The Internet is buzzing with a shocking discovery that the iris scanner authentication on the Galaxy S8 is so easy to bypass. Hackers with the Chaos Computer Club in Germany said they were able to bypass the iris scan with less than $725 worth of equipment. All that is required is a digital camera, a laser printer and a contact lens. The hack required taking a picture of the subject's face, printing it on paper, superimposing the contact lens, and holding the image in front of the locked Galaxy S8. "Iris recognition may protect a phone against complete strangers unlocking it, but whoever has a photo of the legitimate owner can trivially unlock the phone," said Chaos Computer Club (CCC) spokesperson Dirk Engling. Samsung responded to the news by releasing the following statement:
"We are aware of the issue, but we would like to assure our customers that the iris scanning technology in the Galaxy S8 has been developed through rigorous testing to provide a high level of accuracy and prevent attempts to compromise its security, such as images of a person's iris. If there is a potential vulnerability or the advent of a new method that challenges our efforts to ensure security at any time, we will respond as quickly as possible to resolve the issue."
This shouldn't surprise anyone. It is well known that consumer grade biometrics are easy to bypass and are not very secure. The touch ID scanner on the iPhone has been compromised many times and there are similar hacks with Android fingerprints. According to Dirk Engling, "If you value the data on your phone – and possibly want to even use it for payment – using a traditional PIN is a safer approach." I'll take it a step further and state that an unlock password is even better than a PIN, which is limited to numbers only.
E-mail: email@example.com Phone: 703.359.0700
Digital Forensics/Information Security/Information Technology