Eh.... let's clarify that statement given that the iPhone trick is notably much more complex. On the iPhone you had to 1) steal a phone, 2) Hope it has a good fingerprint, 3) Scan it on a scanner capable of 2400 dpi or more, 4) print the image on tracing paper, 5) use that paper to etch onto a PCB using chemicals, 6) Spray the PCB with graphite to make it conductive, 7) use wood glue to make a fake fingerprint, 8) Hope it works with the perhaps only sample fingerprint you had.

The Samsung hack is 1) Steal a phone, 2) Take multiple photos of that person on almost any digital camera (the one they show looks to be $100 or less), 3) Print the photo, 4) Buy any random contact lens, 5) Wet it and bingo.

The difference is notable. One has several additional steps that take time, and use chemicals that not everyone has. The other has fewer steps, with things people actually already have. I could honestly see the entire Samsung process occurring in less than 10 minutes in a well-organized crime syndicate.
Eh... let's clarify your statement. ;) The narratives you build can sometimes work against you even better than they work for you. How about we break down the processes and put them in proper perspective. Hard part: Steal iPhone/S8 and get a good fingerprint/photo of eye. That's it. Once you have those, the rest is just a matter of time and a small expense. One process takes a printer, scanner, and a PCB etching kit. The other takes a camera, printer, and contact lens. Whether one process takes 5 steps and the other takes 8 is immaterial. Both hacks were completed by the same team. Both hacks were proof of concept that have little value in the real world. The likelihood of either being used in the wild is negligible.
 
You know why it's not an issue? Because there is no photo of me or any of you on the Internet where you can see iris in enough detail to unlock the phone... I did test in my office some days ago. We took close up photo of my eyes with 13mpix camera of other phone (there's no way someone can do it to you without your knowledge).

Did you watch the video? It's only a minute long. They took the photo from about 10 feet away with a modest zoom lens using a pretty basic looking point and shoot camera. If you have proper lighting, a decent camera, and optical zoom you can get a pretty detailed photo of someone's iris rather easily. If you have a high end camera, a top notch zoom lens, and good enough lighting, you can probably do this from a lot farther than 10 feet away.

It would certainly be more challenging to do this with a smartphone camera of any megapixel rating, but camera technique might have something to do with it as well. With proper conditions and a zoom lens, 4 megapixels would probably be enough.
 
It was totally staged! The guy looked directly into the camera for a clear shot. Once again, I put the challenge to you also. Go ahead and start taking photos of people this way and then tell us how many black eyes you come back with.

You would literally have to stalk that person to get the right shot (which I'm not saying is impossible, but really very difficult).

Have an attractive woman walk up to you and say that she loves your outfit and would like to take your picture. Everyone will say yes to that (men and women). Use a nice DSLR camera and you will have a great picture of their face right away.

Also, the concern here is that law enforcement will just take a picture of you (which they get to do, it is called a mug shot) and now they can unlock your phone. But, at least in the US for now, they can't grab your hand and place your finger against your phone to unlock it.

And I'd be concerned going through customs. I know my picture is being taken in that situation. In fact I'm required to stand still in front of the agent while they compare me against my passport picture. Perfect time to grab a photo. I'm required to hand over my equipment. Put two and two together and my phone is easily compromised.
 
Don't even need a pic or ink :D just some of your kid supply, Gummy Bear AND PLAY DOH! :p

How exactly was it done with the gummy bear? That part isn't clear. It appears like it wasn't an ordinary gummy bear in the video. When he flipped over the gummy bear, the back side appeared to be treated with some white chalky substance.
 
How exactly was it done with the gummy bear? That part isn't clear. It appears like it wasn't an ordinary gummy bear in the video. When he flipped over the gummy bear, the back side appeared to be treated with some white chalky substance.
It's a type of gummy bear (they sell them here as well), like this candy.

It is kinda like a marshmallow on the back.

Just plain ordinary candy...

It works by using the print that is already on the glass (button).
 
By replicating a fingerprint in identical detail, yes. It's like 'tricking' a door by creating the exact key which fits the lock. Samsung's door, on the other hand, would simply creak open by whistling into the lock like a Shaman Throat Warbler. :D

Of course... because getting a high res infrared image of someone's eye at close range is easy as pie.
 
How can you make that assessment without even knowing what Apple has in store? They haven't even released Iris technology yet. Seems like a premature assertion.

Because it's all the same technology, they don't reinvent the wheel just because it's a different manufacturer. It's the same with Touch ID, that's been beaten the same as any Samsung fingerprint reader.
 
Not surprising, any Apple iris scanner will be the same, fingerprint readers have been cracked as well. Still better than nothing I suppose.

Let's revisit your first quote. Again, you can't make the assertion "Any" Apple Iris scanner will be the same as any other competitor. You have no idea what contingencies they have invested in research and development to not necessarily "Reinvent the wheel" per se, but make it more refined in being more dynamic and stringent based identifiers. That's my point. It's too early to tell where Iris scanning is leading, but I think it's blatantly obvious Apple does things on a level differently from what technology allows them from other competitors. There isn't much of an argument here based on how they incorporate their security and the seriousness they take it. We will find out soon enough.
 
Let's revisit your first quote. Again, you can't make the assertion "Any" Apple Iris scanner will be the same as any other competitor. You have no idea what contingencies they have invested in research and development to not necessarily "Reinvent the wheel" per se, but make it more refined in being more dynamic and stringent based identifiers. That's my point. It's too early to tell where Iris scanning is leading, but I think it's blatantly obvious Apple does things on a level differently from what technology allows them from other competitors. There isn't much of an argument here based on how they incorporate their security and the seriousness they take it. We will find out soon enough.

Just like how the Touch ID can be beaten by a gummy bear? You trust Apple and its security, I'll see it be beaten the same as any other. An Apple iris scanner will be just the same.
 
Just like how the refund Touch ID can be beaten by a gummy bear? You trust Apple and its security, I'll see it be beaten the same as any other. An Apple iris scanner will be just the same.

I see deflecting is a tactic based on your previous posts. I'm not debating semantics. I trust Apple's security more than I do your anecdotal assumptions. Thanks for the discussion and again, this topic can resume when Apple actually releases Iris scanning versus making ill-sighted opinions on its capabilities without having proof being the "Same."
 
I see deflecting is a tactic based on your previous posts. I'm not debating semantics. I trust Apple's security more than I do your anecdotal assumptions. Thanks for the discussion and again, this topic can resume when Apple actually releases Iris scanning versus making ill-sighted opinions on its capabilities without having proof being the "Same."

Deflecting? Erm no, you just don't want to accept my point so I'll just move on and not waste time. It's already been proven Apple security can be beaten, by a gummy bear amongst others, so I'll reserve the right to hold the view any iris scanner they come up with will be no different.
 
It works by using the print that is already on the glass (button).

Wow, that's it?

Could you expect to grab any phone that was unlocked with touch ID within the past 24 hours and expect it to work most of the time?

I mean, how reliable is the technique? Does it work best if the person has oily skin and so forth?
Because it's all the same technology

Kinda the truth about our world today. Virtually nobody has a vertical supply chain anymore whether it's hardware or software. So much of what we use today is modular in nature even if the size of those modules is tiny.
 
It's possible that the reason we're seeing multiple security solutions being pursued by all parties is that they're aware that no single approach is dependable on its own. We may see a combination of security technologies used simultaneously (e.g. Touching a fingerprint scanner while scanning your iris or face). It would be akin to having both a door lock and a deadbolt on your device.
 
Hacking fingerprint sensors or iris sensors is easily achievable by a normal person. (Normal person = not someone lazy who has never made anything in their life, and especially not anyone who actually thinks that a 1200 DPI printer is "unreachable" tech, as some have ridiculously claimed.)

In both cases, the necessary biometrics can be obtained by taking a good photo of the target owner's fingers or eyes. (Which is why using biometrics alone is never done where real security is involved.)

Creating a fake fingerprint using the longest and hardest method can be done in under two hours. With conductive ink and paper, as used by some home circuit board makers, it can be done in minutes, nearly as quickly as making a fake iris.

As some of us have been pointing out for years, biometrics as used in smartphones is not about unbreakable security. What it is about, is good enough security most of the time. That is, the small risk of being deliberately targeted is a fair exchange for the extra unlock speed and convenience.
 
Those that don't understand the condition in which this was accomplished should refrain from commenting.

You mean how extraordinarily simple it was to accomplish this? Noted. And certainly interesting at what your baseline for defining what is difficult and what is easy. Noted for all your future posts! ;)
 
Sick of all these companies touting which biometric login is the best.
Require iris scan, fingerprint verification, random 15-character password with AES encryption, voice recognition, QR code, and mother's maiden name to login inside a case with a padlock. That should be pretty secure.
 
You mean how extraordinarily simple it was to accomplish this? Noted. And certainly interesting at what your baseline for defining what is difficult and what is easy. Noted for all your future posts! ;)

Have you read through the comments? There are people who claim that it'd be virtually impossible to get a good enough photo of someone's iris to make this work and the next person thinking you could whip out a smartphone and snap a photo from a distance. As is the case with every MR discussion, lots of people just comment about stuff they don't know much about without asking questions first or thinking first.

He had a valid point, so maybe you do want to mark his posts in the future for actually having a point.
 
They also tricked Touch ID btw. With a photograph + wax. For Samsung you need Photograph + Contact Lens. Not much different. Both systems are not secure.

Do both methods require a photograph of the fingerprint or eye? Seems to me it would be much easier to surreptitiously snap a photo of someone's face and eye than their fingerprint.
 
They needed a photograph for it. The only difference being that they needed wax in addition to create a negative from the positive. Not much different at all. For Iris you need a contact lens in addition, for TouchID you need wax.

Take a random person like me for example - there are hundreds of photos of my face (including my eyes) floating around in the internet. The vast majority of which, were taken on someone else's camera/phone for someone else's use. In other words, hundreds of photos of my eyes that any random person has access to.

On the other hand, there are exactly zero photos of my fingers (let alone fingerprints) anywhere.

Samsung Iris recognition is a gimmick at best. And not even a good gimmick.
Do both methods require a photograph of the fingerprint or eye? Seems to me it would be much easier to surreptitiously snap a photo of someone's face and eye than their fingerprint.

Why surreptitiously snapped? Aren't there tons of high resolution photographs of you in places like Facebook?

Imagine someone stealing a celebrity's phone. You think it would be hard to find high resolution photographs of celebrities?
You mean how extraordinarily simple it was to accomplish this? Noted. And certainly interesting at what your baseline for defining what is difficult and what is easy. Noted for all your future posts! ;)

Yeah, I don't get it either. Was something magical happening not shown in the video?
Just like how the refund Touch ID can be beaten by a gummy bear? You trust Apple and its security, I'll see it be beaten the same as any other. An Apple iris scanner will be just the same.

"Hey mister, can you put your finger on this gummy bear?"

A question I get asked all the time.
 
Do both methods require a photograph of the fingerprint or eye? Seems to me it would be much easier to surreptitiously snap a photo of someone's face and eye than their fingerprint.

Maybe. People often rest their hands on a table. That's how Starbug (the same guy who originally faked Touch ID) later took a photo of a thumb from six feet away and created a duplicate. The person wasn't aware.

OTOH, someone aiming directly at your eyes means they're in your direct eyeshot.

In either case, though, few would think their identity was being stolen.

Also, as kids and pranksters have shown, it's easy to use a sleeping person's finger to unlock their phone. Prying open their eyes is more likely to wake them up :D

Take a random person like me for example - there are hundreds of photos of my face (including my eyes) floating around in the internet.

But how many taken in infrared mode, which is how this fake was done (iris scanners use a flood of IR instead of visible light).

On the other hand, there are exactly zero photos of my fingers (let alone fingerprints) anywhere.

Really, no pics of you waving hello, making a peace sign, thumbs up, etc?

More importantly, fingers leave prints. (Starbug's original demo lifted one off the phone itself.) Looking at your phone does not leave an iris image ;)

Samsung Iris recognition is a gimmick at best. And not even a good gimmick.

Like everyone else, Samsung uses iris recognition tech from a third party company.

As noted, just as with fingerprint recognition, biometric implementations in smartphones so far have been more about speed than actual security. I.e. waiting for blinks, pulses, etc would annoy most users. And could usually be easily faked, anyway.

Biometrics alone is not secure. Worse, once stolen, you can't easily change yours. But it's convenient and "good enough" for mass consumer use.
 
But how many taken in infrared mode, which is how this fake was done (iris scanners use a flood of IR instead of visible light).

Infrared mode? Is that fancy speak for night mode? If so, I dunno. 30%? My guess is that half of the pictures taken of me have been in low light conditions. Assuming that and assuming that only a fraction of those are in night mode, my guess is 30%.

Assuming there are 500 pictures of me in the inter webs, that would be around 100-150 high resolution pictures of me in night mode.

How many of my Starbucks cups are floating around in the internet ready for some unscrupulous person to download?
 
Infrared mode? Is that fancy speak for night mode?

No, not normally.

Most DSLRs and high res cameras have an IR blocking filter, as does the iPhone rear camera since the iPhone 4.

Night mode for them is a longer exposure.

How many of my Starbucks cups are floating around in the internet ready for some unscrupulous person to download?

History has shown that a common thief isn't going to try to find a usable fingerprint image off the web, nor even bother looking for a usable print on the phone itself. They're too lazy, and they don't care about our data anyway. Same would go for irises.

Now, as for 'unscrupulous' people who actually wish to target someone's phone for gaining info (say, a politician or businessman or a cheating spouse), then they'll have plenty of motive and opportunity to gather any biometric data that they need ahead of time. Heck, at that point they need only borrow the phone while the owner sleeps and put it back.
 