Hackers Trick Samsung Galaxy S8 Iris Recognition Using a Printed Photo and a Contact Lens

They also tricked Touch ID btw. With a photograph + wax. For Samsung you need Photograph + Contact Lens. Not much different. Both systems are not secure.
The difference is your finger isn't posted all over social media with dozens or more different pictures to choose from. Your eyes however, they are in pretty much every picture of a person posted online. It's way easier to get access to someone else's eye image than it is to get their fingerprint image.

Although, I doubt most images online are detailed enough to actually use for iris scanning. Ultimately, this tech is probably safe enough for the masses to use as an additional security feature.
 
That kinda defies most of the point of having a smartphone..

Even so, damage can still be done. With an unlocked iPhone you can find out the phone's common locations - your work and home for example. In the phonebook you will likely have your home number, so potentially a criminal could find your phone, travel to your house, ring your home phone to see if anyone's in. If not - easy pickings.

And that's just for starters. Every tiny bit of info can be used against you, even your messages.

I'll stress this again, you should really lock your phone. As much as you feel like there is nothing of importance on there, I guarantee you there is.

Well, I can tell you know little of Sweden ;) Most of that info is readily available online, for free, totally open, about anyone. You don't need my phone number to find where I live, even the government would give that out to anyone that asks.
Like this:
https://www.hitta.se/patrik+sonestad/klagstorp/person/~TWjX44vnO?vad=patrik+sonestad
There you go, my address, complete with map and satellite picture, my birthday, all my phone numbers. The second address is my previous address in Malmö.

Or here:
https://www.ratsit.se/19740407-Joha...p/_BLrTgdlvqbDQmOn6TpM3-WW2oC_hw5_y9gIZ_KNyEM
They even show what cars I own. Pay them a fiver and they tell you where I work, what my salary is, what mortgage I have on my house, if I have any unpaid bills or if I'm rich (like own stocks, have a lot of money in the bank and so on). They even show my fiancee's name so you can investigate further, enjoy. :)

All this is public information, not hidden in any way.
 
Well, I can tell you know little of Sweden ;) Most of that info is readily available online, for free, totally open, about anyone. You don't need my phone number to find where I live, even the government would give that out to anyone that asks.
Like this:
https://www.hitta.se/patrik+sonestad/klagstorp/person/~TWjX44vnO?vad=patrik+sonestad
There you go, my address, complete with map and satellite picture, my birthday, all my phone numbers. The second address is my old address in Malmö.

Or here:
https://www.ratsit.se/19740407-Joha...p/_BLrTgdlvqbDQmOn6TpM3-WW2oC_hw5_y9gIZ_KNyEM
They even show what cars I own. Pay them a fiver and they tell you where I work, what my salary is, what mortgage I have on my house, if I have any unpaid bills or if I'm rich (like own stocks, have a lot of money in the bank and so on). They even show my fiancee's name so you can investigate further, enjoy. :)

All this is public information, not hidden in any way.

Wow, I really didn't know that. :eek:

Does this amount of open information not cause security issues?
 
Well, I can tell you know little of Sweden ;) Most of that info is readily available online, for free, totally open, about anyone. You don't need my phone number to find where I live, even the government would give that out to anyone that asks.
Like this:
https://www.hitta.se/patrik+sonestad/klagstorp/person/~TWjX44vnO?vad=patrik+sonestad
There you go, my address, complete with map and satellite picture, my birthday, all my phone numbers. The second address is my previous address in Malmö.

Or here:
https://www.ratsit.se/19740407-Joha...p/_BLrTgdlvqbDQmOn6TpM3-WW2oC_hw5_y9gIZ_KNyEM
They even show what cars I own. Pay them a fiver and they tell you where I work, what my salary is, what mortgage I have on my house, if I have any unpaid bills or if I'm rich (like own stocks, have a lot of money in the bank and so on). They even show my fiancee's name so you can investigate further, enjoy. :)

All this is public information, not hidden in any way.

I find that sort of freedom of information to be quite terrifying. I'll stick with my Canadian PIPEDA privacy regulations and safe in the knowledge that it's illegal here for anyone to share personal and identifiable information about an individual.
 
I used to have a gf from England, she was absolutely terrified too.
If you live under heightened threat, you can get supplied with a secret identity from the government, and I can tell you, you disappear when that happens. Everything gets extremely complicated with secret identity, you can't sign contracts on a new phone for example, since they can't check your credit history or address.

I think we as a society have a very high level of "trust", be it your fellow man or the government. And actually, crime is low here. There were 1510000 crimes reported last year, and that is all the way down to stolen bicycles.
 
They also tricked Touch ID btw. With a photograph + wax. For Samsung you need Photograph + Contact Lens. Not much different. Both systems are not secure.

But it's a lot harder to get fingerprints, photos of people with eyes open are everywhere. Clearly a huge difference.
So Samsung's gimmick feature got hacked!!!

Apple has already trademarked "Iris Engine",
One report has claimed that Taiwan-based supplier Xintec, an affiliate of Apple manufacturer TSMC, is mass-producing the iris recognition chips for Apple. :- Macrumors quote

No doubt touch id is more secure than iris scanner. Hope Apple not make iris scanner a Touch id replacement. Just keep it as secondary form of security.

Apple cannot replace TouchID with something else. Apple pay uses your fingerprint to execute payment. No fingerprint means no Apple Pay.
 
They also tricked Touch ID btw. With a photograph + wax. For Samsung you need Photograph + Contact Lens. Not much different. Both systems are not secure.
Far easier for someone to find a photograph of your face (eyes) than find a photo of your fingerprints.
 
The difference is your finger isn't posted all over social media with dozens or more different pictures to choose from. Your eyes however, they are in pretty much every picture of a person posted online. It's way easier to get access to someone else's eye image than it is to get their fingerprint image.

Although, I doubt most images online are detailed enough to actually use for iris scanning. Ultimately, this tech is probably safe enough for the masses to use as an additional security feature.

And a detailed IR picture of your iris isn't online on social media.
 
Far easier for someone to find a photograph of your face (eyes) than find a photo of your fingerprints.
A picture of your face, which contains eyes, is not good enough; it needs to be a high definition scan of your iris. They need to get a high definition scan of your iris. Then they need to know you have a phone which uses iris recognition. Then they have to steal/acquire that phone that uses iris recognition. Then they have to apply that high quality iris scan to the phone that they've stolen. Really, that's what you're worried about?
 
A picture of your face, which contains eyes, is not good enough; it needs to be a high definition scan of your iris. They need to get a high definition scan of your iris. Then they need to know you have a phone which uses iris recognition. Then they have to steal/acquire that phone that uses iris recognition. Then they have to apply that high quality iris scan to the phone that they've stolen. Really, that's what you're worried about?

Optometrists would have a very detailed image of your iris.
 
I don't think Iris Engine is iris recognition. It's something related to the display or the camera, like "Retina Display". It could be what they were going to call the feature that eventually became "Portrait Mode"
 
I think a fart ID would be un-hackable. My wife can distinguish the smell of my farts even in a crowded place. She says she can recognize them out of a million and there is no fooling her. Just build a fart sensor based on a blood hound technology and that's it. To fool the system, they have to have a sample of the owner's fart. :p
Revolutionary
 
Optometrists would have a very detailed image of your iris.
I don't see optometrists going out to hack people's phones, unless their iris database got hacked I guess. But then I haven't seen any optometrist lately.

If people are so worried, just get a phone that uses your blood sample as passcode.
 
That just adds another layer of obfuscation, they would have to know your optometrist, or if you even had one.
Last time I went to my optometrist, they did not take a photo of my eyes. They examined them in real time and that was the end of it.
Now I can see an ophthalmologist doing that when mapping the eye prior to surgery, but as a practical matter, optometrists don't photograph your eyes.
 
Well unless you're stupid enough to take a close up selfie of your face...

Judging from the description of the "hack", that wouldn't be enough.

I believe the photo in question was an IR photo of the retina. Which means that not only would a high quality photo of you need to be online, but a high quality IR photo.

I'm guessing the likelihood of that is just as high as your fingerprint being online as well.

Both this hack and the TouchID hack are more proof of concepts that yes, it CAN be done, but not that it's likely to happen.
 



German hackers have successfully broken the iris recognition authentication in the Samsung Galaxy S8 using equipment that costs less than the price of the smartphone, according to Ars Technica.

Hackers with the Chaos Computer Club used a digital camera, a Samsung laser printer, and a contact lens to achieve the feat. The hack involved taking a picture of the phone owner's face, printing it out on paper, carefully placing the contact lens on the iris in the printout, and holding the image in front of the locked Galaxy S8.


The video shown above was posted by the hackers to demonstrate the process in action. The photo doesn't have to be a close-up shot, although using night-shot mode or removing the infrared filter helps, according to the hackers.

The hack comes despite the fact that both Samsung and Princeton Identity, the manufacturer of the authentication technology, say iris recognition provides "airtight security" that allows consumers to "finally trust that their phones are protected". Princeton Identity have also said the Samsung partnership "brings us one step closer to making iris recognition the standard for user authentication."

The Galaxy S8 is one of the first flagship phones to offer iris recognition as a convenient alternative to using a passcode or fingerprint, but the hackers said they suspect future mobile devices that offer iris recognition may be equally easy to hack. Apple is widely expected to include the feature alongside Touch ID and face recognition in this year's much-rumored OLED iPhone, although the possible origins of the technology remain unclear.

Apple has already trademarked "Iris Engine", presumably in relation to the upcoming feature, with its acquisition of companies such as Faceshift and PrimeSense lending credence to the suggestion that Apple is developing its own solution for the so-called "iPhone 8". One report has claimed that Taiwan-based supplier Xintec, an affiliate of Apple manufacturer TSMC, is mass-producing the iris recognition chips for Apple.

Samsung reportedly added a facial recognition capability to the Galaxy S8 because of doubts about the reliability of iris scanning on its own, but the security of the facial recognition itself came into question almost immediately, when a photo of a user's face was used to unlock a handset at the S8 launch event.

The event on the above article is expected for all android phones as they are unsafest and most unsecured devices.

Stay away from Samsung or any android phones as they are the unsafest and unsecured phones because of their open systems and applications that can be built by anyone including hackers.

Stay with iPhone as it is the safest and the secured phone due to its proprietary systems and application development!! Ask cyber security experts.
 
Actually, you're incorrect. Iris scanning is far more secure than a fingerprint scanner.

The iris is the colored pattern part of your eye. It is developed when you're approximately a year old or so. An eye injury or death, apparently never changes after the fact. Fingerprints can likely be duplicated one out of 50,000 as where Iris scanning is more similar to one out of 1 million. It uses infrared and a camera to detect the Iris.

Iris scanning is also expected to be 5/6 times more secure than a fingerprint and accurate in reading, because it contains more unique information about you and makes it highly more accurate/reliable than fingerprint scanning. Fingerprint scanning can be duplicated.

http://science.howstuffworks.com/biometrics4.htm

http://findbiometrics.com/solutions/iris-scanners-recognition/

He's clearly not talking about iris scanning in general, only Samsung's implementation.
 