While biometrics are coming into serious vogue for device security, volunteer researchers at the Chaos Computer Club say they've already cracked into Samsung's red-hot Galaxy S8 smartphone, which uses an iris recognition system for security.
The S8 is the first major smartphone to feature iris recognition technology, which is supplied to Samsung by Princeton Identity. It's supposed to provide bulletproof security thanks to the unique characteristics of each person's eyes. But according to the CCC, there's a simply workaround to the system, as they explained in a blog post:
[W]hoever has a photo of the legitimate owner can trivially unlock the phone. "If you value the data on your phone – and possibly want to even use it for payment—using the traditional PIN-protection is a safer approach than using body features for authentication," says Dirk Engling, spokesperson for the CCC.
However, it will take some doing for a thief to get the kind of photograph they need.
The easiest way for a thief to capture iris pictures is with a digital camera in night-shot mode or the infrared filter removed. In the infrared light spectrum – usually filtered in cameras – the fine, normally hard to distinguish details of the iris of dark eyes are well recognizable. Starbug was able to demonstrate that a good digital camera with 200mm-lens at a distance of up to five meters is sufficient to capture suitably good pictures to fool iris recognition systems.
If all structures are well visible, the iris picture is printed on a laser printer. Ironically, we got the best results with laser printers made by Samsung. To emulate the curvature of a real eye’s surface, a normal contact lens is placed on top of the print. This successfully fools the iris recognition system into acting as though the real eye were in front of the camera.
The CCC has provided a video demonstration of the hack at this link.
This technique won't easily provide mass-scale penetration of iris-recognition protected devices, but thieves and others intent on stealing private data can certainly be resourceful. Iris recognition is set to become more widely used, and not just in smartphones but also in airports, VR systems and payment services, as the CCC notes. Now is the time for users to be aware of its limitations and for manufacturers to start working on solutions.
The CCC previously hacked the iPhone's TouchID fingerprint scanner. Their cautions are well worth listening to, says Constellation Research VP and principal analyst Steve Wilson.
"Iris is often hyped as the 'gold standard' biometric," he says. "This myth was borne in some basic research decades ago by John Daugman at Cambridge in the UK. Daugman found that the iris pattern is formed randomly in the womb, and measured its entropy, or randomness, as 10 to the power of 70."
There are more possible iris variations than atoms in the universe, which sounds impressive but it doesn't translate into real world precision because of sensor imprecision, Wilson adds. And even if it did, spoofability is a different story, as the CCC's research shows.
Still, the CCC's demonstration on the S8 "doesn't spell doom," Wilson says. "The good thing about 1:1 biometrics for unlocking mobile devices is that you still need to lose your phone to be at risk."
However, users can't be complacent if they do in fact lose a biometric-protected device and must get their accounts cleared as soon as possible. Moreover, "it's folly to rank any biometric as inherently better than any other," Wilson says. "The fine detailed specifications matter."
"Remember: biometrics don't work like they seem to in the sci fi movies," he adds. "You have to get professional advice and you have to do your own risk assessments before locking up valuables behind biometric security systems. No security system is 100%."
24/7 Access to Constellation Insights
Subscribe today for unrestricted access to expert analyst views on breaking news.
