris picture very, very easily.

That being said, it's still a method that demands a considerable amount of gear and effort. So it's not that big of a deal in normal circumstances. The bigger problem, according to various reviews, is that the iris recognition (of your own eye) is rather flaky and unreliable.
 
Nik said:
They also tricked Touch ID btw. With a photograph + wax. For Samsung you need Photograph + Contact Lens. Not much different. Both systems are not secure.
Click to expand...

Could you please point us to a report about this hack? All I've seen so far in terms of Touch ID hacks either involved fingerprint holds or fairly involved 3D reconstructions from digital models. Certainly nothing as simple as "photograph + wax".
 
bollman said:
My banking is protected (Swedish wonderful app BankID, require my 10-digit personal number and 10-digit passcode), never store important passwords in browser, don't use social media (at all, actually, no facebook, no twitter, no nothing). Mail accounts are on my private server, if they change the password I can easily change it to something they have no clue of.
So, no, no important stuff or passwords on the phone, who needs passcodes?
I can probably wipe the phone faster than they can do damage even if I had passwords I cared about on the phone.

My phone is a phone which I use to communicate with people foremost, not keep my digital life.
Click to expand...

That kinda defies most of the point of having a smartphone..

Even so, damage can still be done. With an unlocked iPhone you can find out the phone's common locations - your work and home for example. In the phonebook you will likely have your home number, so potentially a criminal could find your phone, travel to your house, ring your home phone to see if anyone's in. If not - easy pickings.

And that's just for starters. Every tiny bit of info can be used against you, even your messages.

I'll stress this again, you should really lock your phone. As much as you feel like there is nothing of importance on there, I guarantee you there is.
 
A much safer recognition would be "Butt ID".

It is a fact, that every person has a unique skin pattern around the sphincter ani.

A smartphone, that could recognise that pattern could give access to its owner. The main advantage over the Iris is, that it can not so easily be photographed in public, through surveillance cameras etc... because it is usually covered by clothes.

Butt ID would theoretically be hack proof.
 
A guy managed to bypass Samsung's security using an image printed with a Samsung printer.
LOL.
Unbox your phone alright! Innovation!
 
I wear glasses all the time but have to take them off to use the iris scanner to unlock the phone. Now when said nasty person takes my photo with his ultra hi res infred camera how is that going to work? just a thought
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back