Well, that didn’t take long. Samsung’s Galaxy S8 flagship smartphone has been out for only a month and its iris scanning biometric security feature has already been hacked. The Chaos Computer Club figured out how to trick the iris recognition technology, and it was surprisingly simple.
The Galaxy S8’s iris recognition is touted as a great alternative to tapping out an unlock passcode, and it lets you authenticate for credit card transactions through Samsung Pay—the company’s version of Apple Pay. It’s also apparently great at letting anyone who can snap a photo of your eye into your phone so they can rack up credit card charges through Samsung Pay.
The CCC defeated the Galaxy S8’s iris recognition by snapping a photo of someone’s eye using a smartphone camera in night shot mode—and they didn’t even need to be close to the subject. The image quality from shots taken as far away as 16 feet using a nice digital camera worked just fine, too.
Next, they adjusted the image so the iris was about actual size and printed it on a laser printer. Ironically, they got the best print quality from Samsung’s own models. They placed a regular contact lens over the iris print, and that was more than enough to trick the S8’s recognition system.
The CCC said, “By far the most expensive part of the iris biometry hack was the purchase of the Galaxy S8 smartphone.”
Samsung’s Galaxy S8 has already been declared the most breakable smartphone ever, and now its biometric security seems pretty weak at best—so it’s hackable and crackable. But at least it looks nice.
CCC spokesperson Dirk Engling offered up some advice for Galaxy S8 owners, saying,
“If you value the data on your phone—and possibly want to even use it for payment—using the traditional PIN-protection is a safer approach than using body features for authentication.”
I did a little online shopping to see how much it costs to hack the S8’s iris recognition, including buying the very phone you’re going to hack. It just seemed right to use the Galaxy S8 to hack the Galaxy S8.
- Samsung Galaxy S8 smartphone (for a selfie of your eye, and to hack): $738
- Samsung Xpress color laser printer (to print out the iris photograph): $115
- Contact lens: about $3
- Schadenfreude from bypassing the S8’s biometric security: priceless
Of course, if the iPhone 8 includes iris recognition that turns out to be as easy to hack, I’ll be eating some serious digital crow. Until then, here’s the CCC’s video showing the hack in action. It’s crazy how simple it is.