The Chaos Computer Club has demonstrated how to bypass the Galaxy S8 Iris Scanner with just a printed photo and a contact lens.
Samsung claims “Iris authentication is one of the safest ways to keep your phone locked and its contents private” but after watching this video, you’ll likely disagree.
Iris recognition may be barely sufficient to protect a phone against complete strangers unlocking it. But whoever has a photo of the legitimate owner can trivially unlock the phone. “If you value the data on your phone – and possibly want to even use it for payment – using the traditional PIN-protection is a safer approach than using body features for authentication”, says Dirk Engling, spokesperson for the CCC. Samsung announced integration of their iris recognition authentication with its payment system “Samsung Pay”. A successful attacker gets access not only to the phone’s data, but also the owner’s mobile wallet.
The security risk with iris-based authentication is arguably even worse than with fingerprint scanners such as Apple’s Touch ID, which is also easily bypassed. According to the CCC, Samsung’s iris scanner can be circumvented with a high-resolution picture from the Internet, or with a photo taken by a good digital camera with a 200mm lens from up to five meters away. Because the scanner illuminates and images the iris in near-infrared light, an ordinary visible-light photo is not enough: you’ll need to shoot with the camera’s infrared filter removed to capture the iris detail the scanner actually matches on.
Security researcher Starbug printed the iris picture on a laser printer, ironically getting the best results with laser printers made by Samsung. Then, to emulate the curvature of a real eye’s surface, he placed a contact lens on top of the print. This was enough to fool the system.
Take a look at the hack in action below…