
Samsung’s iris recognition tech hacked using fake eye

24 May 2017

The iris recognition system of the Samsung Galaxy 8 was defeated by the Chaos Computer Club (CCC) simply by using a dummy eye.

To emulate the curvature of a real eye’s surface, a normal contact lens is placed on top of the print. This successfully fools the iris recognition system into acting as though the real eye were in front of the camera. (Credit: CCC)

Manufactured by Princeton Identity, the new Samsung is the first smartphone with iris recognition. It promises secure individual user authentication by using the unique pattern of the human eye.

CCC conducted a test showing that, using a dummy eye, the phone can be fooled into thinking that it sees the eye of the legitimate owner. The technology may be sufficient to protect a phone against complete strangers, but whoever has a photo of the legitimate owner can unlock the phone.

“If you value the data on your phone – and possibly want to even use it for payment – using the traditional PIN-protection is a safer approach than using body features for authentication”, says Dirk Engling, spokesperson for the CCC. Using the iris technology in conjunction with Samsung Pay means a hacker can gain access not only to the phone’s data but also to the owner’s mobile wallet.

CCC member and biometrics security researcher starbug has demonstrated time and again how easily biometrics can be defeated with his hacks on fingerprint authentication systems – most recently with his successful defeat of the fingerprint sensor “Touch ID” on Apple’s iPhone. “The security risk to the user from iris recognition is even bigger than with fingerprints as we expose our irises a lot. Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris”, Dirk Engling remarked.

According to CCC, the easiest way for a thief to capture iris pictures is with a digital camera in night-shot mode or with the infrared filter removed. In the infrared light spectrum – usually filtered in cameras – the fine, normally hard to distinguish details of the iris of dark eyes are well recognisable. Starbug was able to demonstrate that a good digital camera with 200mm lens at a distance of up to five meters is sufficient to capture suitably good pictures to fool iris recognition systems. Depending on the picture quality, brightness and contrast might need to be adjusted. If all structures are well visible, the iris picture is printed on a laser printer. Ironically, CCC got the best results with laser printers made by Samsung. To emulate the curvature of a real eye’s surface, a normal contact lens is placed on top of the print. This successfully fools the iris recognition system into acting as though the real eye were in front of the camera.

Materials provided by Chaos Computer Club (CCC)

