However, the video is quite clear about the method used, and there's enough detail in it to show either amazing attention to detail for trolls or a legitimate way to fool the S8's iris scanner.
The exploit uses the following components. First of all, you need a camera that can capture infrared light. In the video an old Sony camera is used; these models had a nightshot mode that allowed you to capture images using the same sort of tech as night vision goggles. Once you've got a good photo of the user's eyes, you can then print that out using a laser printer. In the video they use a Samsung printer, which feels like rubbing salt in the wound somewhat.
The printout needs to be a specific size because the next step requires you to place a contact lens over the image. According to the group that discovered this workaround, this gives the iris scanner the curvature it's expecting from a real eye, while you present it with a flat, 2D image.
I don't currently have the equipment needed to duplicate this process, so I can't confirm if it works as suggested. Naturally, I asked Samsung if it could take a look at the video and either confirm that it was a hoax, or look into the matter and get back to me. A spokesperson replied:
"We are aware of the issue, but we would like to assure our customers that the iris scanning technology in the Galaxy S8 has been developed through rigorous testing to provide a high level of accuracy and prevent attempts to compromise its security, such as images of a person’s iris. If there is a potential vulnerability or the advent of a new method that challenges our efforts to ensure security at any time, we will respond as quickly as possible to resolve the issue."
That doesn't exactly suggest that the video is a hoax. It may also suggest that Samsung will be able to make changes to the software that might make this harder to use in future.
So what then? Well, obviously the security of both iris scans and fingerprints can be circumvented. In reality, for most people, it's not an issue. You don't tend to let others near your phone unattended, so they would be unlikely to break in. Secondly, you might be suspicious about someone taking a photo with an ageing Sony camera.
That said, quite a lot of cameras can be modified to have their IR filter removed. This might not be entirely obvious to the person having their photo taken. So if someone has a good IR photo of you and access to your phone, then they may well be able to get in. This doesn't mean that your phone is unprotected from the sort of casual unauthorised access we are all most worried about.
If security is important, the best advice is always to stick with a good passcode on your phone and device encryption. For most of us the risks are low enough here to ignore the problem. That might or might not be wise, but biometrics do at least offer some form of security that's low impact and reasonably secure.