A German hacker group called the Chaos Computer Club released a video that makes it seem quite easy to fool the Samsung Galaxy S8’s iris scanner.
The CCC says it was able to use everyday items like a camera, a regular printer, and contact lenses to unlock a Galaxy S8 using its iris scanner, which is an alternative to the fingerprint sensor.
Back in April, the company behind the Galaxy S8’s iris-scanning technology said it was safer than the FBI’s fingerprinting technology. While that may be true, it’s still not secure enough to deter a determined thief or hacker.
Here is Samsung’s official comment on CCC’s trick and the potential for spoofing the Galaxy S8’s iris scanner: “We are aware of the issue, but we would like to assure our customers that the iris scanning technology in the Galaxy S8 has been developed through rigorous testing to provide a high level of accuracy and prevent attempts to compromise its security, such as images of a person’s iris. If there is a potential vulnerability or the advent of a new method that challenges our efforts to ensure security at any time, we will respond as quickly as possible to resolve the issue.”
See how the CCC did it:
According to the CCC, you simply need to take a picture of a Galaxy S8 owner’s face with a camera’s “night mode” activated.
The video suggests you don’t need to be too close to take a picture for the hack.
For the hack to work, the CCC says, you need to take the picture using a camera’s “night mode” so it uses the camera’s infrared flash.
Next, the CCC printed a zoomed-in image of the subject’s eye on a Samsung printer.
I should note that the image being printed doesn’t appear to be from the same photo taken at the beginning of the video, or the previous screenshot above. With that in mind, it’s not clear whether a photo taken from a medium distance is actually sufficient for the trick.
Then, a member of the CCC placed a contact lens on the printed image of the subject’s eye.
It’s not clear from the video exactly why the CCC added the contact lens, but it’s presumably used to mimic the rounded curvature of an eye.
The CCC member simply held up the printed image with the contact lens to the Galaxy S8’s iris scanner, which seemingly unlocked the phone.
Check out the CCC’s full video on the hack here:
It seems incredibly easy to do, but there are still some obstacles for a potential thief or hacker.
- Tanay Mondal/Flickr
A thief or hacker would still need to get a good picture of your eye and have access to your phone to do the trick.
The fingerprint scanner on most smartphones can also be hacked.
Back in March 2016, researchers at Michigan State University showed how they could fool the iPhone 5s’ fingerprint scanner. A potential thief would need to get a high-resolution photograph of a person’s fingerprint and then print the photograph in high-resolution on special paper.
In September 2013, the CCC showed off a similar fingerprint sensor hack in which it used latex paper and a fingerprint lifted from a glass.
What does this mean?
Essentially, it suggests there’s no foolproof way to secure your smartphone, even with advanced biometric technology like the Galaxy S8’s iris scanner. It seems as if the best way to protect the data on your smartphone is the old-fashioned way: Keep it close and do anything you can to prevent someone from stealing it. Even pin codes aren’t safe, as a thief could spot you typing in your pin code before stealing your phone.
If your phone is ever lost or stolen, your best bet is to call your service provider to deactivate the SIM card and permanently lock the phone, and change the password on services and accounts you use on your phone. That means email, bank account log-in information, social-media accounts, home-security accounts (from services like Canary or smart-home system), video-streaming services like Netflix, and anything else you use on your smartphone.