Samsung Galaxy S8 iris scanner also hacked, following facial recognition

Samsung wanted you to believe that its security features can be trusted, facial recognition aside, which was fooled into unlocking the phone with a mere photo of the owner. But it seems the Galaxy S8's other prominent security feature, the iris scanner, is not foolproof either.

A security researcher at the Chaos Computer Club (CCC) in Berlin has now defeated the iris scanner, one of the prominent security features of the Galaxy S8, with nothing but a camera, a printer, and a contact lens.

This took a little bit of work, but it goes exactly like the fooling of the facial recognition, which Samsung later justified by saying that it is only used for unlocking the screen and does not work with Samsung Pay. Now we have to wait and see whether Samsung says the same about the iris scanner.

How was the iris scanner fooled?

The security researcher at CCC, Jan Krissler, aka Starbug, used a Sony digital camera and its night mode settings to capture an image of the eyes of his friend, whose Galaxy S8 was to be hacked. Second, he used a laser printer to print out a high-quality image of an eye. Third, he glued a contact lens to the printed eye to provide faux depth.

That's it: the iris scanner in the Galaxy S8 couldn't tell the difference between an actual eye and a printed one. In fact, the video shows how instantly the Galaxy S8 unlocked when the hacker held the printed eye in front of it.

While a night-mode capture from a digital camera was used, a high-res selfie could also expose this vulnerability of the Galaxy S8

Iris pattern details come out sharp when the picture is shot in night mode and/or with the infrared filter removed. However, the hacker notes, “the security risk to the user from iris recognition is even bigger than with fingerprints as we expose our irises a lot. Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris.”

A traditional PIN is the safest option on your phone

“Iris recognition may protect a phone against complete strangers unlocking it, but whoever has a photo of the legitimate owner can trivially unlock the phone,” said Dirk Engling of the Chaos Computer Club (CCC). “If you value the data on your phone – and possibly want to even use it for payment – using a traditional PIN is a safer approach.”