Samsung's 'Airtight' Iris Scanning Technology For The S8 Defeated With A Camera, Printer, And Contact Lens
from the a-new-theatre-for-security dept
The thing about biometric scanning as a security practice is that it is one of those things that sounds great. “Lock your phone with your fingerprint or facial scan”, shout the manufacturers and security companies that came up with the scans. Well, shit, thinks the average person, if nobody else has my face I’m in the clear. Even when movies and television tackle the subject, the methods for breaking the biometric security typically involve convoluted plans and insane stunts so brazen they would make Danny Ocean’s jaw drop.
The problem is that the hype around this tech is typically more effective than the tech itself. Fingerprint scanners are easily fooled and facial recognition software has been shown to be defeatable by, and I swear this is true, printouts of a person’s face. That isn’t security, it’s a punchline. So, when Samsung and its security partner decide to pimp the iris-scanning security feature of the Galaxy S8 with language like “airtight” and suggestions that owners of the phone can “finally trust that their phones are protected”, one would expect those claims to be backed up by strong technology.
Hackers have broken the iris-based authentication in Samsung’s Galaxy S8 smartphone in an easy-to-execute attack that’s at odds with the manufacturer’s claim that the mechanism is “one of the safest ways to keep your phone locked.”
The cost of the hack is less than the $725 price for an unlocked Galaxy S8 phone, hackers with the Chaos Computer Club in Germany said Tuesday. All that was required was a digital camera, a laser printer (ironically, models made by Samsung provided the best results), and a contact lens. The hack required taking a picture of the subject’s face, printing it on paper, superimposing the contact lens, and holding the image in front of the locked Galaxy S8. The photo need not be a close up, although using night-shot mode or removing the infrared filter helps. The hackers provided a video demonstration of the bypass.
As they did in the previous facial recognition flaw post referenced above, some will, at this point, be diving for their keyboards to point out that this type of security isn’t really designed to make a device impermeable. Rather, it’s to keep easy break-ins from occurring. And, hey, that’s true! Good job, you guys! The problem here isn’t that Samsung’s security tech failed to be 100% effective. It’s that it’s barely effective, yet at the same time Samsung is pitching it as the end of phone break-ins. I’m not the one making wild claims here; they are.
And this tech is going to be rolled out in a big way, likely pitched to the public in the same manner.
“Iris recognition is the next big thing with mobile devices,” Starbug wrote in an e-mail. “The technology, especially with the packed space and low computing power of mobile devices, is hard to make hack proof. You can’t hide your iris, and it’s even worse than fingerprints.” At the same time, “mobile devices are holding more and more sensitive data.”
Advertising this iris security as “airtight” is actively misleading the public about the security of a device that is becoming all the more important, and one on which the public is more and more often storing sensitive information. For a company like Samsung to be so vociferous in its claims in light of this easy workaround ought to result in a ding to its credibility.
Compared with biometrics generally, a good PIN is probably still your best bet. The tech may improve to the point of being the most effective option some day, but we’re not there yet.