Ok, so they need a picture of you, and there may or may not be hundreds of pictures on the internet with your face on. Can someone explain how I find a picture of you on the internet if all I have is your locked phone? What Google search do I use to get your face, what Facebook search do I use?

The challenge would be: find a hi-res picture of me on the internet where you can get a good copy of my iris from and steal my S8. All you have to go on is the hypothetical S8 you have just stolen from me.

I'm not denying where the hack works, just how you or Mr. Nasty can actually do it in real life.
 
interesting,,, kinda serves the purpose of an "eye for an eye"

This doesn't mean that the Iris scanning in S8 is "ineffective" Just because burgers can break into to a car doesn't mean all cars from now on should be unbreakable glass...

But in the technology world.? Not an option......
 
Ok, so they need a picture of you, and there may or may not be hundreds of pictures on the internet with your face on. Can someone explain how I find a picture of you on the internet if all I have is your locked phone? What Google search do I use to get your face, what Facebook search do I use?

Challenge: find a hi-res picture of me on the internet where you can get a good copy of my iris from and I'll give you either my iPhone7 or S8. All you have to go on is the hypothetical S8 you have just stolen from me. (Anyone up for a go?)

I'm not denying where the hack works, just how you or Mr. Nasty can actually do it in real life.

The internet is a powerful tool in the right hands, I wouldn't underestimate it.

I won't post any direct personal details as I don't do this kind of thing maliciously, but researching people is part of my job, hence why I know how to find out certain things, like that family member of yours who's on holiday in Turkey at the moment, or your reg plate that starts WV1 - or did you ditch that one for the Jag..?

My point is people can be very easily researched, always keep your wits about you online. I also hope I haven't got this completely wrong and in which case I apologise for being an idiot :D
 
They also tricked Touch ID btw. With a photograph + wax. For Samsung you need Photograph + Contact Lens. Not much different. Both systems are not secure.

So explain in detail how a person would go about hacking the Touch ID on the iPhone 7.
Please provide an example of someone who has done so with an iPhone 7.
What kind of equipment is needed?
How much does the equipment cost?
What kind of training is necessary?
How easy is it to lift off fingerprints? Does it require practise or training?
 
The internet is a powerful tool in the right hands, I wouldn't underestimate it.

I won't post any direct personal details as I don't do this kind of thing maliciously, but researching people is part of my job, hence why I know how to find out certain things, like that family member of yours who's on holiday in Turkey at the moment, or your reg plate that starts WV1 - or did you ditch that one for the Jag..?

My point is people can be very easily researched, always keep your wits about you online. I also hope I haven't got this completely wrong and in which case I apologise for being an idiot :D

You don't have it wrong at all. I should have used 'The challenge would be:'. The point I'm trying to make is that others have said there's lots of pictures of them on the internet, so finding and using one of them to unlock an S8 would be easy, but finding a picture of that person when all you have is a phone, no name, no personal details whatsoever, then making sure it's of the right res and has been taken with an infrared camera? It's not easy; in fact, I bet almost impossible.
 
So explain in detail how a person would go about hacking the Touch ID on the iPhone 7.
Please provide an example of someone who has done so with an iPhone 7.
What kind of equipment is needed?
How much does the equipment cost?
What kind of training is necessary?
How easy is it to lift off fingerprints? Does it require practise or training?

You might have missed my post....

"Also ... wow that was hard!!!

Very hard!!

Extremely hard!"

Don't even need training or equipment, just some of your kid supply, Gummy Bear AND PLAY DOH!:p

This doesn't mean that the Iris scanning in S8 is "ineffective" Just because burgers can break into to a car. . .

Mhhhh burgers!!
 
At least with a fake fingerprint you could make Fill-in-the-blank Pay purchases on a stolen phone without being too obvious. And yet this seems never to be reported.

To do the same with iris enabled payments, a thief would have to actually print an iris onto a curved lens that they were willing to wear, since the alternative of holding up part of an "eyeball" would look very suspicious :)

Certainly I think that people in truly sensitive jobs should not be allowed to use any biometric unlock by itself. For that matter, shoulder-surfing a passcode isn't hard either. It's a pity that stock phone makers don't have two factor unlock options.
 
You don't have it wrong at all. I should have used 'The challenge would be:'. The point I'm trying to make is that others have said there's lots of pictures of them on the internet, so finding and using one of them to unlock an S8 would be easy, but finding a picture of that person when all you have is a phone, no name, no personal details whatsoever, then making sure it's of the right res and has been taken with an infrared camera? It's not easy; in fact, I bet almost impossible.

Yeah sorry, I didn't mean to scare you or anything, I just thought I'd take up your challenge to see if I could actually do it. I was close, but no cigar.

I think this whole thing has less to do with unlocking a random phone found on a street, but more to do with a targeted malicious attack on someone in order to spy or mine data on a suspect.

To be honest, if it was my job to unlock your phone with an iris it can easily be done. Once someone knows who you are they can find out where you live and your work address, and snapping an IR photo of someone incognito would be fairly simple. It could be as simple as a cute girl asking you for a selfie, for example.

On the other hand (literally..) it would be just as easy to lift someone's fingerprint.
 
At least with a fake fingerprint you could make Fill-in-the-blank Pay purchases on a stolen phone without being too obvious. And yet this seems never to be reported.

To do the same with iris enabled payments, a thief would have to actually print an iris onto a curved lens that they were willing to wear, since the alternative of holding up part of an "eyeball" looks suspicious :)

Certainly I think that people in sensitive jobs should be allowed neither unlock option. It's a pity that stock phone makers don't have two factor unlock options.

Probably because the manufacturer doesn't wanna take responsibility for the fact when it doesn't work.

I like the eyeball effect: kinda reminds me of Sherlock Holmes.
 
Yeah sorry, I didn't mean to scare you or anything, I just thought I'd take up your challenge to see if I could actually do it. I was close, but no cigar.

I think this whole thing has less to do with unlocking a random phone found on a street, but more to do with a targeted malicious attack on someone in order to spy or mine data on a suspect.

To be honest, if it was my job to unlock your phone with an iris it can easily be done. Once someone knows who you are they can find out where you live and your work address, and snapping an IR photo of someone incognito would be fairly simple. It could be as simple as a cute girl asking you for a selfie, for example.

On the other hand (literally..) it would be just as easy to lift someone's fingerprint.

Not worried buddy, just like most things it may be possible but highly unlikely. (Now to go google myself, as Google always gives me a laugh, and jobs and address I can't remember.)
 
Infrared mode? Is that fancy speak for night mode? If so, I dunno. 30%? My guess is that half of the pictures taken of me have been in low light conditions. Assuming that and assuming that only a fraction of those are in night mode, my guess is 30%.

Assuming there are 500 pictures of me in the inter webs, that would be around 100-150 high resolution pictures of me in night mode.

How many of my Starbucks cups are floating around in the internet ready for some unscrupulous person to download?

Night mode ≠ infrared
 
Don't know if anyone said this already (didn't read all the posts), but ANY form of biometrics will be LESS secure than a (suitably secure) password, simply because you cannot see inside people's mind.

It is convenient for home use, but for a mobile device you can lose, a password is the safer (if inconvenient) option.
 
Do both methods require a photograph of the fingerprint or eye? Seems to me it would be much easier to surreptitiously snap a photo of someone's face and eye than their fingerprint.

You can't just use any picture, it has to pretty much be a pic from head on.

Don't know if anyone said this already (didn't read all the posts), but ANY form of biometrics will be LESS secure than a (suitably secure) password, simply because you cannot see inside people's mind.

It is convenient for home use, but for a mobile device you can lose, a password is the safer (if inconvenient) option.

Biometrics are for convenience, not really for security.
 
A picture of your face, which contains eyes, is not good enough; it needs to be a high definition scan of your iris. They need to get a high definition scan of your iris. Then they need to know you have a phone which uses iris recognition. Then they have to steal/acquire that phone that uses iris recognition. Then they have to apply that high quality iris scan to the phone that they've stolen. Really, that's what you're worried about?
That is not what this video of the hack is showing. It's showing a picture of a person's face from a relatively far distance being used as the source. They take the high res image, blow up the eye and put a contact lens on it to trick the sensor. This isn't some fancy DoD iris scanner, it's a cell phone camera doing a pseudo 'iris' scan login.
 
That is not what this video of the hack is showing. It's showing a picture of a person's face from a relatively far distance being used as the source. They take the high res image, blow up the eye and put a contact lens on it to trick the sensor. This isn't some fancy DoD iris scanner, it's a cell phone camera doing a pseudo 'iris' scan login.

No one ever said it was a fancy DoD level iris scanner. Bio-metric security (on a smartphone) is easy to bypass. Samsung's iris scan with an infrared photo of the owner's eye and Apple's touchID with a gummy bear. If you're truly worried about the security of your phone, stick with entering a pin.
 
They needed a photograph for it. The only difference being that they needed wax in addition to create a negative from the positive. Not much different at all. For Iris you need a contact lens in addition, for TouchID you need wax.

Are u serious? Contact lens and photos of eye are so easy to get.

Have u ever tried to get fingerprint photos and make them into a wax? Very difficult.

No one ever said it was a fancy DoD level iris scanner. Bio-metric security (on a smartphone) is easy to bypass. Samsung's iris scan with an infrared photo of the owner's eye and Apple's touchID with a gummy bear. If you're truly worried about the security of your phone, stick with entering a pin.

Pin is "super" easy to acquire. If u are a target, all it takes is a nice tele-zoom camera. Or simply observe u for a while. Just stay behind u while u punch your pin. Or simply guess from your movements in CCTV.

Hacking cannot get easier than that.

Pin is also least convenient way of all security measures.

In short, Pin is the worst for mobile devices

Don't know if anyone said this already (didn't read all the posts), but ANY form of biometrics will be LESS secure than a (suitably secure) password, simply because you cannot see inside people's mind.

It is convenient for home use, but for a mobile device you can lose, a password is the safer (if inconvenient) option.

Totally wrong. Pin is the least safe of all. Why?
1. U have to punch your pin in public. And u have to do it very often.
2. U cannot use very long pin. Again u have to do it very often.

In that sense, Pin is "super easy" to acquire. If u are a target, all it takes is a nice tele-zoom camera. Or simply observe u for a while. Just stay behind u while u punch your pin. Or simply guess from your movements in CCTV.

Hacking cannot get easier than that.

Pin is also least convenient way of all security measures.

In short, Pin is the worst for mobile devices.

* If u don't believe me, try to get the PIN from someone who spends a lot of time with u. I even unintentionally get the PIN while a stranger is opening his phone by entering his code from time to time.
 
Like, are some of you people stupid or can't read or something? This is a very hard and unlikely hack to achieve, for the simple reason that you would need a camera with an IR sensor. Not an IR filter like some moron in the comment section said. And have the person look directly at you while you take the photo. And of course their phone, and the hope they have that feature enabled. And the other equipment described in the post. Most modern day cameras don't have IR sensors; some smartphone cameras do. The problem with that is, on smartphones it's only used for focusing, which is done automatically and can't be manually controlled. And furthermore, this hack was done in a lab, with someone willing to aid in the process.

That is not what this video of the hack is showing. It's showing a picture of a person's face from a relatively far distance being used as the source. They take the high res image, blow up the eye and put a contact lens on it to trick the sensor. This isn't some fancy DoD iris scanner, it's a cell phone camera doing a pseudo 'iris' scan login.
You would be wrong. They took a picture using a camera with an IR sensor on it to take the photo. The iris scanner on the Galaxy S8 and Note 8 are actually IR scanners/sensors that actually scan your iris, with the combination of other sensors on the phone.
 
Are u serious? Contact lens and photos of eye are so easy to get.

Have u ever tried to get fingerprint photos and make them into a wax? Very difficult.

hackers don't even need to get fingerprint photos. They can use the print already on the touchID sensor (like in the gummy bear video).
 
This is why I buy Apple.

Instead of trying to check all the bullet points, they only put what really works, and doesn't get fooled by... a mere B/W photograph and a contact lens... but things like this don't matter and people will keep buying Samsung, and the sales clerks will keep pushing "but the Samsung has X feature and the iPhone doesn't".

Also, unlike TouchID sensors, camera sensors consume a lot of power, nobody intelligent will want to use this in real life, or their battery life will suffer from the 100+ unlocks most people do every day...

What security features does the iPhone have that could be tricked with a photo and a contact lens?
 
All this talk about security (iris/fps) is more academic than real. Firstly, we know all security measures can be broken, and if you are being targeted by professional hackers then likely you get caught. Don't be surprised that the spar between the FBI and Apple is just a ruse to instill confidence that the iPhone cannot be hacked, so all the criminal minds continue using the iPhone (whilst at the back door big brother can easily listen in). Most iPhone users use a 4-digit pin - how difficult can it be to hack this?

Whether it is iris/fps, it is just a deterrence for casual people/thieves to pry into your phone. If hackers need to get your info, they don't need to steal fp/iris - they can let you give them info yourself with a software hack (i.e. phone home) without you realizing you are leaking info. If hackers steal your phone, then you will take action, thus defeating the purpose. And it is too much trouble just to steal ONE person's info instead of stealing millions with a software hack.
 
Totally wrong. Pin is the least safe of all. Why?
1. U have to punch your pin in public. And u have to do it very often.
2. U cannot use very long pin. Again u have to do it very often.

As with anything "secure", just as TouchID, it's a sheer trade of knowing WHEN to do it to be secure yourself..

Still, if they think someone is watching them as they enter something, then instead of using better technology to secure yourself as to how secure it is in public, how about covering your hand over the device? That works just as good. And while it's not secure for those who really want it (as the only reason to use better technology), it serves its purpose because no one knows what u entered.

We aren't really securing ourselves, we're only securing it more from other people. It IS more secure using Touch ID and quicker, but the same practices can be put in place if "users" thought about when to do stuff as well. As the more technology gets better, we no longer have to worry what we should be doing.
 
Biometric unlocks are a fairly secure method of accessing a phone that are also incredibly quick and convenient for the user.

Of course it's not ultra secure, if you wanted watertight security then you'd have a custom 30 digit alphanumeric passcode, but biometrics are good enough for the most of us as I said, they are fairly secure and very convenient.

The main issue is that it is fairly secure, however law enforcement can make you use your finger to unlock your phone, but cannot force you to divulge your passcode, legally of course. So stick with a passcode even though it is super easy and convenient to use the TouchID to unlock the phone.
 