We already knew that the Galaxy S8’s facial unlock feature could be easily fooled with just a simple photograph of the device owner, but now hackers have also discovered a simple way to bypass the iris-based authentication, which Samsung wants you to think is unbeatable.
All it took for the German hacking group Chaos Computer Club (CCC) to break the Galaxy S8’s iris-recognition system was a camera, a printer, and a contact lens.
Video Demonstration — Bypassing Iris Scanner
The process was very simple.
Since the iris scanner uses infrared light, the group printed out a life-size infrared image of one eye using a Samsung printer and placed a contact lens on top of the printed picture to provide some depth.
The Samsung Galaxy S8 instantly recognized the mere photo as being a “real” human eye and unlocked the phone, giving hackers full access to the phone, including Samsung Pay.
“The patterns in your irises are unique to you and are virtually impossible to replicate, meaning iris authentication is one of the safest ways to keep your phone locked and the contents private,” Samsung’s official website reads.
Here’s what Samsung said about the iris-recognition system hack:
“We are aware of the issue, but we would like to assure our customers that the iris scanning technology in the Galaxy S8 has been developed through rigorous testing to provide a high level of accuracy and prevent attempts to compromise its security, such as images of a person’s iris. If there is a potential vulnerability or the advent of a new method that challenges our efforts to ensure security at any time, we will respond as quickly as possible to resolve the issue.”
This is not the first time the CCC has hacked into biometric systems.
In March 2013, the CCC group managed to fool Apple’s TouchID fingerprint authentication system.
So, it is a good reminder for people to always stick to a strong passcode and device encryption to secure their devices, instead of relying on biometric features, such as fingerprint scans, iris scans, or facial recognition, that can eventually be broken by a determined hacker.