WHY THIS MATTERS IN BRIEF
Biometric security systems are awesome, until they’re hacked, and increasingly companies and individuals are finding that their latest and greatest biometric security systems are easier to hack than the password systems they replaced.
Criminals know you love taking selfies, and they love your selfies too – especially the ones where you’re holding your fingers up in a victory sign. They also love the fact that your photos are good enough quality for them to print out a high definition print of your eyes and fingerprints. And they especially love the fact that these alone are good enough to help them unlock all of your biometric protected stuff and gadgets.
I love your new galaxy smartphone by the way – great cat wallpaper.
In yet another stab in the back for biometric security hackers have published details of a method to break the iris based authentication in Samsung’s shiny new Galaxy S8 that involves the use of a number of basic, everyday items.
Published by German whitehat hacking group Chaos Computer Club (CCC), the hack involves the use of a digital camera, a laser printer, with Samsung models, ironically, working best, and a simple everyday contact lens.
To bypass the Iris scanning feature, they use a digital camera to take a picture of a phone owner’s face and print it out on the laser printer. The contact lens is then placed on top of the face to mimic an actual iris, held in front of the phone and bingo – the Galaxy S8 unlocks.
Whoohoo! By the way – I deleted all your cat videos. Sorry it was a mistake – honest!
While the hack is fairly simple, there are some provisos in its implementation, including, obviously, making sure the quality of the photo is good enough to capture the details of the iris.
When it was first introduced Samsung’s iris scanning feature, which is powered by a biometric scanner manufactured by Princeton Identity, promised to be an easier way for users to unlock their phones, and when the Galaxy S8 launched, Samsung said it offered “one of the safest ways to keep your phone locked.”
“Iris recognition may be barely sufficient to protect a phone against complete strangers unlocking it. But whoever has a photo of the legitimate owner can easily unlock the phone,” said CCC spokesman Dirk, “if you value the data on your phone – and possibly want to even use it for payment – using the traditional PIN protection is a safer approach than using body features for authentication.”
While the Galaxy S8 does offer fingerprint scanning as an alternative to iris scanning, and no one yet has published a way to hack it, fingerprint scanners themselves have already been shown to be vulnerable to duping which is why companies are now busy creating ultrasound based fingerprint scanners that move away from today’s more basic electro-sensitive scanners.
That said though, with new hacks and technologies such as Adobe Voco and LyreBird, which can copy and reproduce your voice print with just a minutes worth of audio, for example, off of YouTube, and new fingerprint and ‘Photo morph’ hacks that fool facial recognition systems I think some of today’s biometric security companies need to go back to the corner of the room and get back to the drawing board.