From 53b1a292e843726ed1c55723c00ea6a89c486dd5 Mon Sep 17 00:00:00 2001 From: 46halbe <46halbe@berlin.ccc.de> Date: Tue, 23 May 2017 08:58:56 +0000 Subject: committing page revision 1 --- updates/2017/iriden.en.md | 80 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 updates/2017/iriden.en.md diff --git a/updates/2017/iriden.en.md b/updates/2017/iriden.en.md new file mode 100644 index 00000000..fdb2d212 --- /dev/null +++ b/updates/2017/iriden.en.md 
@@ -0,0 +1,80 @@ +title: Chaos Computer Clubs breaks iris recognition system of the Samsung Galaxy S8 +date: 2017-05-22 22:24:00 +updated: 2017-05-23 08:58:56 +author: 46halbe +tags: update, pressemitteilung + +Biometric authentication systems – again – don’t deliver on their security promise: The iris recognition system of the new Samsung Galaxy S8 was successfully defeated by hackers of the Chaos Computer Club (CCC). A video demonstrates how the simple technique works. + + + +The Samsung Galaxy S8 is the first flagship smartphone with iris +recognition. The manufacturer of the biometric solution is the company +Princeton Identity Inc. The system promises secure individual user +authentication by using the unique pattern of the human iris. + +A new test conducted by CCC hackers shows that this promise cannot be +kept: With a simple to make dummy-eye the phone can be fooled into +believing that it sees the eye of the legitimate owner. A video shows +the simplicity of the method. \[0\] + +Iris recognition may be barely sufficient to protect a phone against +complete strangers unlocking it. But whoever has a photo of the +legitimate owner can trivially unlock the phone. „If you value the data +on your phone – and possibly want to even use it for payment – using the +traditional PIN-protection is a safer approach than using body features +for authentication“, says Dirk Engling, spokesperson for the CCC. +Samsung announced integration of their iris recognition authentication +with its payment system „Samsung Pay“. A successful attacker gets access +not only to the phone’s data, but also the owner’s mobile wallet. + +Iris recognition in general is about to break into the mass market: +Access control systems, also at airports and borders, mobile phones, the +inevitable IoT devices, even payment solutions and VR systems are being +equipped with the technology. But biometric authentication does not +fulfill the advertised security promises. 
+ +CCC member and biometrics security researcher starbug has demonstrated +time and again how easily biometrics can be defeated with his hacks on +fingerprint authentication systems – most recently with his successful +defeat of the fingerprint sensor „Touch ID“ on Apple’s iPhone. \[1\] +„The security risk to the user from iris recognition is even bigger than +with fingerprints as we expose our irises a lot. Under some +circumstances, a high-resolution picture from the internet is sufficient +to capture an iris“, Dirk Engling remarked. + +But it is not sufficient to not upload selfies to the internet: The +easiest way for a thief to capture iris pictures is with a digital +camera in night-shot mode or the infrared filter removed. In the +infrared light spectrum – usually filtered in cameras – the fine, +normally hard to distinguish details of the iris of dark eyes are well +recognizable. Starbug was able to demonstrate that a good digital camera +with 200mm-lens at a distance of up to five meters is sufficient to +capture suitably good pictures to fool iris recognition systems. \[2\] + +Depending on the picture quality, brightness and contrast might need to +be adjusted. If all structures are well visible, the iris picture is +printed on a laser printer. Ironically, we got the best results with +laser printers made by Samsung. To emulate the curvature of a real eye’s +surface, a normal contact lens is placed on top of the print. This +successfully fools the iris recognition system into acting as though the +real eye were in front of the camera. + +The by far most expensive part of the iris biometry hack was the +purchase of the Galaxy S8 smartphone. Rumor has it that the next +generation iPhone will also come with iris recognition unlock. We will +keep you posted. 
+ +**Links**: + +\[0\] Video [in +English](http://live.ber.c3voc.de/releases/biometrie/11-hd.mp4) (HD), +also on [media.ccc.de](https://media.ccc.de/v/biometrie-s8-iris-en), +more Videos [in German](http://live.ber.c3voc.de/releases/biometrie/) + +\[1\] [Chaos Computer Club breaks Apple +TouchID](/en/updates/2013/ccc-breaks-apple-touchid) + +\[2\] Video (in German): [Ich sehe, also bin ich … Du – Gefahren von +Kameras für (biometrische) +Authentifizierungsverfahren](https://media.ccc.de/v/31c3_-_6450_-_de_-_saal_1_-_201412272030_-_ich_sehe_also_bin_ich_du_-_starbug) -- cgit v1.2.3
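Review bot: The `title:` line in the front matter reads "Chaos Computer Clubs breaks iris recognition system ...", which should be "Chaos Computer Club breaks ..." to match the name used in the first paragraph and in the link text under \[1\]; the title is what gets shown in listings, so it is worth fixing in this revision. In the Links block, both live.ber.c3voc.de URLs under \[0\] use http:// while the media.ccc.de links use https://; if that host serves TLS, switch them so the video is not fetched over an unauthenticated channel. Smaller style points in the body: the English text keeps German quotation marks („ … “) around the Dirk Engling quotes, "Samsung Pay" and "Touch ID"; "more Videos" should be lowercase; and "in night-shot mode or the infrared filter removed" reads better as "or with the infrared filter removed".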