When it comes to security and the iris recognition technology used in its flagship Galaxy S8 smartphone, Samsung touted, “The patterns in your irises are unique to you and are virtually impossible to replicate, meaning iris authentication is one of the safest ways to keep your phone locked and the contents private.”
A couple of members of the German Chaos Computer Club (CCC), already renowned for hacking biometric logins, show in a newly released video how to fool the Galaxy S8’s iris scanner with a digital photograph, an office printer and a contact lens.
As demonstrated by Jan Krissler of the Chaos Computer Club, it’s possible to bypass the feature using a photograph of the owner’s eye taken from 15 feet away. Because the iris scanner uses infrared light, the night mode on the camera was enabled, according to a new report from Security Week.
The picture was printed on a regular laser printer, and a wet contact lens was then simply placed over the eye in the printout. Once the paper was held in front of the Galaxy S8’s eye scanner, the unauthorised party was in, with access to everything.
Samsung has since responded, and has said that while the iris scanning tech has been thoroughly tested, it will investigate the CCC’s methods.
“We were aware of the report, but would like to assure our customers that the iris scanning technology in the Galaxy S8 has been developed through rigorous testing to provide a high level of accuracy and prevent against attempts to compromise its security, such as images of a person’s iris,” a Samsung spokesperson told The Inquirer.
“The reporter’s claims could only have been made under a rare combination of circumstances,” the spokesperson continued. “It would require the unlikely situation of having possession of the high-resolution image of the smartphone owner’s iris with IR camera, a contact lens and possession of their smartphone at the same time. We have conducted internal demonstrations under the same circumstances however it was extremely difficult to replicate such a result.”
“Nevertheless, if there is a potential vulnerability or the advent of a new method that challenges our efforts to ensure security at any time, we will respond as quickly as possible to resolve the issue.”