
How good are selfies these days? Good enough to fool Samsung Galaxy S8 biometrics

Iris-scanner defeated with a camera in night mode, a contact lens, and a printer

By Richard Chirgwin, 24 May 2017

Chaos Computer Club's "Starbug" has taken a look at the Samsung Galaxy S8's iris-scanning authentication feature and found you can beat it with a photograph.

The tools the group used aren't even remotely sophisticated: a camera in night mode, a contact lens, and a printer.

To fool the sensor, supplied to Samsung by Princeton Identity, the “attacker” took a photo of the subject from a few metres' distance, printed it out, and dropped the contact lens over the iris to imitate the curvature of an eye (note: the CCC video doesn't mention this, but you'd have to get the printout aspect right, so as to make the iris the same size as the contact lens).

When that image was presented to the camera, the phone unlocked, right on cue.

As CCC spokesperson Dirk Engling says in the group's announcement, the integration between authentication and Samsung Pay means someone who can trick your phone can also spend your money.

Night mode (that is, infrared filter switched off) is important, because with infrared in the image, “the fine, normally hard to distinguish details of the iris of dark eyes are well recognisable.”

Starbug (biometrics specialist Jan Krissler, who has plenty of form wielding cameras against biometrics) says a good digital camera with a 200mm lens gets a decent iris image at up to five metres.

CCC's advice: use a PIN to unlock the phone. ®
