Samsung’s iris recognition tech hacked using fake eye
24 May 2017
The iris recognition system of the Samsung Galaxy 8 was defeated by the Chaos Computer Club (CCC) simply by using a dummy eye.
Manufactured by Princeton Identity, the new Samsung is the first smartphone with iris recognition. It promises secure individual user authentication by using the unique pattern of the human eye.
CCC conducted a test showing that, with a dummy eye, the phone can be fooled into thinking that it sees the eye of the legitimate owner. The technology may be sufficient to protect a phone against complete strangers, but whoever has a photo of the legitimate owner can unlock the phone.
“If you value the data on your phone – and possibly want to even use it for payment – using the traditional PIN-protection is a safer approach than using body features for authentication”, says Dirk Engling, spokesperson for the CCC. Using the iris technology in conjunction with Samsung Pay means a hacker can gain access not only to the phone’s data but also to the owner’s mobile wallet.
CCC member and biometrics security researcher starbug has demonstrated time and again how easily biometrics can be defeated with his hacks on fingerprint authentication systems – most recently with his successful defeat of the fingerprint sensor “Touch ID” on Apple’s iPhone. “The security risk to the user from iris recognition is even bigger than with fingerprints as we expose our irises a lot. Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris”, Dirk Engling remarked.
According to CCC, the easiest way for a thief to capture iris pictures is with a digital camera in night-shot mode or with the infrared filter removed. In the infrared light spectrum – usually filtered out in cameras – the fine, normally hard-to-distinguish details of the iris of dark eyes are clearly recognisable. Starbug was able to demonstrate that a good digital camera with a 200mm lens at a distance of up to five meters is sufficient to capture pictures good enough to fool iris recognition systems. Depending on the picture quality, brightness and contrast might need to be adjusted. If all structures are clearly visible, the iris picture is printed on a laser printer. Ironically, CCC got the best results with laser printers made by Samsung. To emulate the curvature of a real eye’s surface, a normal contact lens is placed on top of the print. This successfully fools the iris recognition system into acting as though the real eye were in front of the camera.
Materials provided by Chaos Computer Club (CCC)