German Hackers Use Contact Lens to Circumvent Samsung Galaxy S8 Iris Scan Feature

What was supposed to be an extra layer of security for users of Samsung’s Galaxy S8 phones has turned out to be an outright vulnerability. German researchers have hacked the iris-scanning feature on the device using a point-and-shoot camera, a printer and a contact lens. The hack can be replicated by anyone with the same resources and determination.

A video published by Chaos Computer Club shows how the biometric feature can be circumvented by taking an infrared photo of the owner’s face, cropping out the eye portion, printing it and placing a contact lens over the printed image to simulate the curvature of the eye. Without fail, the phone is duped into recognizing the dummy image as the real owner, and unlocks its contents for the hacker.

“For those who love the data on their phones or who even think they want to pay with their phone, they are better off using the proven PIN code protection instead of their own personal characteristics,” said Dirk Engling, spokesman for the CCC (Google translation). “Samsung plans to integrate iris recognition into its ‘Samsung Pay’ payment system. This allows attackers not only to get access to the phone, but also to the wallet.”

“The safety risk is even greater in the iris than in fingerprints,” Engling added, “as the biometric feature displayed is more exposed. In the simplest case, a high-resolution image from the Internet is enough to capture images from the iris.”

The S8 is the first flagship phone equipped with iris recognition for unlocking the device. Other vendors, including Apple with its upcoming iPhone 8, are expected to introduce the biometric unlock feature as well.

Since Apple’s introduction of Touch ID with the iPhone 5S, hackers have been having a blast bypassing the fingerprint recognition systems now on almost all high-end smartphones. It seems the 4-digit PIN code is still the best way to keep a phone’s contents safe from prying eyes.
