Samsung has spent a lot of time perfecting its iris recognition feature that is now deployed on the Galaxy S8 and S8+. But the technology is still far from being foolproof, as German hacking group Chaos Computer Club, or CCC, showed in a video demo.
Facial recognition and iris scanning biometric features on the Galaxy S8 and S8+ are intended to enhance the security provided by the fingerprint recognition system. But nothing seems to be infallible.
The fingerprint reader was hacked by CCC back in 2014, when they accurately recreated the thumbprint of the German federal minister of defense. All they used was a standard photo, but they were able to fool almost any fingerprint security system. CCC was also able to fool Apple’s TouchID system a year before that.
More recently, the Samsung Galaxy S8’s facial recognition system was fooled into unlocking the phone with a photo of the user. And now CCC has struck again, using an enlarged photo of the user’s eye with a contact lens placed on top of it to give the illusion of depth. The Galaxy S8 iris recognition system bought it, opening up the phone’s inner secrets, including the ability to make financial transactions on Samsung Pay, the company’s mobile wallet offering.
That’s not very encouraging considering that most new phones in 2017 and beyond are going to be using these very same security systems to protect users from hacking and subsequent data and identity theft.
It only goes to show that the best authentication is still a very strong password, and proper device encryption protocols. A hacker that really wants to get into a phone can follow any of the hack methods used before to gain access.
Here’s how CCC fooled the Samsung Galaxy S8’s iris recognition security feature:
As you can see from the video, the process is very simple. All you need is a medium-distance photo of the user’s eye and the Galaxy S8 device itself. Admittedly, those two aren’t going to be easy to get from the intended “victim”, but the hack shows that such a scenario is very much possible.
Samsung’s response to the hack:
“We are aware of the issue, but we would like to assure our customers that the iris scanning technology in the Galaxy S8 has been developed through rigorous testing to provide a high level of accuracy and prevent attempts to compromise its security, such as images of a person’s iris. If there is a potential vulnerability or the advent of a new method that challenges our efforts to ensure security at any time, we will respond as quickly as possible to resolve the issue.”