The German Chaos Computer Club has released a video demonstrating how the iris scanner on Samsung's latest Galaxy S8 smartphone - and, by extension, any device relying on the same technology - can be defeated with no more than a photograph and a contact lens.
Biometric authentication has proven popular in the mobile realm. For a device which you are likely to lock and unlock dozens of times a day and which lacks a comfortable text-entry system, the ability to bypass patterns, PINs, or passwords with the tap of a finger or an unblinking stare offers considerable convenience. Sadly, that convenience often comes at the cost of security, at least when pitted against a sufficiently motivated attacker: back in 2014 the Chaos Computer Club demonstrated how to duplicate fingerprints from high-resolution photographs of politicians' hands, taken through a telephoto lens at public events, with a high enough quality to bypass fingerprint recognition systems.
Now, the Chaos Computer Club is at it again with the demonstration of a method for bypassing the iris scanner built into Samsung's flagship Galaxy S8 smartphone. Although the demonstration used photographs taken with a digital camera set to night-vision mode or with its built-in infrared filter removed, shooting from a distance of up to five metres through a 200mm telephoto lens, CCC's Dirk Engling warned: 'The security risk to the user from iris recognition is even bigger than with fingerprints as we expose our irises a lot. Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris.'
Once an image of the iris has been captured, the team's technique sees it printed out on a low-cost off-the-shelf laser printer. By placing a disposable contact lens over the image, the sensor is fooled into thinking it is viewing a real eye - and the phone immediately unlocks.
'If you value the data on your phone – and possibly want to even use it for payment – using the traditional PIN-protection is a safer approach than using body features for authentication,' Engling added following the group's demonstration video, which is available in English on the CCC website.