1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
|
title: Chaos Computer Clubs breaks iris recognition system of the Samsung Galaxy S8
date: 2017-05-22 22:24:00
updated: 2017-05-24 15:30:12
author: 46halbe
tags: update, pressemitteilung
Biometric authentication systems – again – don’t deliver on their security promise: The iris recognition system of the new Samsung Galaxy S8 was successfully defeated by hackers of the Chaos Computer Club (CCC). A video demonstrates how the simple technique works.
<!-- TEASER_END -->
The Samsung Galaxy S8 is the first flagship smartphone with iris
recognition. The manufacturer of the biometric solution is the company
Princeton Identity Inc. The system promises secure individual user
authentication by using the unique pattern of the human iris.
A new test conducted by CCC hackers shows that this promise cannot be
kept: With a simple to make dummy-eye the phone can be fooled into
believing that it sees the eye of the legitimate owner. A video shows
the simplicity of the method. \[0\]
Iris recognition may be barely sufficient to protect a phone against
complete strangers unlocking it. But whoever has a photo of the
legitimate owner can trivially unlock the phone. „If you value the data
on your phone – and possibly want to even use it for payment – using the
traditional PIN-protection is a safer approach than using body features
for authentication“, says Dirk Engling, spokesperson for the CCC.
Samsung announced integration of their iris recognition authentication
with its payment system „Samsung Pay“. A successful attacker gets access
not only to the phone’s data, but also the owner’s mobile wallet.
Iris recognition in general is about to break into the mass market:
Access control systems, also at airports and borders, mobile phones, the
inevitable IoT devices, even payment solutions and VR systems are being
equipped with the technology. But biometric authentication does not
fulfill the advertised security promises.
CCC member and biometrics security researcher starbug has demonstrated
time and again how easily biometrics can be defeated with his hacks on
fingerprint authentication systems – most recently with his successful
defeat of the fingerprint sensor „Touch ID“ on Apple’s iPhone. \[1\]
„The security risk to the user from iris recognition is even bigger than
with fingerprints as we expose our irises a lot. Under some
circumstances, a high-resolution picture from the internet is sufficient
to capture an iris“, Dirk Engling remarked.
But it is not sufficient to not upload selfies to the internet: The
easiest way for a thief to capture iris pictures is with a digital
camera in night-shot mode or the infrared filter removed. In the
infrared light spectrum – usually filtered in cameras – the fine,
normally hard to distinguish details of the iris of dark eyes are well
recognizable. Starbug was able to demonstrate that a good digital camera
with 200mm-lens at a distance of up to five meters is sufficient to
capture suitably good pictures to fool iris recognition systems. \[2\]
Depending on the picture quality, brightness and contrast might need to
be adjusted. If all structures are well visible, the iris picture is
printed on a laser printer. Ironically, we got the best results with
laser printers made by Samsung. To emulate the curvature of a real eye’s
surface, a normal contact lens is placed on top of the print. This
successfully fools the iris recognition system into acting as though the
real eye were in front of the camera.
The by far most expensive part of the iris biometry hack was the
purchase of the Galaxy S8 smartphone. Rumor has it that the next
generation iPhone will also come with iris recognition unlock. We will
keep you posted.
**Update May 24, 5:00pm:** Sebastian of Verbraucherzentrale Sachsen has
demonstrated a similar attack in a video dated May 15 \[3\].
Congratulations!
**Links**:
\[0\] Video [in English](https://media.ccc.de/v/biometrie-s8-iris-en)
(HD), also [in German](https://media.ccc.de/v/biometrie-s8-iris-fun)
\[1\] [Chaos Computer Club breaks Apple
TouchID](/en/updates/2013/ccc-breaks-apple-touchid)
\[2\] Video (in German): [Ich sehe, also bin ich … Du – Gefahren von
Kameras für (biometrische)
Authentifizierungsverfahren](https://media.ccc.de/v/31c3_-_6450_-_de_-_saal_1_-_201412272030_-_ich_sehe_also_bin_ich_du_-_starbug)
\[3\] Video by Verbraucherzentrale Sachsen: [Let's Setup Together:
Samsung Galaxy S8: Wie sicher sind die biometrischen
Funktionen?](https://www.youtube.com/watch?v=Gbiyr7beAuo)
|