Samsung Galaxy S8 Iris Recognition Cracked

Security experts claim to have cracked the iris recognition system on the new Samsung Galaxy S8 smartphone, using just a digital camera and a contact lens.

Chaos Computer Club (CCC) hackers explained in a video how easy it was to fool the biometric scanning system in the top-end device.

They claimed the security risks associated with iris recognition are much greater than fingerprints because users tend to expose their eyes more often.

The researchers managed to fool the system by taking a photo of the target using the night mode of a digital camera, making the details of the iris clearer on the image.

They claimed a good camera with a 200mm lens at a distance of up to five meters would do the trick.

They then printed out the image using a laser printer and placed a contact lens on top to simulate the curvature of an eye. Ironically, Samsung printers produced the best results, CCC said.

Samsung has raised the stakes for its biometric authentication system by linking it to Samsung Pay, meaning hackers with a digital image of the user’s eye could access their mobile wallet as well as their on-device data and online accounts.

“If you value the data on your phone – and possibly want to even use it for payment – using the traditional PIN-protection is a safer approach than using body features for authentication,” explained Dirk Engling, spokesperson for the CCC.

The S8 is one of the first major handset models around to incorporate iris recognition, in this instance supplied by Princeton Identity, as an additional option to supplement passwords/PINs.

However, it will be back to the drawing board now, according to Alex Mathews, lead security evangelist at Positive Technologies.

“Any new high-profile security technology, such as the biometrics on the Samsung, are like a red rag to a bull for the cybersecurity community. It invites curious minds to try and figure out where vulnerabilities lie – so they can be fixed,” he explained.

“Doubtless the security teams at Samsung will take this report into account when developing the next iterations of such technology. This is why the relationship between the cybersecurity research community and manufacturers is so valuable.”

This is by no means the first phone-based biometric system to be cracked by researchers. In fact, CCC were the first to claim the scalp of Apple’s TouchID fingerprint scanner several years ago.
