summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
author46halbe <46halbe@berlin.ccc.de>2017-05-23 08:58:56 +0000
committer46halbe <46halbe@berlin.ccc.de>2020-05-23 13:40:02 +0000
commit53b1a292e843726ed1c55723c00ea6a89c486dd5 (patch)
tree05524943b6fac32d6592102b7db25d752b836f8f
parent66b1b20f338c36e8d3f0b19372a8c9db9bcf1a62 (diff)
committing page revision 1
-rw-r--r--updates/2017/iriden.en.md80
1 files changed, 80 insertions, 0 deletions
diff --git a/updates/2017/iriden.en.md b/updates/2017/iriden.en.md
new file mode 100644
index 00000000..fdb2d212
--- /dev/null
+++ b/updates/2017/iriden.en.md
@@ -0,0 +1,80 @@
1title: Chaos Computer Clubs breaks iris recognition system of the Samsung Galaxy S8
2date: 2017-05-22 22:24:00
3updated: 2017-05-23 08:58:56
4author: 46halbe
5tags: update, pressemitteilung
6
7Biometric authentication systems – again – don’t deliver on their security promise: The iris recognition system of the new Samsung Galaxy S8 was successfully defeated by hackers of the Chaos Computer Club (CCC). A video demonstrates how the simple technique works.
8
9<!-- TEASER_END -->
10
11The Samsung Galaxy S8 is the first flagship smartphone with iris
12recognition. The manufacturer of the biometric solution is the company
13Princeton Identity Inc. The system promises secure individual user
14authentication by using the unique pattern of the human iris.
15
16A new test conducted by CCC hackers shows that this promise cannot be
17kept: With a simple to make dummy-eye the phone can be fooled into
18believing that it sees the eye of the legitimate owner. A video shows
19the simplicity of the method. \[0\]
20
21Iris recognition may be barely sufficient to protect a phone against
22complete strangers unlocking it. But whoever has a photo of the
23legitimate owner can trivially unlock the phone. „If you value the data
24on your phone – and possibly want to even use it for payment – using the
25traditional PIN-protection is a safer approach than using body features
26for authentication“, says Dirk Engling, spokesperson for the CCC.
27Samsung announced integration of their iris recognition authentication
28with its payment system „Samsung Pay“. A successful attacker gets access
29not only to the phone’s data, but also the owner’s mobile wallet.
30
31Iris recognition in general is about to break into the mass market:
32Access control systems, also at airports and borders, mobile phones, the
33inevitable IoT devices, even payment solutions and VR systems are being
34equipped with the technology. But biometric authentication does not
35fulfill the advertised security promises.
36
37CCC member and biometrics security researcher starbug has demonstrated
38time and again how easily biometrics can be defeated with his hacks on
39fingerprint authentication systems – most recently with his successful
40defeat of the fingerprint sensor „Touch ID“ on Apple’s iPhone. \[1\]
41„The security risk to the user from iris recognition is even bigger than
42with fingerprints as we expose our irises a lot. Under some
43circumstances, a high-resolution picture from the internet is sufficient
44to capture an iris“, Dirk Engling remarked.
45
46But it is not sufficient to not upload selfies to the internet: The
47easiest way for a thief to capture iris pictures is with a digital
48camera in night-shot mode or the infrared filter removed. In the
49infrared light spectrum – usually filtered in cameras – the fine,
50normally hard to distinguish details of the iris of dark eyes are well
51recognizable. Starbug was able to demonstrate that a good digital camera
52with 200mm-lens at a distance of up to five meters is sufficient to
53capture suitably good pictures to fool iris recognition systems. \[2\]
54
55Depending on the picture quality, brightness and contrast might need to
56be adjusted. If all structures are well visible, the iris picture is
57printed on a laser printer. Ironically, we got the best results with
58laser printers made by Samsung. To emulate the curvature of a real eye’s
59surface, a normal contact lens is placed on top of the print. This
60successfully fools the iris recognition system into acting as though the
61real eye were in front of the camera.
62
63The by far most expensive part of the iris biometry hack was the
64purchase of the Galaxy S8 smartphone. Rumor has it that the next
65generation iPhone will also come with iris recognition unlock. We will
66keep you posted.
67
68**Links**:
69
70\[0\] Video [in
71English](http://live.ber.c3voc.de/releases/biometrie/11-hd.mp4) (HD),
72also on [media.ccc.de](https://media.ccc.de/v/biometrie-s8-iris-en),
73more Videos [in German](http://live.ber.c3voc.de/releases/biometrie/)
74
75\[1\] [Chaos Computer Club breaks Apple
76TouchID](/en/updates/2013/ccc-breaks-apple-touchid)
77
78\[2\] Video (in German): [Ich sehe, also bin ich … Du – Gefahren von
79Kameras für (biometrische)
80Authentifizierungsverfahren](https://media.ccc.de/v/31c3_-_6450_-_de_-_saal_1_-_201412272030_-_ich_sehe_also_bin_ich_du_-_starbug)