Hackers have broken the iris-based authentication in Samsung’s Galaxy S8 smartphone in an easy-to-execute attack that’s at odds with the manufacturer’s claim that the mechanism is “one of the safest ways to keep your phone locked.”
The cost of the hack is less than the $725 price for an unlocked Galaxy S8 phone, hackers with the Chaos Computer Club in Germany said Tuesday. All that was required was a digital camera, a laser printer (ironically, models made by Samsung provided the best results), and a contact lens. The hack required taking a picture of the subject’s face, printing it on paper, superimposing the contact lens, and holding the image in front of the locked Galaxy S8. The photo need not be a close up, although using night-shot mode or removing the infrared filter helps. The hackers provided a video demonstration of the bypass.
Starbug, the moniker used by one of the principal researchers behind the hack, told Ars he singled out the Samsung Galaxy S8 because it’s among the first flagship phones to offer iris recognition as an alternative to passwords and PINs. He said he suspects future mobile devices that offer iris recognition may be equally easy to hack. Despite the ease, both Samsung and Princeton Identity, the manufacturer of the iris-recognition technology used in the Galaxy S8, say iris recognition provides “airtight security” that allows consumers to “finally trust that their phones are protected.” Princeton Identity also said the Samsung partnership “brings us one step closer to making iris recognition the standard for user authentication.”
But it turns out that fingerprints, irises, and other biometrics frequently provide an inferior means of authentication. As Starbug demonstrated in 2013, fingerprints can be casually collected off of water glasses and used to fool the Touch ID mechanism Apple built into iPhones. (Android phones are susceptible to a similar hack.) He said the same is true for iris patterns used for authentication.
“Iris recognition is the next big thing with mobile devices,” Starbug wrote in an e-mail. “The technology, especially with the packed space and low computing power of mobile devices, is hard to make hack proof. You can’t hide your iris, and it’s even worse than fingerprints.” At the same time, “mobile devices are holding more and more sensitive data.”
Representatives of Princeton Identity didn’t respond to a request to comment.
Biometrics may be suitable in true multifactor settings in which a high-resolution fingerprint or iris scan is used in combination with a password and u2f cryptographic device. Used as a sole factor, fingerprints are inadequate. Anyone calling them airtight is just peddling snake oil.