Researchers Bypass Samsung Galaxy S8's Iris Recognition System With A Photo And A Contact Lens

Chaos Computer Club (CCC) security researcher, Jan Krissler (nicknamed “Starbug”) has bypassed the Samsung Galaxy S8’s iris-based authentication system just one month after the phone started shipping.

Biometric Troubles

The same researcher who has now tricked Samsung’s iris-based authentication system was also the one to bypass the iPhone’s Touch ID fingerprint recognition system with a mold of a fingerprint. Not long after that, Krissler was also able to bypass Apple’s fingerprint authentication system using photos of fingers downloaded from the internet.

Samsung’s own Galaxy S8 comes with a fingerprint sensor, as well as face and iris recognition systems. Samsung doesn’t seem to have learned much from the mistakes that keep being repeated in face authentication systems, because the S8’s face recognition was bypassed with a simple photo on the day of launch.

As we’ve seen from previous research, even the best face recognition systems play a cat and mouse game with those who want to bypass such systems. In practice, most systems like these can be easily defeated.

Iris scanning systems don’t seem to be much better, either. They work on the same principle as face scanning systems, except that they analyze iris features instead of facial features. In theory, this should be harder to bypass, but as Krissler has now shown, the difficulty isn’t much greater.

"The security risk to the user from iris recognition is even bigger than with fingerprints, as we expose our irises a lot. Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris," said Dirk Engling, spokesperson for the CCC.

A Photo Enough To Bypass Iris Scanning

According to Krissler, who uncovered the issue, the Samsung Galaxy S8 iris authentication system can be bypassed by high-quality photos, including selfie photos that you may upload to Facebook or elsewhere on the internet.

However, the easiest way to bypass the Galaxy S8 iris scanner right now is to take photos with a digital camera fitted with a 200 mm lens from a distance of up to five meters. That also means you don’t have to upload your photos online for someone to capture your iris profile.

An attacker would then have to print the photo on a laser printer and place a contact lens over the iris on the printout to emulate the curvature of the eye. That is how a photo could trick the Galaxy S8’s iris authentication system into thinking a real eye is in front of it.

Samsung has enabled iris authentication for “Samsung Pay,” which means that a successful attack can unlock both the phone itself as well as the company’s own payment system. Other companies, including banks, are now considering using iris scanning as the main authentication method for ATMs. If their security can be just as easily bypassed as Samsung’s Galaxy S8’s iris authentication was, that could spell trouble for the banks' customers.

"If you value the data on your phone – and possibly want to even use it for payment – using the traditional PIN-protection is a safer approach than using body features for authentication," warned Engling.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Jake Hall
    Should have gone retinal, Samsung... don't get cheap on me
  • DookieDraws
    D'OH!
  • InvalidError
    19727839 said:
    Should have gone retinal, Samsung... don't get cheap on me
    I would never recommend relying on biometrics as a password replacement, as it is merely a matter of time before someone finds a way to fool the sensors, and there is no way for you to prevent a would-be aggressor from coercing the ID out of you, with or without your knowledge. Also, once your biometric ID has been compromised, there is no practical way for you to change it.

    Biometrics as the only authentication factor are only suitable for low-security applications where biometrics are used more for convenience than security.
  • 10tacle
    On another note, what is up with Samsung and their Galaxy updates so frequently? I'm still using my one and a half year old Note 5 when they had the matching Galaxy S6. Now they are coming out with the 4K Note 8 this fall (they skipped the Note 6 series and went with the exploder Note 7) and Galaxy S9 next spring.

    I can't keep up anymore but I guess I'm getting old - I like to keep my phones for 3 years or so before feeling the need to upgrade (better cameras, better resolution, larger screen, better Android support from the carrier, etc.). And now that carriers (in the US anyway) make you buy the phone up front instead of "giving" you one with a new 2-year subsidized contract, it's just becoming ridiculous.
  • alextheblue
    19727996 said:
    19727839 said:
    Should have gone retinal, Samsung... don't get cheap on me
    I would never recommend relying on biometrics as a password replacement, as it is merely a matter of time before someone finds a way to fool the sensors, and there is no way for you to prevent a would-be aggressor from coercing the ID out of you, with or without your knowledge. Also, once your biometric ID has been compromised, there is no practical way for you to change it.

    Biometrics as the only authentication factor are only suitable for low-security applications where biometrics are used more for convenience than security.

    Exactly, low-security or as a tertiary factor. Anyway, has anyone bypassed the Windows Hello iris or facial recognition with something similar yet? It's still breakable, I'm certain; it's still biometrics and the same rules apply, but it seems to be a cut above the others.
  • mrmez
    Ouch!
    Plenty of photos of my face around.
    Not so many of my fingerprints.
  • therealduckofdeath
    If you notice someone taking a photo of you with a 200 mm lens less than five metres away, you really should be worried. :)
    Remember, you literally will have to look at the perp for them to succeed.
  • humorific
    Biometrics were always fool's gold. As much as everyone likes to bash passwords, ultimately they are still the best, most secure, most flexible option, and likely to stay that way. Remember, the purpose of security is to be secure, not convenient.
  • 19728903 said:
    So you don't have ANY photos of your face ANYWHERE?

    Nothing on Facebook, Twitter, Tumblr, Twitch, Tinder, Youtube, etc etc etc.

    You must be very paranoid or very ugly.
    Or maybe they're just not vain enough to want the whole world to see their pictures.
  • Shagoii
    I think that the person could select more than one method of security. Example:
    Iris + biometric
    or password + PIN code
    or PIN code + iris
    or password + iris + biometric
    or password + PIN code + iris + biometric

    If the person wants security, they select more than one; if not, they select one or none.