Cyber Security

Hackers Spoof Samsung Iris Scanners With A Photo And Contact Lens

The new iris scanner on Samsung's Galaxy S8 makes it painfully easy for criminals to unlock your phone

May 23, 2017 at 3:26 PM ET

The Samsung Galaxy S8 is the first commercially available smartphone with a built-in iris scanner. And according to hackers with Germany’s Chaos Computer Club, it’s possible to fool that scanner using nothing more than an ordinary contact lens and a photo of the owner’s eye.

Samsung introduced iris scanning into the S8 as an alternate way of unlocking the device and authorizing payments. Instead of typing a passcode or using a fingerprint, the owner simply needs to look into the phone’s camera. But the hackers quickly came up with a simple method for fooling the scanner using a “dummy eye,” made by simply putting a contact lens over a black-and-white photo of the owner’s eye.

That means if you enable the phone’s iris recognition feature to authorize payments or lock your device, all someone with physical access to your device would need to do is get a photo of your eye and make a quick trip to the local drug store.

“The security risk to the user from iris recognition is even bigger than with fingerprints, as we expose our irises a lot,” Dirk Engling, a spokesperson for the CCC, said in a blog post on the hacker group’s website. “Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris.”

In their testing, the CCC hackers say they were able to get a good enough photo using a digital camera shooting with a 200mm lens in “night mode,” from up to 16 feet away. After printing the photo (ironically, the best results came from a Samsung laser printer), the hackers applied a contact lens to simulate the curvature of the eye’s surface, successfully fooling the iris scanner and unlocking the device.

The hack is yet another example of how novel forms of biometric authentication remain insecure, despite being widely implemented by manufacturers in smartphones and other devices. The CCC has previously demonstrated how fingerprint readers can be similarly spoofed: In 2014, the group successfully unlocked the phone of Germany’s Defense Minister by taking a photo of her finger and using it to create a false fingerprint.

Other biometric unlock methods have also been shown to be vulnerable. Last year, researchers were able to circumvent the “face unlock” feature in many smartphones by downloading Facebook photos of their owners, pasting them onto 3D head models, and manipulating the models inside a VR headset.

“If you value the data on your phone — and possibly want to even use it for payment — using the traditional PIN-protection is a safer approach than using body features for authentication,” Engling said.