A group of hackers was able to defeat the iris scanner in the Samsung Galaxy S8 smartphone using relatively common supplies, creating concerns that biometric logins may not be as foolproof a security measure as once believed.
The German hacking collective Chaos Computer Club revealed Monday it was able to gain access to a user’s Galaxy S8 with a MacGyver-like solution that involved using a point-and-shoot camera, laser printer and contact lens.
Chaos Computer Club completed the hack by taking a photo of a target from about 15 feet. The group took that photo, zoomed in on the target’s eye and printed the image with a laser printer made, fittingly, by Samsung.
Finally, the group took the printout of the eye and placed it atop the surface of the contact lens to replicate the curvature of an actual eyeball. When the makeshift eye was held up to the Samsung smartphone, the device unlocked as if the owner was looking into the iris scanner.
“The by far most expensive part of the iris biometry hack was the purchase of the Galaxy S8 smartphone,” the group said in a blog post.
“The security risk to the user from iris recognition is even bigger than with fingerprints as we expose our irises a lot,” said Dirk Engling, the spokesman for Chaos Computer Club. “Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris.”
Hacking the Galaxy S8’s iris scanner is not the group’s first foray into breaking biometric systems. Chaos Computer Club also defeated the fingerprint scanner in the iPhone 5S by using photos of fingerprints photographed from glass surfaces.
In both cases, the hacks are relatively novel and would require a targeted effort to pull off, but present challenges to the belief that biometric security measures offer a safer alternative to passwords.
Biometrics have started to take hold as a password alternative, be it the fingerprint scanner found in iPhones and other smartphones or the iris scanner found in the Galaxy S8 and a number of other upcoming handsets — including rumors the iPhone 8 may include such a sensor. Other options, like selfies and face scans, also have been implemented by companies like Mastercard and Alibaba.
Biometrics are moving beyond mobile, as well. Apple has added its Touch ID fingerprint sensor to the latest series of MacBooks, and companies like Samsung and LG have started experimenting with retinal scanners and facial recognition tools that would allow a user to log in just by looking at a device’s camera. Even government agencies have started adding face scans as security checks.
As these methods of login continue to come to market, it’s important for companies to ensure they are taking precautions to make sure they cannot be cracked. Samsung, in particular, has already had problems with this: In 2015, it was discovered the company was storing fingerprint data in a way that made it easy for a hacker or malicious software to gain access to it.
Without taking proper precautions to protect user biometric data, fingerprints and eyes are no more secure than a password, even if they require more effort to hack.