A photo of a person's eye taken at a medium distance is more than enough to trick a Samsung Galaxy S8 smartphone, according to researchers from the Chaos Computer Club (CCC).
Samsung added the iris scanner authentication feature with the release of the Galaxy Note 7 model, launched last year, but the feature was hardly used as the company was forced to recall Galaxy Note 7 handsets due to faulty batteries that kept catching fire out of the blue.
Arguably, it is the company's latest line of flagship products where this feature will be really tested and used by most of its customers.
Launched on March 29, the Galaxy S8 model is Samsung's most advanced product to date, featuring multiple biometrics authentication systems on top of the classic pattern and PIN locking systems. This includes a fingerprint scanner, a facial recognition system, and an iris scanner.
According to research published today, it took a CCC researcher less than two months to break the latter.
The researcher, Jan “Starbug” Krissler, realized that by taking a photo of a phone owner's face, an attacker with physical access to the device would be able to unlock the phone just by printing the photo on paper and holding it in front of the phone's front camera.
But there's a trick to the attack. Modern iris scanners (and facial recognition systems) are programmed to use image depth in order to distinguish between (2D) photos and a human's real (3D) eye.
Krissler bypassed this hurdle by gluing a contact lens on top of the image depicting the eye. This created a round surface on top of the iris photo, which was more than enough to trick the phone.
To get the best results, Krissler recommends that users take photos using a camera's night-shot mode, as it captures iris details better for individuals with darker eye colors.
Ironically, Krissler also said he achieved the best results when he printed the iris photos using a Samsung laser printer.
According to the researcher, "a good digital camera with 200mm-lens at a distance of up to five meters is sufficient to capture suitably good pictures to fool iris recognition systems."
The attack is worrisome on different levels. First off, Samsung announced the iris scanner feature would also be used to approve payments sent via Samsung Pay. The attack announced today not only endangers data stored on the phone but also funds stored in the user's Samsung Pay wallet.
Second, many users who opt to use the iris scanner are inherently at risk because photos of someone's iris — or face, for that matter — are incredibly easy to come by in an age when everybody shares high-quality photos on a regular basis.
For now, experts from the Chaos Computer Club recommend that users continue to use classic PIN-based authentication systems. Below is a video showing a step-by-step guide to how the iris scanner bypass works.
The researcher behind this attack has a long history of hacking biometrics systems.
Krissler is the same person that two years ago had successfully bypassed the biometric security of Apple's Touch ID (fingerprint authentication) system.
In the same year, the researcher also bypassed Panasonic's Authenticam BM-ET200 iris recognition technology, using nothing more than images he obtained from Google Image Search.
In late 2014, Krissler achieved his biggest hack after he created a clone thumbprint of the German Defense Minister just by photographing her hand at a press conference.
Earlier this year, Spanish phone expert MarcianoTech bypassed the Galaxy S8 facial recognition system two days after Samsung launched the phone. MarcianoTech bypassed the facial recognition scanner by using a photo of his face stored on another smartphone.
If someone finds a way to bypass the Samsung Galaxy S8 fingerprint scanner in the following weeks, Samsung should just scrap its entire biometric authentication system and start from scratch for its next flagship smartphone series.