diff options
author | 46halbe <46halbe@berlin.ccc.de> | 2017-05-23 08:58:56 +0000 |
---|---|---|
committer | 46halbe <46halbe@berlin.ccc.de> | 2020-05-23 13:40:02 +0000 |
commit | 53b1a292e843726ed1c55723c00ea6a89c486dd5 (patch) | |
tree | 05524943b6fac32d6592102b7db25d752b836f8f | |
parent | 66b1b20f338c36e8d3f0b19372a8c9db9bcf1a62 (diff) |
committing page revision 1
-rw-r--r-- | updates/2017/iriden.en.md | 80 |
1 files changed, 80 insertions, 0 deletions
diff --git a/updates/2017/iriden.en.md b/updates/2017/iriden.en.md new file mode 100644 index 00000000..fdb2d212 --- /dev/null +++ b/updates/2017/iriden.en.md | |||
@@ -0,0 +1,80 @@ | |||
1 | title: Chaos Computer Clubs breaks iris recognition system of the Samsung Galaxy S8 | ||
2 | date: 2017-05-22 22:24:00 | ||
3 | updated: 2017-05-23 08:58:56 | ||
4 | author: 46halbe | ||
5 | tags: update, pressemitteilung | ||
6 | |||
7 | Biometric authentication systems – again – don’t deliver on their security promise: The iris recognition system of the new Samsung Galaxy S8 was successfully defeated by hackers of the Chaos Computer Club (CCC). A video demonstrates how the simple technique works. | ||
8 | |||
9 | <!-- TEASER_END --> | ||
10 | |||
11 | The Samsung Galaxy S8 is the first flagship smartphone with iris | ||
12 | recognition. The manufacturer of the biometric solution is the company | ||
13 | Princeton Identity Inc. The system promises secure individual user | ||
14 | authentication by using the unique pattern of the human iris. | ||
15 | |||
16 | A new test conducted by CCC hackers shows that this promise cannot be | ||
17 | kept: With a simple to make dummy-eye the phone can be fooled into | ||
18 | believing that it sees the eye of the legitimate owner. A video shows | ||
19 | the simplicity of the method. \[0\] | ||
20 | |||
21 | Iris recognition may be barely sufficient to protect a phone against | ||
22 | complete strangers unlocking it. But whoever has a photo of the | ||
23 | legitimate owner can trivially unlock the phone. „If you value the data | ||
24 | on your phone – and possibly want to even use it for payment – using the | ||
25 | traditional PIN-protection is a safer approach than using body features | ||
26 | for authentication“, says Dirk Engling, spokesperson for the CCC. | ||
27 | Samsung announced integration of their iris recognition authentication | ||
28 | with its payment system „Samsung Pay“. A successful attacker gets access | ||
29 | not only to the phone’s data, but also the owner’s mobile wallet. | ||
30 | |||
31 | Iris recognition in general is about to break into the mass market: | ||
32 | Access control systems, also at airports and borders, mobile phones, the | ||
33 | inevitable IoT devices, even payment solutions and VR systems are being | ||
34 | equipped with the technology. But biometric authentication does not | ||
35 | fulfill the advertised security promises. | ||
36 | |||
37 | CCC member and biometrics security researcher starbug has demonstrated | ||
38 | time and again how easily biometrics can be defeated with his hacks on | ||
39 | fingerprint authentication systems – most recently with his successful | ||
40 | defeat of the fingerprint sensor „Touch ID“ on Apple’s iPhone. \[1\] | ||
41 | „The security risk to the user from iris recognition is even bigger than | ||
42 | with fingerprints as we expose our irises a lot. Under some | ||
43 | circumstances, a high-resolution picture from the internet is sufficient | ||
44 | to capture an iris“, Dirk Engling remarked. | ||
45 | |||
46 | But it is not sufficient to not upload selfies to the internet: The | ||
47 | easiest way for a thief to capture iris pictures is with a digital | ||
48 | camera in night-shot mode or the infrared filter removed. In the | ||
49 | infrared light spectrum – usually filtered in cameras – the fine, | ||
50 | normally hard to distinguish details of the iris of dark eyes are well | ||
51 | recognizable. Starbug was able to demonstrate that a good digital camera | ||
52 | with 200mm-lens at a distance of up to five meters is sufficient to | ||
53 | capture suitably good pictures to fool iris recognition systems. \[2\] | ||
54 | |||
55 | Depending on the picture quality, brightness and contrast might need to | ||
56 | be adjusted. If all structures are well visible, the iris picture is | ||
57 | printed on a laser printer. Ironically, we got the best results with | ||
58 | laser printers made by Samsung. To emulate the curvature of a real eye’s | ||
59 | surface, a normal contact lens is placed on top of the print. This | ||
60 | successfully fools the iris recognition system into acting as though the | ||
61 | real eye were in front of the camera. | ||
62 | |||
63 | The by far most expensive part of the iris biometry hack was the | ||
64 | purchase of the Galaxy S8 smartphone. Rumor has it that the next | ||
65 | generation iPhone will also come with iris recognition unlock. We will | ||
66 | keep you posted. | ||
67 | |||
68 | **Links**: | ||
69 | |||
70 | \[0\] Video [in | ||
71 | English](http://live.ber.c3voc.de/releases/biometrie/11-hd.mp4) (HD), | ||
72 | also on [media.ccc.de](https://media.ccc.de/v/biometrie-s8-iris-en), | ||
73 | more Videos [in German](http://live.ber.c3voc.de/releases/biometrie/) | ||
74 | |||
75 | \[1\] [Chaos Computer Club breaks Apple | ||
76 | TouchID](/en/updates/2013/ccc-breaks-apple-touchid) | ||
77 | |||
78 | \[2\] Video (in German): [Ich sehe, also bin ich … Du – Gefahren von | ||
79 | Kameras für (biometrische) | ||
80 | Authentifizierungsverfahren](https://media.ccc.de/v/31c3_-_6450_-_de_-_saal_1_-_201412272030_-_ich_sehe_also_bin_ich_du_-_starbug) | ||