May 24, 2017 weblog
CCC members show iris recognition bypass using photo, contact lens
(Tech Xplore)—Mobile vendors have turned to novel biometric ways to unlock smartphones. Now iris recognition joins the biometric family, the idea being that the user looks at the phone and an iris scanner unlocks it.
Samsung said this about an option for iris scans on its site: "The patterns in your irises are unique to you and are virtually impossible to replicate, meaning iris authentication is one of the safest ways to keep your phone locked and the contents private."
(Samsung's instructions, for example, read: "Hold up your Galaxy S8 or S8+ and align your eyes with the twin circles on-screen to scan your irises. Your phone is unlocked with a look.")
Well, members of the Chaos Computer Club might have something to say. News coming from numerous tech sites this week is that the German computer club came up with the ingredients of a recipe for fooling the iris scanner and opening a phone. The not so magical ingredients were a digital photograph, an office printer and a contact lens.
Hackers tricked the Galaxy S8's iris scanner with those tools.
At the center of the feat was the artificial eye – "which is made using just a printer and a contact lens to match the curvature of the eye," said The Guardian. Using pictures of the owner's eye you can make an artificial eye, said Alex Hern, technology reporter, with "a digital photograph taken in night mode" working best.
The BBC paid attention to the feat too and said the researcher set up the phone's security by registering a volunteer's eyes using the S8 iris scanner. They took a photograph of a volunteer's eyes, using a digital camera with an infra-red night vision setting.
After printing, the researcher placed a contact lens over the photograph. (The lens is to replicate an eye's curvature.)
Anyway, what is the big deal if few people use iris scanning? Is it really used that much in place of traditional pass codes or fingerprints?
Ask PhoneArena and you might be surprised. The number is not enormous, but it is ample. In a poll asking people how often they use the S8 iris scanner, 28 percent said they did almost always and 28.99 percent said they used the fingerprint almost exclusively.
The CCC's revelation of a hack heightened discussion about iris scanning, but Brian Reigh in Android Authority offered this reminder, that "it's important to note that the CCC's test was done in a perfectly controlled environment, meaning the likelihood of someone being able to capture your irises with a camera and stealing your Galaxy S8 device is quite low."
What is more, let us not forget other wins by hackers in stealing users' PINs or fooling fingerprint scanners.
Business Insider reminded readers what has been done, or rather undone, in the phone hacking arena, such as fingerprint-fooling feats by researchers at Michigan State University using special paper and, in 2013, the CCC's demonstration of a fingerprint sensor hack.
Reigh said, "so the bottom line is that in theory, any security protection is susceptible to malicious hacking. We just need to be careful when using password or biometric protection..."
Samsung, meanwhile, issued a response to the recent Galaxy S8 smartphone hack.
"We are aware of the issue, but we would like to assure our customers that the iris scanning technology in the Galaxy S8 has been developed through rigorous testing to provide a high level of accuracy and prevent attempts to compromise its security, such as images of a person's iris. If there is a potential vulnerability or the advent of a new method that challenges our efforts to ensure security at any time, we will respond as quickly as possible to resolve the issue."
© 2017 Tech Xplore