Hackers Trick Samsung Galaxy S8 Iris Recognition Using a Printed Photo and a Contact Lens

[44267547]

Too bad this very article completely disproves your point.

Whats to bad? That you didn't Read the article accurately. If you go back and reread the article, it clearly states "but the hackers said they suspect future mobile devices that offer iris recognition may be equally easy to hack." This is a broad stroked assertion with no validity as of yet.

Which in theory, has never been tested or confirmed either. So that doesn't this disprove anything I stated for the fact of what Iris scanning is and how it's verified for security purposes based on your unique identifiers. Nor did I make any claims of any specific Iris scanner manufacturer, more or less, I touched on how the Iris developes and it's vectors which would be harder to hack through its back history through development.

It really depends on how cell phone manufacturers continue to implement Iris scanning. We have only seen Samsungs Iris scanning in the smart phone industry. I would be interetested in Apple's Iris scanning and counterfeiting measure Techniques with various Precautions taken. However, it's still a maturing process with Iris scanning and hasn't become the primary. Eventually it will be the primary over fingerprint scanning.

 

[LordVic]

The event on the above article is expected for all android phones as they are unsafest and most unsecured devices.

Stay away from Samsung or any android phones as they are the unsafest and unsecured phones because of their open systems and applications that can be built by anyone including hackers.

Stay with iPhone as it is the safest and the secured phone due to its proprietary systems and application development!! Ask cyber security experts.

this is a load of absolutely unmitigated FUD with no basis in reality.

Android itself is not some wild west insecure platform. That line of thinking needs to die back when Android decided to actually start being serious (around 4.0). Android right now is fairly secure. I wouldn't say that Stock Android is more secure than iOS, I would still put iOS high on the security totem pole, But android isn't some wide open insecure / easily crackable OS.

and many vendors have even added their own security models that are beyond what even iOS has for security. Samsung Knox is actually world reknown for security, and BlackBerry devices as well.

your line of thinking here has no basis in reality in 2017.

 

[Kabeyun]

Egg on face well deserved. This is pure technological hubris.

 

[44267547]

He's clearly not talking about iris scanning in general, only Samsung's implementation.

Re-read what the OP quoted. And, the OP also edited his post after it was commented on by other members.

"No doubt touch id is more secure than iris scanning"

That's a definitive statement and is inaccurate. There is no "Generalization" here. Fingerprint scanning is NOT more accurate than Iris scanning in theory and how it's used in high level security.

 

[macs4nw]

This is why I still use an old-school keyboard password.

Quick and relatively convenient, but with the existence of keystroke loggers, even less secure.

 

[AaronChamberlain]

They also tricked Touch ID btw. With a photograph + wax. For Samsung you need Photograph + Contact Lens. Not much different. Both systems are not secure.

Eh.... let's clarify that statement given that the iPhone trick is notably much more complex. On the iPhone you had to 1) steal a phone, 2) Hope it has a good fingerprint, 3) Scan it on a scanner capable of 2400 dpi or more, 4) print the image on tracing paper, 5) use that paper to etch onto a PCB using chemical, 6) Spray the PCB with graphite to make it conductive, 7) use wood glue to make a fake fingerprint, 8) Hope it work with the perhaps only sample fingerprint you had.

The samsung hack is 1) Steal a phone, 2) Take multiple photos of that person on almost any digital camera (the one they show looks to be $100 or less), 3) Print the photo, 4) Buy any random contact lens, 5) Wet it and bingo.

The difference is notable. One has several additional steps that take time, and use chemicals that not everyone has. The other has less steps, with things people actually already have. I could honestly see the entire Samsung process occurring in less than 10 minutes in a well-organized crime syndicate.

 

[macTW]

"Hackers"

Just like russia "hacked" the election but sending spam emails that idiots clicked on?

The Hacker term has really lost its complexity.

 

[Syk]

Eh.... let's clarify that statement given that the iPhone trick is notably much more complex. On the iPhone you had to 1) steal a phone, 2) Hope it has a good fingerprint, 3) Scan it on a scanner capable of 2400 dpi or more, 4) print the image on tracing paper, 5) use that paper to etch onto a PCB using chemical, 6) Spray the PCB with graphite to make it conductive, 7) use wood glue to make a fake fingerprint, 8) Hope it work with the perhaps only sample fingerprint you had.

The samsung hack is 1) Steal a phone, 2) Take multiple photos of that person on almost any digital camera (the one they show looks to be $100 or less), 3) Print the photo, 4) Buy any random contact lens, 5) Wet it and bingo.

The difference is notable. One has several additional steps that take time, and use chemicals that not everyone has. The other has less steps, with things people actually already have. I could honestly see the entire Samsung process occurring in less than 10 minutes in a well-organized crime syndicate.

HAHAHAHA

 

[The Game 161]

If hackers want in not much can stop them no matter what

 

[Manzzle]

And some folks on these forums saying something like who cares if Apple places the button on the back when they may have face recognition.

I don't care if Apple does add their version of this tech. I will NOT use it.

 

[Gasu E.]

I didn't know this, really interesting. Seeing as the margin for error is far lower (providing the iris scanning software works as it should and was extensively tested), it seems to further highlight Samsung's incompetence if it could be beaten by a photograph and a contact lens.

Though if I've jumped to the wrong conclusion, please correct me if I've missed the mark.

My suspicion is that Samsung's phone can't resolve an iris when a contact lens is present; so they merely detect a contact lens, and if that one is present, rely solely on facial recognition. If so, they should, at least, allow the user to disable this bypass in the settings.

 

[Michael Goff]

Eh.... let's clarify that statement given that the iPhone trick is notably much more complex. On the iPhone you had to 1) steal a phone, 2) Hope it has a good fingerprint, 3) Scan it on a scanner capable of 2400 dpi or more, 4) print the image on tracing paper, 5) use that paper to etch onto a PCB using chemical, 6) Spray the PCB with graphite to make it conductive, 7) use wood glue to make a fake fingerprint, 8) Hope it work with the perhaps only sample fingerprint you had.

The samsung hack is 1) Steal a phone, 2) Take multiple photos of that person on almost any digital camera (the one they show looks to be $100 or less), 3) Print the photo, 4) Buy any random contact lens, 5) Wet it and bingo.

The difference is notable. One has several additional steps that take time, and use chemicals that not everyone has. The other has less steps, with things people actually already have. I could honestly see the entire Samsung process occurring in less than 10 minutes in a well-organized crime syndicate.

I'm sure James Bond has other ways. Normal people, though, don't have to worry that a well organized crime syndicate is going after them.

 

[ani4ani]

Always the case with Samsung, releasing half-baked functionality, just look at Bixby. With Apple, hardly ever any first of anything, but when they do implement something it's usually cooked just right. The other side of the coin though is that with Apple it's their way or the highway. Don't like the choice they've made for you, tough. With Samsung (Android in general) you've got a dizzying array of options.

I have both an S8+ and an LG G6, deals that were too good to pass lol. On the S8, I have not enabled any biometric other than fingerprint, but with the bad placement of the fingerprint sensor, I will be trying the iris unlock soon. I believe both phones are superior to the iPhone 7, in hardware and software, but my iPhone will remain my daily phone because I'm locked in to the ecosystem.

Ding!

Iris recognition/face recognition etc. is (a) its far, far more secure than the default option of not bothering with a pin/password/gesture because its too much hassle or (b) combined with a PIN or password adds another hurdle for a hacker to get over.

The point of personal day-to-day security is to make sure that your phone is one of the ones that the thief throws straight in the dumpster in favour of the one with "0000" as the PIN. If someone is actively targeting you, personally, then unless you're a security expert, you're probably hosed. Best solution to phone security: don't keep sensitive info on your daily driver phone - or at least keep the sensitive stuff separately encrypted.

Also, even the cheapest, crackerjack padlock (or its virtual equivalent) plays the important role of removing deniability:

"Honest judge, the owner told me I could use their phone, and it didn't have a PIN set..."
vs.
"Honest judge, the owner told me I could take a high res picture of their face, glue a contact lens over the eye and use it to unlock the phone ..."

A rational post - thank you

 

[Gasu E.]

Eh.... let's clarify that statement given that the iPhone trick is notably much more complex. On the iPhone you had to 1) steal a phone, 2) Hope it has a good fingerprint, 3) Scan it on a scanner capable of 2400 dpi or more, 4) print the image on tracing paper, 5) use that paper to etch onto a PCB using chemical, 6) Spray the PCB with graphite to make it conductive, 7) use wood glue to make a fake fingerprint, 8) Hope it work with the perhaps only sample fingerprint you had.

The samsung hack is 1) Steal a phone, 2) Take multiple photos of that person on almost any digital camera (the one they show looks to be $100 or less), 3) Print the photo, 4) Buy any random contact lens, 5) Wet it and bingo.

The difference is notable. One has several additional steps that take time, and use chemicals that not everyone has. The other has less steps, with things people actually already have. I could honestly see the entire Samsung process occurring in less than 10 minutes in a well-organized crime syndicate.

The Samsung hack requires a targeted attack. You both have to steal the phone and get a head-on photo (any other photo will not have a place to put the contact lens). If the iPhone is stolen, on the other hand, fingerprints will be all over the case.

The vast majority of phone thefts are "street crimes"-- pickpocketing, snatch and grab, or otherwise taking advantage of the users casualness. There's little opportunity to take those photos. Any hacking attempt would be undertaken after-the-fact. If someone is planning a targeted attack against the user, perhaps the Samsung is more vulnerable. If it's street crime, the iPhone would be more vulnerable, in practice.

 

[CyberBob859]

Everybody's talking about iris recognition versus touch ID.

I say - give me both! (as long as both are reliable and accurate.)

Heck, if somebody goes through the trouble of taking a picture of me to fake my iris AND develop a fake fingerprint, I must be important.

 

[apolloa]

Not surprising, any Apple iris scanner will be the same, finger print readers have been cracked as well. Still better then nothing I suppose.

 

[DynaFXD]

Quick and relatively convenient, but with the existence of keystroke loggers, even less secure.

Don't forget, some hacker _could_ use a 1000 mm zoom lens from a building across the street to film your finger strokes at 1000 FPS. It's what did Gold Finger in, You're screwed! /s Yes, of course that's /s. It's not what kind of security you use, it's that you use some type of security that is important. But if people are going to make all sort of wild assertions to defeat something, no reason the text input folks should feel left out

 

[LordVic]

Everybody's talking about iris recognition versus touch ID.

I say - give me both! (as long as both are reliable and accurate.)

Heck, if somebody goes through the trouble of taking a picture of me to fake my iris AND develop a fake fingerprint, I must be important.

Dual Factor authentication is always the best option. I'd like it I could use both fingerprint and face recognition at the same time.

as you said, someone trying to go through both security methods to get into my device is going to have a hard time of it.

 

[Mousse]

This is why I trust old, trusted technology: a good password.

I remember back when I was a kid, some hacker nicknamed "Captain Crunch" broke into AT&T's phone system using a toy whistle. The toy whistle came from a of Captain Crunch cereal.

 

[jmgregory1]

I think that these scenarios that show there are holes in certain "secure" technologies, are more about scaring people into worrying about nothing, than they are showing some horrible flaw with the technology. Much like the flaw with TouchId of being able to create a 3D fingerprint to use to unlock an iPhone, that takes having access to not only the person's phone, but a clean fingerprint - or in the case of this iris scan "flaw", needing both the person's phone and a photograph of their face, are scenarios that take much more than some simple thief stealing your phone and being able to start using it.

 

[wigby]

I didn't know this, really interesting. Seeing as the margin for error is far lower (providing the iris scanning software works as it should and was extensively tested), it seems to further highlight Samsung's incompetence if it could be beaten by a photograph and a contact lens.

Though if I've jumped to the wrong conclusion, please correct me if I've missed the mark.

All of these methods are easily hackable which is why the only attribute that matters is convenience. These are convenience features, not security features. So the one that is used the most by people who would have otherwise left their phone unlocked is the one that wins.
[doublepost=1495647698][/doublepost]

i would have thought getting a hi res picture of a face is easier than a picture of fingerprints ?

How so? I have hundreds of hi-res pics of people in my phone already and none of their fingerprints. Sure I could get their fingerprints off of glass or something but it's much easier to get a face pic of anyone even if they don't want you to.
[doublepost=1495647915][/doublepost]

this is a load of absolutely unmitigated FUD with no basis in reality.

Android itself is not some wild west insecure platform. That line of thinking needs to die back when Android decided to actually start being serious (around 4.0). Android right now is fairly secure. I wouldn't say that Stock Android is more secure than iOS, I would still put iOS high on the security totem pole, But android isn't some wide open insecure / easily crackable OS.

and many vendors have even added their own security models that are beyond what even iOS has for security. Samsung Knox is actually world reknown for security, and BlackBerry devices as well.

your line of thinking here has no basis in reality in 2017.

It's more about the users than about the platforms. Yes, Android platform contains about 90% of the malware out there compared to iOS' 10% but that's because more people side load malware apps from shady app stores on Android than iOS users. Both platforms are about the same in terms of security but iOS always has the advantage because it's a more closed system with users that generally practice safer security habits (that Apple forces them to) too. Not unlike PC vs. Mac users and those respective platforms.

 

[tongxinshe]

They also tricked Touch ID btw. With a photograph + wax. For Samsung you need Photograph + Contact Lens. Not much different. Both systems are not secure.

Don't make those two cases sound like similar. The needed precision level and thus the prices of the needed equipment are off by several factors. If you read through carefully both cases, you know that the one used against TouchID is totally unreachable to a regular Joe, and even for professions labs like CIA the method requires days to finish. On the other hand, this one used against Samsung's Iris Scanner is fully achievable by a normal person, and it only needs several minutes to achieve.
[doublepost=1495649218][/doublepost]

Well using a little wax can be a little harder, but definetly not hard, and hardly "doesn't get fooled by" as suggested, heck someone even did it with a gummy bear.....

Also a 2013 hack revealed that the Touch ID can be bypassed by photographing a fingerprint from a glass surface, and printing it using special ink (NOT THAT HARD).

I am against fanboyism both way, yes in this case it was "easier" but also "expected", and I am sure that first gen Iris scanner from any company won't be that hard to be hacked, it will eventually get better, and as you suggest never 100% hack proof!

Go read through how exactly they did it against TouchID, before you make nonsense conclusion like this!

 

[44267547]

Not surprising, any Apple iris scanner will be the same, finger print readers have been cracked as well. Still better then nothing I suppose.

How you can make that assessment without even knowingly what Apple has in store? They haven't even released Iris technology yet. Seems like a premature assertion.

 

[tongxinshe]

I challenge you to take a detailed photo of a random persons iris from a moving person, zoomed right in, without them realising they're up to something odd,

How many pictures have you taken? How easy would be a not-so-close-to-you person to persuade you from taking a picture together? Come on, before babbling, use a little bit common sense for a second or two.

 

[Packers1958]

If someone wants my phone that bad that they first have to take a picture of me with a digital camera, then steal my phone, take it home, print the picture of my face and then attach a contact lens to it to unlock it, they can have my phone. Sheesh, these stories are getting more ridiculous. Plus you don't have to set up the phone to use facial recognition. You can use fingerprint and/or passcode too.