We can’t say spy movies didn’t warn us – but I am surprised at just how quickly hackers found a way to bypass iris recognition with contact lenses.
You don’t even need Charlie’s Angels-type skills – just having a decent-enough photo of the phone’s owner and a random clear contact lens was enough.
The flaw was discovered by Chaos Computer Club, a European association of hackers.
They have previously bypassed other biometric security systems such as Apple’s TouchID, but turned their attention to iris scanners thanks to the release of Samsung’s latest flagship – the Galaxy S8.
“A new test conducted by CCC hackers shows that this promise [of security] cannot be kept: With a simple to make dummy-eye the phone can be fooled into believing that it sees the eye of the legitimate owner,” the group said on their website.
“If you value the data on your phone – and possibly want to even use it for payment – using the traditional PIN-protection is a safer approach than using body features for authentication”, CCC’s spokesperson Dirk Engling said in their statement.
While selfies uploaded to the internet sometimes sufficed, CCC found the best way to circumvent the S8’s iris scanner security is to get a Night Mode or infrared photo of the phone’s owner.
The full method can be seen in the video below:
Why Now Though?
While iris scanners sound like fancy new technology, they have actually been around for a few years. Microsoft implemented the technology in some of their Lumia phones – with fast and effective recognition.
However, Microsoft’s phones never became mainstream hits in most markets. With the Galaxy S8, by contrast, CCC expects the technology to become hugely popular.
It is also being implemented into security systems for other industries (yay, the future is here).
“Iris recognition in general is about to break into the mass market: Access control systems, also at airports and borders, mobile phones, the inevitable IoT devices, even payment solutions and VR systems are being equipped with the technology,” CCC said.
“But biometric authentication does not fulfill the advertised security promises.”
Don’t believe the hackers?
Well, the allegations have enough weight that Samsung is looking into the matter.
But as Android Authority points out, the experiment was carried out under controlled conditions. This means it would be harder to pull off in a real-life situation.
However, Engling said that high-resolution images from the web could be used to bypass iris technology in some situations.
“The security risk to the user from iris recognition is even bigger than with fingerprints as we expose our irises a lot. Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris”, he said.
Looks like some of us will have to stick with good old-fashioned pin codes…
What is your preferred system for smartphone security? Let me know in the comments below…