It takes nothing more than a photograph and a contact lens to trick the phone’s mobile security feature.
The sophisticated and hyped smartphone iris scanner in the Samsung Galaxy S8 isn’t quite as secure as marketing claims have suggested. A German hacking group called the Chaos Computer Club has found a simple way around what Samsung called “one of the safest ways to keep your phone locked.”
The electronics giant said that the patterns on a person’s iris are “virtually impossible to replicate.”
Even so, members of the German club took a photo of a person in night mode from a medium distance (the type of distance used, for example, for a selfie or social profile pic), zoomed in, printed the eye and set a clear contact lens over the photo paper. That was all it took to replicate the look of the eye to the degree needed for the smartphone iris scanner to accept it. The printed image reproduced the iris, and the contact lens reproduced the eye’s curvature.
The Chaos Computer Club detailed its smartphone iris scanner trick in a recent blog post.
The post described holding a paper with a contact lens on it up to the scanner, which unlocked the phone just as it would have if a real person had looked into the scanner with their eye.
“The security risk to the user from iris recognition is even bigger than with fingerprints as we expose our irises a lot,” said Dirk Engling, a Chaos Computer Club (CCC) spokesperson. “Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris.”
At the time this article was written, Samsung had yet to reply to requests for comment on the function of the mobile security technology and the way the CCC found to circumvent it.
Samsung is far from alone in using biometrics as mobile security scanners. Many brands are already using fingerprint scanners to unlock their devices. Rumor also has it that Apple is currently working on smartphone iris scanner technology and features for its next iPhone. That said, in the tradition of that company, none of the rumors about its unreleased products have been officially confirmed.
Update: Since this article was first published, Samsung has released a statement saying that it was aware of the issue and that, based on its analysis of the video describing the methods used by the hacking group, Galaxy S8 owners should feel little-to-no concern over the possibility of having their phones or Samsung Pay wallets broken into using the iris scanner. “You need a camera that can capture infrared light (used in the video), which is no longer available in the market. Also, you need to take a photo of the owner’s iris and steal his smartphone. It is difficult for the whole scenario to happen in reality,” said a company spokesperson to the media.