Chaos Computer Club (CCC) security researcher Jan Krissler (nicknamed “Starbug”) has bypassed the Samsung Galaxy S8’s iris-based authentication system just one month after the phone started shipping.
Biometric Troubles
The same researcher who has now tricked Samsung’s iris-based authentication system also bypassed the iPhone’s Touch ID fingerprint recognition system with a mold of a fingerprint. Not long after that, Krissler bypassed Apple’s fingerprint authentication system using photos of fingers downloaded from the internet.
Samsung’s own Galaxy S8 ships with a fingerprint sensor as well as face and iris recognition. Samsung does not seem to have learned much from the mistakes that keep being repeated in face authentication systems: the S8’s face recognition was bypassed with a simple photo on launch day.
As previous research has shown, even the best face recognition systems are locked in a cat-and-mouse game with those trying to bypass them, and in practice most such systems can be defeated with little effort.
Iris scanning systems don’t seem to be much better. They work on the same principle as face scanning systems, except that they analyze iris features instead of facial features. In theory this should be harder to bypass, but as Krissler has now shown, in practice the difficulty isn’t much greater.
"The security risk to the user from iris recognition is even bigger than with fingerprints, as we expose our irises a lot. Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris," said Dirk Engling, spokesperson for the CCC.
A Photo Enough To Bypass Iris Scanning
According to Krissler, who uncovered the issue, the Samsung Galaxy S8 iris authentication system can be bypassed by high-quality photos, including selfie photos that you may upload to Facebook or elsewhere on the internet.
However, the easiest way to capture a usable iris image right now is to photograph the target with a digital camera fitted with a 200mm lens from a distance of up to five meters. That also means you don’t have to upload any photos online for someone to capture your iris profile.
The attacker then prints the photo on a laser printer and places a contact lens on top of the printed iris to emulate the curvature of a real eye. That is enough to make the Galaxy S8’s iris authentication system believe a real eye is in front of it.
Samsung has enabled iris authentication for Samsung Pay, which means a successful attack unlocks both the phone itself and the company’s own payment system. Other companies, including banks, are now considering iris scanning as the main authentication method for ATMs. If their systems can be bypassed as easily as the Galaxy S8’s iris authentication was, that could spell trouble for the banks’ customers.
"If you value the data on your phone – and possibly want to even use it for payment – using the traditional PIN-protection is a safer approach than using body features for authentication," warned Engling.