
Samsung S8 Iris Scanner may not be quite as secure...

Well, in a strange turn of events where if you give someone a challenge, they'll find a way around it, a researcher with the Chaos Computer Club has found a way to fool the Iris Scanner on the Samsung S8... It would appear that this process involves getting a good resolution photo of the person's face/eye, printing it off on paper and gluing a contact lens on top of the eye. According to the Bleeping Computer Article:

https://www.bleepingcomputer.com/news/security/samsung-galaxy-s8-iris-scanner-fooled-by-a-photo/

Quote

Launched on March 29, the Galaxy S8 model is Samsung's most advanced product to date, featuring multiple biometrics authentication systems on top of the classic pattern and PIN locking systems. This includes a fingerprint scanner, a facial recognition system, and an iris scanner.

 

According to research published today, it took a CCC researcher less than two months to break the latter.

 

Named Jan “Starbug” Krissler, this CCC researcher realized that by taking a photo of a phone owner's face, an attacker with physical access to the device would be able to unlock the phone just by printing the photo on paper and flashing it in front of the phone's front camera.

 

But there's a trick to the attack. Modern iris scanners (and facial recognition systems) are programmed to use image depth in order to distinguish between (2D) photos and a human's real (3D) eye.

 

Krissler bypassed this hurdle by gluing a contact lens on top of the image depicting the eye. This created a round surface on top of the iris photo, which was more than enough to trick the phone.

 

To get the best results, Krissler recommends that users take photos using a camera's night-shot mode, as it captures iris details better for individuals with darker eye colors.

 

Ironically, Krissler also said he achieved the best results when he printed the iris photos using a Samsung laser printer.

 

According to the researcher, "a good digital camera with 200mm-lens at a distance of up to five meters is sufficient to capture suitably good pictures to fool iris recognition systems."

So in addition to the facial recognition not being quite as up to par as was previously reported by @GoodBytes, it now appears that the Iris Scanner can be fooled.  In my opinion, this is a good reason to have multi-factor identification on hand, including something that you have to have memorized, as it is a lot harder to read or spoof your memory...  

 

 


9 minutes ago, WMGroomAK said:

Well, in a strange turn of events where if you give someone a challenge, they'll find a way around it, a researcher with the Chaos Computer Club has found a way to fool the Iris Scanner on the Samsung S8... It would appear that this process involves getting a good resolution photo of the person's face/eye, printing it off on paper and gluing a contact lens on top of the eye. According to the Bleeping Computer Article:

https://www.bleepingcomputer.com/news/security/samsung-galaxy-s8-iris-scanner-fooled-by-a-photo/

So in addition to the facial recognition not being quite as up to par as was previously reported by @GoodBytes, it now appears that the Iris Scanner can be fooled.  In my opinion, this is a good reason to have multi-factor identification on hand, including something that you have to have memorized, as it is a lot harder to read or spoof your memory...  

 

 

no offense but u know if this info can be used to bypass s8 security why put it online i mean people can look at this info and might actually try to steal s8's to try to unlock without paying any money i don't know why people do this if u find some trick or hack keep it to yourself


Welp DNA scanners next


Just now, CyberFerno said:

no offense but u know if this info can be used to bypass s8 security why put it online i mean people can look at this info and might actually try to steal s8's to try to unlock without paying any money i don't know why people do this if u find some trick or hack keep it to yourself

Generally it's not public knowledge or he or they let Samsung know. If they don't respond within 5 days of contact you are technically allowed to release the bug to further public knowledge on the security of their devices. :)


2 minutes ago, Nikolithebear said:

Generally it's not public knowledge or he or they let Samsung know. If they don't respond within 5 days of contact you are technically allowed to release the bug to further public knowledge on the security of their devices. :)

but 99% of the time, people don't try this one person found out how to unlock an iphone without the passcode so he went ooh yes people will watch a video on this and i'll get views so let's make a video on this and post it


Just now, CyberFerno said:

but 99% of the time, people don't try this one person found out how to unlock an iphone without the passcode so he went ooh yes people will watch a video on this and i'll get views so let's make a video on this and post it

Making this public, and making a video can be for personal gain and make them be as you'd say "Unethical" however this still puts the error in the light of day and allows others to decide to either lock their phones with a thumb print or just a passcode. Also if and more of when Samsung sees this they'll fix it.  I understand what you're getting at but you're not seeing the full picture. 


1 minute ago, Nikolithebear said:

Making this public, and making a video can be for personal gain and make them be as you'd say "Unethical" however this still puts the error in the light of day and allows others to decide to either lock their phones with a thumb print or just a passcode. Also if and more of when Samsung sees this they'll fix it.  I understand what you're getting at but you're not seeing the full picture. 

oh alright


It took this guy 2 months to figure this out?  This sounds like something Mythbusters would have tried in the first hour.

 

Also, good luck getting a high enough resolution image of someone's eye for this to work.


1 hour ago, AnonymousGuy said:

It took this guy 2 months to figure this out?  This sounds like something Mythbusters would have tried in the first hour.

 

Also, good luck getting a high enough resolution image of someone's eye for this to work.

really? a 350$ DSLR shoots at over 5k and can easily get the res needed. 


6 hours ago, WMGroomAK said:

t this process involves getting a good resolution photo of the persons face/eye, printing it off on paper and gluing a contact lens on top of the eye.  

Boy, that sounded like an episode of Mr. Bean trying to break in through the security system


i'm just sitting here with my nexus 5x running Android O and thinking, yea....i won't be upgrading for a long time.....


Since we're talking about the safety of authentication methods, I would like to point out, if I'm not wrong that there doesn't seem to be a single reported case where the second gen touch ID of iPhone 6S and later phones being spoofed.

 

It would be impressive if the first method that they used to trick 5S and 6 didn't work, even though it was pretty cumbersome method, to begin with 


2 hours ago, AnonymousGuy said:

Also, good luck getting a high enough resolution image of someone's eye for this to work.

 

7 hours ago, WMGroomAK said:

According to the researcher, "a good digital camera with 200mm-lens at a distance of up to five meters is sufficient to capture suitably good pictures to fool iris recognition systems."

They covered that part. Not easy but not hard either.


20 minutes ago, RedRound2 said:

Since we're talking about the safety of authentication methods, I would like to point out, if I'm not wrong that there doesn't seem to be a single reported case where the second gen touch ID of iPhone 6S and later phones being spoofed.

 

It would be impressive if the first method that they used to trick 5S and 6 didn't work, even though it was pretty cumbersome method, to begin with 

Because the TouchID sensor also reads underneath the skin, not just the top layer. That's why it's very hard to fool it with something like a silicon finger or something.


Ah, consumer grade biometrics for experienced penetrators are like butter vs axe when their will to discover a flaw is endless.

 

Professional ones more than likely are miles better than what you get on a phone built for people.


9 hours ago, CyberFerno said:

no offense but u know if this info can be used to bypass s8 security why put it online i mean people can look at this info and might actually try to steal s8's to try to unlock without paying any money i don't know why people do this if u find some trick or hack keep it to yourself

because security by obscurity is bad. other hackers and other people with bad intentions will find this flaw, it's their income to do so. would you rather only have them know it?


7 hours ago, lots of unexplainable lag said:

Because the TouchID sensor also reads underneath the skin, not just the top layer. That's why it's very hard to fool it with something like a silicon finger or something.

Well, then it's pretty secure. As far as I see we iris scanner seems to be a step backwards when we already have something proven and equally if not more convenient. 


10 hours ago, AnonymousGuy said:

It took this guy 2 months to figure this out?  This sounds like something Mythbusters would have tried in the first hour.

 

Also, good luck getting a high enough resolution image of someone's eye for this to work.

Probably more like it took two months to get the method working. Probably a lot of trial and error. I don't think it took two months to come up with the idea - or at least I would hope not.


I use fingerprint along with pattern though. Have S6 and funny how iris and face recognition gets passed so easily.


15 hours ago, Being Delirious said:

I feel like you can trick any of these Iris Cameras. Not just Samsung.

Windows Hello? Not at the moment, at least as far as I'm concerned.

 

8 hours ago, RedRound2 said:

Since we're talking about the safety of authentication methods, I would like to point out, if I'm not wrong that there doesn't seem to be a single reported case where the second gen touch ID of iPhone 6S and later phones being spoofed.

 

It would be impressive if the first method that they used to trick 5S and 6 didn't work, even though it was pretty cumbersome method, to begin with 

There are methods to spoof Touch ID but it requires the actual finger of the person. 

 


15 hours ago, Billy_Mays said:

Welp DNA scanners next

I'm not buying a phone that needs a spit sample to unlock


digital identification is easy to break since it's all pattern recognition. if you can simulate the pattern you break it. same as face recognition and fingerprint. so yeah, you want true security, it will be a sensor that takes a live sample from your body, fresh blood, tissue, spit etc.
