Samsung's 'Airtight' Iris Scanning Technology For The S8 Defeated With A Camera, Printer, And Contact Lens

from the a-new-theatre-for-security dept

The thing about biometric scanning as a security practice is it is one of those things that sounds great. "Lock your phone with your fingerprint or facial scan", shout the manufacturers and security companies that came up with the scans. Well, shit, thinks the average person, if nobody else has my face I'm in the clear. Even when movies and television tackle the subject, the methods for breaking the biometric security typically involve convoluted plans and insane stunts so brazen they would make Danny Ocean's jaw drop.

The problem is that the hype around this tech is typically more effective than the tech itself. Fingerprint scanners are easily fooled and facial recognition software has been shown to be defeatable by, and I swear this is true, printouts of a person's face. That isn't security, it's a punchline. So, when Samsung and its security partner decide to pimp the iris-scanning security feature of the Galaxy S8 with language like "airtight" and suggestions that owners of the phone can "finally trust that their phones are protected", one would expect those claims to be backed up by strong technology.

It isn't.

Hackers have broken the iris-based authentication in Samsung's Galaxy S8 smartphone in an easy-to-execute attack that's at odds with the manufacturer's claim that the mechanism is "one of the safest ways to keep your phone locked."

The cost of the hack is less than the $725 price for an unlocked Galaxy S8 phone, hackers with the Chaos Computer Club in Germany said Tuesday. All that was required was a digital camera, a laser printer (ironically, models made by Samsung provided the best results), and a contact lens. The hack required taking a picture of the subject's face, printing it on paper, superimposing the contact lens, and holding the image in front of the locked Galaxy S8. The photo need not be a close up, although using night-shot mode or removing the infrared filter helps. The hackers provided a video demonstration of the bypass.

As they did in the previous facial recognition flaw post referenced above, some will, at this point, be diving for their keyboards to point out that this type of security isn't really designed to make a device impermeable. Rather, it's to keep easy break-ins from occurring. And, hey, that's true! Good job, you guys! The problem here isn't that Samsung's security tech failed to be 100% effective. It's that it's barely effective, yet at the same time Samsung is pitching it as the end of phone break-ins. I'm not the one making wild claims here; they are.

And this tech is going to be rolled out in a big way, likely pitched to the public in the same manner.

"Iris recognition is the next big thing with mobile devices," Starbug wrote in an e-mail. "The technology, especially with the packed space and low computing power of mobile devices, is hard to make hack proof. You can't hide your iris, and it's even worse than fingerprints." At the same time, "mobile devices are holding more and more sensitive data."

Advertising this iris security as "airtight" is actively misleading the public on the security of a device becoming all the more important and one on which the public is more often storing sensitive information. For a company like Samsung to be so vociferous in its claims in light of this easy workaround ought to result in a ding to its credibility.

For biometrics generally, a good pin number is probably still your best bet. The tech may improve to the point of being the most effective option some day, but we're not there yet.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Anonymous Anonymous Coward (profile), 26 May 2017 @ 5:57pm

    Bio-metrics

    Ever since I heard about bio-metrics (long ago and far away), I was concerned that once my fingerprint, iris, or whatever was digitized all a bad person, or a person who is supposedly good (government lackey) had to do was copy those digits.

    As many others have said, bio-metrics make sense as an ID or user name, not for a password. Even then, someone else spoofing my 'digits' to impersonate me is not a good thing.

    reply to this | link to this | view in chronology ]

    • icon
      ShadowNinja (profile), 30 May 2017 @ 5:52am

      Re: Bio-metrics

      Not to mention the police and other bad guys violating your rights can force you to unlock your bio-metrics/iris stuff pretty easily.

      Passwords however can't be stolen so easily.

      reply to this | link to this | view in chronology ]

  • identicon
    Pixelation, 26 May 2017 @ 6:36pm

    Eyes open

    Not looking good for Samsung.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 26 May 2017 @ 6:38pm

    From the last two decades' DRM wars to the recent CIA&NSA malware leaks, it should be obvious that every electronic "security" feature ever conceived can and will be broken, in many cases with the simplest of tools and methods.

    Yet as always the hype will continue, as every new development (in a never ending chain) in "security" gets touted as the absolute final solution ... until it's obviously not.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 26 May 2017 @ 7:04pm

    Technical question about phone security

    Personally, I think you're being a little hard on Samsung. But that is just my opinion. My technical question is: no one actually encrypts the raw data on a phone, right? If they did, then you could not easily and rapidly change the password, because the encrypted data would have to be rewritten. So, why is not obvious to the casual observer that just copying and analyzing the raw data on the internal flash will "break" all the security on a phone, just as it would on Windows or pretty much any other OS? There is no "encryption at rest" on phones, right? There must be some reason this is not trivially easy to break into, basically the equivalent of booting a Windows machine on another disk and then poking around on the original boot drive. Any phone data storage experts out there?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 26 May 2017 @ 10:37pm

      Re: Technical question about phone security

      Personally, I think you're being a little hard on Samsung.

      I'd say not hard enough, considering they're being dishonest.

      My technical question is: no one actually encrypts the raw data on a phone, right? If they did, then you could not easily and rapidly change the password, because the encrypted data would have to be rewritten.

      Not true. Are you dishonest, like Samsung, or just ignorant?

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 26 May 2017 @ 11:46pm

        Re: Re: Technical question about phone security

        Well, gosh, your questions are kind of a mirror into your inner world, aren't they? I express an opinion, ask a question, and I am either dishonest or ignorant (probably both). Are those my only choices? Maybe it was an honest question. I've never actually encrypted a phone, never had a need to.

        Regarding Samsung, how are they different from every other company that is trying to peddle their product? Look at your own TechDirt products that you peddle. Likely their benefits are overblown a little, right? I have no idea why your expectation of Samsung would be higher than everyone else, is yours a paid opinion? Or do you have a particular ax to grind?

        reply to this | link to this | view in chronology ]

        • icon
          Ben S (profile), 27 May 2017 @ 1:58am

          Re: Re: Re: Technical question about phone security

          Can't say for every implementation, but usually there's an encrypted decryption key on a keyring. Change your password, and the encrypted key gets rewritten, but that's it. This makes changing your password a fairly simple thing, update the file/database entry for your password, and rewrite the decryption key to be encrypted (and decrypted) with your password.

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 27 May 2017 @ 2:11am

            Re: Re: Re: Re: Technical question about phone security

            Which would imply that the original data was written without any reference to the encryption key, right, since the encryption key can change without changing the data. Does that follow?

            reply to this | link to this | view in chronology ]

            • icon
              Aaron Walkhouse (profile), 27 May 2017 @ 7:29am

              When you change a password it adds a key without immediately
              deleting the old one. ‌‌ New data is encrypted to the new key
              and old data is slowly converted in the background. ‌‌

              Once all the data is updated the old key is deleted. ‌‌

              The whole process is not so slow or inefficient that it
              drains your battery before completion.

              reply to this | link to this | view in chronology ]

              • icon
                Aaron Walkhouse (profile), 27 May 2017 @ 7:34am

                Also, Ben S is right that filesystem encryption is a layer
                removed from your password. ‌‌ The encryption key for that is
                preserved but re-encrypted along with other sensitive data
                when you change your password.

                reply to this | link to this | view in chronology ]

              • icon
                Someone asdf (profile), 30 May 2017 @ 11:26am

                Re:

                This is wrong, and shows a basic misunderstanding about how encryption works (especially Public-Private key pairs).

                What most OSes do when encrypting is that it generates a key. This key does not normally change and is transparent to the user. The password you use encrypts this key and only this key. This way, you can grant other users access to your files (and the system / root user) in a multiuser system without giving or remembering your password.

                When you change a password, it simply decrypts the key, and re-encrpyts it. Only the new encrypted key is written to the hard drive - nothing else needs to be changed.


                With your method, you need to write the old password/key down somewhere should the system be restarted during the rewrite -- this leaves a MASSIVE security issue as a full drive rewrite of 100s of GB will take at least 30-60 minutes.

                reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 27 May 2017 @ 5:14am

          Re: Re: Re: Technical question about phone security

          Well, gosh, you made a false statement of fact when you wrote "If they did, then you could not easily and rapidly change the password, because the encrypted data would have to be rewritten." Considering your defense of Samsung's dishonesty, I'm guessing you were possibly being both dishonest and ignorant.

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 27 May 2017 @ 6:52am

            Re: Re: Re: Re: Technical question about phone security

            No, nothing was false, I was stating the obvious. When you encrypt data with a key, the data then requires THAT KEY to be decrypted. If you change the key, the old encrypted data needs to be read, and the new encrypted data, produced with the new key, needs to be written. That is what I meant about "the encrypted data would have to be rewritten". Hello? Are you with me?

            reply to this | link to this | view in chronology ]

            • identicon
              Anonymous Coward, 27 May 2017 @ 7:10am

              Re: Re: Re: Re: Re: Technical question about phone security

              Seems I was right. You seem to be both ignorant and dishonest.

              reply to this | link to this | view in chronology ]

              • icon
                William Braunfeld (profile), 28 May 2017 @ 12:52pm

                Re: Re: Re: Re: Re: Re: Technical question about phone security

                Dude. Deep breaths. You are not helping anyone by being this hostile.
                Ignorant should not be an insult, and someone asking questions is not being WILLFULLY ignorant. Being polite and respectful in correcting them goes a long way.
                Also, opinions are opinions. You can disagree with them without calling the other person a liar. Yes, he was mistaken on this; insulting people when they ask for clarification is only going to make them mistaken *and* stubborn about it.

                reply to this | link to this | view in chronology ]

              • icon
                Alasdair Fox (profile), 29 May 2017 @ 6:47am

                Re: Re: Re: Re: Re: Re: Technical question about phone security

                Perhaps a better approach might be to inform and educate the other person as to why they were being 'ignorant'. This would then have the effect of removing the alleged ignorance, while also enlightening other readers, who may also be 'ignorant'.

                This would also have the added bonus of making you look less like:
                a) a person who is also ignorant, but wants to appear not to be so.

                b) a person who wants others to remain ignorant, so that they can be smugly superior to others who have a perceived lesser knowledge of the subject.

                c) an inflammatory trolling asshole.

                d) any or all of the above.

                reply to this | link to this | view in chronology ]

      • icon
        Someone asdf (profile), 30 May 2017 @ 11:28am

        Re: Re: Technical question about phone security

        So which products do you use?

        You better not have an idevice, as their lawyers literally say that their advertising is bullshit and you shouldn't believe anything they say.

        Google "No reasonable person would believe our advertisements". It'll autocomplete with the full sentence about halfway typing that.

        reply to this | link to this | view in chronology ]

    • icon
      Mark Murphy (profile), 27 May 2017 @ 9:06am

      Re: Technical question about phone security

      There is no "encryption at rest" on phones, right?

      Yes, there is.

      Android devices have offered full-disk encryption since Android 4.2 or thereabouts, though the implementation prior to Android 5.0 sucked. Full-disk encryption is opt-out starting with Android 7.0, meaning that Android devices are encrypted unless the user takes steps to disable that.

      I forget the state of iOS, as that's not my area of expertise, but I am under the impression that full-disk encryption is the norm on newer versions of iOS.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 28 May 2017 @ 12:52am

        Re: Re: Technical question about phone security

        Interesting, thanks. Pretty surprising the phones are so much more intelligent than disk drives or storage arrays.

        reply to this | link to this | view in chronology ]

        • icon
          William Braunfeld (profile), 28 May 2017 @ 12:56pm

          Re: Re: Re: Technical question about phone security

          To be fair, that's kind of a nonsense comparison. It'd make more sense to compare a phone to a computer, not a dosc drive; the programs on the phone encrypt the data, as does a standing-encryption program on a computer. A disc drive is only part of a computer, just as memory is only part of a phone.

          Dunno if that made sense, but I tried XD

          reply to this | link to this | view in chronology ]

  • icon
    K`Tetch (profile), 26 May 2017 @ 11:10pm

    facial recognition flaws

    I tried facial recognition for a time, as a test, on a samsung tablet.

    You know why I stopped? It's because my daughter unlocked it.

    Sure, people say 'looks like you just spit her out', but I'm a man in my mid-30s with a beard, she was a pre-pubescent girl of 9 with long hair.

    It's like samsung wasn't even trying.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 27 May 2017 @ 2:23am

      Re: facial recognition flaws

      Well, if you don't like the product, why not just buy something else? 'Let the buyer beware', as we say in America.

      reply to this | link to this | view in chronology ]

      • icon
        Eldakka (profile), 28 May 2017 @ 5:32pm

        Re: Re: facial recognition flaws

        Because since all the advertising for the product and paid product placement touts how good all that security is, you don't know until after you've already purchased it that there are issues.

        And, depending on how 'into' phones you are, setting up a new phone - especially if changing manufacturer as well - can be a large effort. So if you discover these flaws in a $700+ phone after you've spent a couple weeks faffing about with it to set it up just right, well, I can understand not wanting to replace it (assuming you can get some sort of decent warranty/exchange) outside a normal (1-3 years depending on the person) upgrade cycle.

        reply to this | link to this | view in chronology ]

        • icon
          Someone asdf (profile), 30 May 2017 @ 11:45am

          Re: Re: Re: facial recognition flaws

          The library near me has a 3d printer that anyone can use.

          This renders all fingerprint scanners vulnerable and I don't even have to pay a cent!

          Tell me which company has a disclaimer on their website that it's not secure.


          Also, Samsung never said Facial Recognition was secure -- setting it up actually warns you that it isn't.


          The warning is somewhat overblown and it's actually safer than fingerprints. Fingers prints you leave everywhere, especially on the surface of the phone. As a malicious attacker, I have everything I need just by stealing the phone.

          Iris scanner? Requires a good picture with a decent camera. If they don't take a good picture, they're screwed as you're gone.


          Airtight? Maybe not, and should be correected. However, other companies seem to get a free pass for their marketing...

          reply to this | link to this | view in chronology ]

      • icon
        K`Tetch (profile), 30 May 2017 @ 2:00pm

        Re: Re: facial recognition flaws

        Well, You might have money to throw around on products, hundreds of dollars every few weeks when something happens.
        I don't (I have teenagers)

        I never expected it to be the most reliable, but when a completely different person can unlock it, the facial recognition was not fit for purpose.

        I still use the tablet, but only with the passcode (which unlike my face, fingerprint or iris, requires the product of my mind, and not my body ('the coma standard')

        reply to this | link to this | view in chronology ]

  • identicon
    Avideogameplayer, 27 May 2017 @ 2:32am

    I C what Samsung did thar...

    reply to this | link to this | view in chronology ]

  • icon
    Not an Electronic Rodent (profile), 27 May 2017 @ 3:52am

    Big helping of "Nope!"

    For biometrics generally, a good pin number is probably still your best bet. The tech may improve to the point of being the most effective option some day, but we're not there yet.

    There's a fundamental flaw in using biometrics for security that doesn't seem to get talked about as much as the breakability, and I can't see how it would ever be overcome (Except in part by the sensible current practice of using the biometric as part of security not the whole):

    The flaw is in the "trusted ID". E.g. for a credit card, the "trusted" part of the ID - the thing that makes it worth your money - is the 16-digit number on the front. If the number is compromised by fraud, it's rendered invalid, they issue you a new one and, "hey, presto!", trusted again.

    If your biometric is your security and it's compromised, how can it (i.e. you) ever be re-trusted? And if an "unbreakable" biometric security method is developed that seems to stand up comes along, well that just means it will be used for more and more secure and valuable things making it worth putting more money into trying to crack it until it inevitably is.

    Nope, think I'll stick with the PIN.

    reply to this | link to this | view in chronology ]

    • icon
      techflaws (profile), 27 May 2017 @ 9:54pm

      Re: Big helping of "Nope!"

      > There's a fundamental flaw in using biometrics for security
      > that doesn't seem to get talked about as much as the
      > breakability

      Right, and that's the fact that you can change your password but can't change your fingerprint or Iris.

      reply to this | link to this | view in chronology ]

      • icon
        Not an Electronic Rodent (profile), 28 May 2017 @ 1:12pm

        Re: Re: Big helping of "Nope!"

        Right, and that's the fact that you can change your password but can't change your fingerprint or Iris.

        Thanks for the TL;DR version :-)

        reply to this | link to this | view in chronology ]

  • icon
    DarkKnight (profile), 27 May 2017 @ 4:03am

    Both a fingerprint reader and iris scanner are less effective than a pin code. Someone (or a couple of people) can force you to open your eyes, look at the phone, and that iris scanner will unlock it, or place your finger on the figure print reader and unlock it. If the wrong pin code is typed in enough times, the phone could be wiped, so I'll be sticking with a pin code and avoiding fingerprint readers and iris scanners. No thanks.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 May 2017 @ 6:18am

    They do this to get your biometric data, not for security reasons.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 May 2017 @ 1:38pm

    Biometrics shouldn't be the password, they should be the username. IE: The thing that's secret shouldn't be the thing you cannot change.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 May 2017 @ 6:56pm

    They most certainly do this to get your biometric data, not for security reasons. Princeton Identity is an offshoot of DARPA-funded Sarnoff, which developed Iris on the Move tech decades ago to track "interesting people".

    reply to this | link to this | view in chronology ]

  • identicon
    Maharashtra Land Records, 28 May 2017 @ 10:56pm

    Maharashtra Land Records

    for more information visit my website

    reply to this | link to this | view in chronology ]

  • icon
    K`Tetch (profile), 31 May 2017 @ 2:22pm

    facial recognition flaws

    I tried facial recognition for a time, as a test, on a samsung tablet.

    You know why I stopped? It's because my daughter unlocked it.

    Sure, people say 'looks like you just spit her out', but I'm a man in my mid-30s with a beard, she was a pre-pubescent girl of 9 with long hair.

    It's like samsung wasn't even trying.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.