committing page revision 1

author: 46halbe <46halbe@berlin.ccc.de> 2017-05-23 08:58:56 +0000
committer: 46halbe <46halbe@berlin.ccc.de> 2020-05-23 13:40:02 +0000
commit: 53b1a292e843726ed1c55723c00ea6a89c486dd5 (patch)
tree: 05524943b6fac32d6592102b7db25d752b836f8f /updates/2017
parent: 66b1b20f338c36e8d3f0b19372a8c9db9bcf1a62 (diff)
1 files changed, 80 insertions, 0 deletions
diff --git a/updates/2017/iriden.en.md b/updates/2017/iriden.en.md
new file mode 100644
index 00000000..fdb2d212
--- /dev/null
+++ b/updates/2017/iriden.en.md
@@ -0,0 +1,80 @@
+title: Chaos Computer Clubs breaks iris recognition system of the Samsung Galaxy S8
+date: 2017-05-22 22:24:00 
+updated: 2017-05-23 08:58:56 
+author: 46halbe
+tags: update, pressemitteilung
+Biometric authentication systems – again – don’t deliver on their security promise: The iris recognition system of the new Samsung Galaxy S8 was successfully defeated by hackers of the Chaos Computer Club (CCC). A video demonstrates how the simple technique works.
+<!-- TEASER_END -->
+The Samsung Galaxy S8 is the first flagship smartphone with iris
+recognition. The manufacturer of the biometric solution is the company
+Princeton Identity Inc. The system promises secure individual user
+authentication by using the unique pattern of the human iris.
+A new test conducted by CCC hackers shows that this promise cannot be
+kept: With a simple to make dummy-eye the phone can be fooled into
+believing that it sees the eye of the legitimate owner. A video shows
+the simplicity of the method. \[0\]
+Iris recognition may be barely sufficient to protect a phone against
+complete strangers unlocking it. But whoever has a photo of the
+legitimate owner can trivially unlock the phone. „If you value the data
+on your phone – and possibly want to even use it for payment – using the
+traditional PIN-protection is a safer approach than using body features
+for authentication“, says Dirk Engling, spokesperson for the CCC.
+Samsung announced integration of their iris recognition authentication
+with its payment system „Samsung Pay“. A successful attacker gets access
+not only to the phone’s data, but also the owner’s mobile wallet.
+Iris recognition in general is about to break into the mass market:
+Access control systems, also at airports and borders, mobile phones, the
+inevitable IoT devices, even payment solutions and VR systems are being
+equipped with the technology. But biometric authentication does not
+fulfill the advertised security promises.
+CCC member and biometrics security researcher starbug has demonstrated
+time and again how easily biometrics can be defeated with his hacks on
+fingerprint authentication systems – most recently with his successful
+defeat of the fingerprint sensor „Touch ID“ on Apple’s iPhone. \[1\]
+„The security risk to the user from iris recognition is even bigger than
+with fingerprints as we expose our irises a lot. Under some
+circumstances, a high-resolution picture from the internet is sufficient
+to capture an iris“, Dirk Engling remarked.
+But it is not sufficient to not upload selfies to the internet: The
+easiest way for a thief to capture iris pictures is with a digital
+camera in night-shot mode or the infrared filter removed. In the
+infrared light spectrum – usually filtered in cameras – the fine,
+normally hard to distinguish details of the iris of dark eyes are well
+recognizable. Starbug was able to demonstrate that a good digital camera
+with 200mm-lens at a distance of up to five meters is sufficient to
+capture suitably good pictures to fool iris recognition systems. \[2\]
+Depending on the picture quality, brightness and contrast might need to
+be adjusted. If all structures are well visible, the iris picture is
+printed on a laser printer. Ironically, we got the best results with
+laser printers made by Samsung. To emulate the curvature of a real eye’s
+surface, a normal contact lens is placed on top of the print. This
+successfully fools the iris recognition system into acting as though the
+real eye were in front of the camera.
+The by far most expensive part of the iris biometry hack was the
+purchase of the Galaxy S8 smartphone. Rumor has it that the next
+generation iPhone will also come with iris recognition unlock. We will
+keep you posted.
+**Links**:
+\[0\] Video [in
+English](http://live.ber.c3voc.de/releases/biometrie/11-hd.mp4) (HD),
+also on [media.ccc.de](https://media.ccc.de/v/biometrie-s8-iris-en),
+more Videos [in German](http://live.ber.c3voc.de/releases/biometrie/)
+\[1\] [Chaos Computer Club breaks Apple
+TouchID](/en/updates/2013/ccc-breaks-apple-touchid)
+\[2\] Video (in German): [Ich sehe, also bin ich … Du – Gefahren von
+Kameras für (biometrische)
+Authentifizierungsverfahren](https://media.ccc.de/v/31c3_-_6450_-_de_-_saal_1_-_201412272030_-_ich_sehe_also_bin_ich_du_-_starbug)
author	46halbe <46halbe@berlin.ccc.de>	2017-05-23 08:58:56 +0000
committer	46halbe <46halbe@berlin.ccc.de>	2020-05-23 13:40:02 +0000
commit	53b1a292e843726ed1c55723c00ea6a89c486dd5 (patch)
tree	05524943b6fac32d6592102b7db25d752b836f8f /updates/2017
parent	66b1b20f338c36e8d3f0b19372a8c9db9bcf1a62 (diff)

diff --git a/updates/2017/iriden.en.md b/updates/2017/iriden.en.md new file mode 100644 index 00000000..fdb2d212 --- /dev/null +++ b/updates/2017/iriden.en.md
@@ -0,0 +1,80 @@
	1	title: Chaos Computer Clubs breaks iris recognition system of the Samsung Galaxy S8
	2	date: 2017-05-22 22:24:00
	3	updated: 2017-05-23 08:58:56
	4	author: 46halbe
	5	tags: update, pressemitteilung
	6
	7	Biometric authentication systems – again – don’t deliver on their security promise: The iris recognition system of the new Samsung Galaxy S8 was successfully defeated by hackers of the Chaos Computer Club (CCC). A video demonstrates how the simple technique works.
	8
	9	<!-- TEASER_END -->
	10
	11	The Samsung Galaxy S8 is the first flagship smartphone with iris
	12	recognition. The manufacturer of the biometric solution is the company
	13	Princeton Identity Inc. The system promises secure individual user
	14	authentication by using the unique pattern of the human iris.
	15
	16	A new test conducted by CCC hackers shows that this promise cannot be
	17	kept: With a simple to make dummy-eye the phone can be fooled into
	18	believing that it sees the eye of the legitimate owner. A video shows
	19	the simplicity of the method. \[0\]
	20
	21	Iris recognition may be barely sufficient to protect a phone against
	22	complete strangers unlocking it. But whoever has a photo of the
	23	legitimate owner can trivially unlock the phone. „If you value the data
	24	on your phone – and possibly want to even use it for payment – using the
	25	traditional PIN-protection is a safer approach than using body features
	26	for authentication“, says Dirk Engling, spokesperson for the CCC.
	27	Samsung announced integration of their iris recognition authentication
	28	with its payment system „Samsung Pay“. A successful attacker gets access
	29	not only to the phone’s data, but also the owner’s mobile wallet.
	30
	31	Iris recognition in general is about to break into the mass market:
	32	Access control systems, also at airports and borders, mobile phones, the
	33	inevitable IoT devices, even payment solutions and VR systems are being
	34	equipped with the technology. But biometric authentication does not
	35	fulfill the advertised security promises.
	36
	37	CCC member and biometrics security researcher starbug has demonstrated
	38	time and again how easily biometrics can be defeated with his hacks on
	39	fingerprint authentication systems – most recently with his successful
	40	defeat of the fingerprint sensor „Touch ID“ on Apple’s iPhone. \[1\]
	41	„The security risk to the user from iris recognition is even bigger than
	42	with fingerprints as we expose our irises a lot. Under some
	43	circumstances, a high-resolution picture from the internet is sufficient
	44	to capture an iris“, Dirk Engling remarked.
	45
	46	But it is not sufficient to not upload selfies to the internet: The
	47	easiest way for a thief to capture iris pictures is with a digital
	48	camera in night-shot mode or the infrared filter removed. In the
	49	infrared light spectrum – usually filtered in cameras – the fine,
	50	normally hard to distinguish details of the iris of dark eyes are well
	51	recognizable. Starbug was able to demonstrate that a good digital camera
	52	with 200mm-lens at a distance of up to five meters is sufficient to
	53	capture suitably good pictures to fool iris recognition systems. \[2\]
	54
	55	Depending on the picture quality, brightness and contrast might need to
	56	be adjusted. If all structures are well visible, the iris picture is
	57	printed on a laser printer. Ironically, we got the best results with
	58	laser printers made by Samsung. To emulate the curvature of a real eye’s
	59	surface, a normal contact lens is placed on top of the print. This
	60	successfully fools the iris recognition system into acting as though the
	61	real eye were in front of the camera.
	62
	63	The by far most expensive part of the iris biometry hack was the
	64	purchase of the Galaxy S8 smartphone. Rumor has it that the next
	65	generation iPhone will also come with iris recognition unlock. We will
	66	keep you posted.
	67
	68	Links:
	69
	70	\[0\] Video [in
	71	English](http://live.ber.c3voc.de/releases/biometrie/11-hd.mp4) (HD),
	72	also on [media.ccc.de](https://media.ccc.de/v/biometrie-s8-iris-en),
	73	more Videos [in German](http://live.ber.c3voc.de/releases/biometrie/)
	74
	75	\[1\] [Chaos Computer Club breaks Apple
	76	TouchID](/en/updates/2013/ccc-breaks-apple-touchid)
	77
	78	\[2\] Video (in German): [Ich sehe, also bin ich … Du – Gefahren von
	79	Kameras für (biometrische)
	80	Authentifizierungsverfahren](https://media.ccc.de/v/31c3_-_6450_-_de_-_saal_1_-_201412272030_-_ich_sehe_also_bin_ich_du_-_starbug)