How to Beat an Iris Scanner

Wednesday, May 24, 2017 @ 09:05 AM gHale


Iris recognition is the wave of the future when it comes to security verification – or so we thought.

That is because researchers at Germany’s Chaos Computer Club (CCC) figured out a way to beat the iris recognition system on Samsung’s Galaxy S8 smartphones.

RELATED STORIES
Smartphone Programs Earn DHS Funding
Defense from Tainted Mobile Devices
Kaspersky Starts Threat Intelligence Portal
Exploit Attacks Growing, More Effective

The Samsung Galaxy S8 has several biometrics-based authentication systems, including face recognition, a fingerprint scanner, and an iris scanner.

The iris authentication, which allows users to unlock their device and authorize payments, is advertised by Samsung as “one of the safest ways to keep your phone locked.”

While an individual’s iris is unique, CCC researchers found a way to whip Samsung’s iris scanner by showing it a picture of the victim’s eye. It’s worth noting that members of the CCC were the first to bypass Apple’s fingerprint-based Touch ID system in 2013.

There are multiple ways to obtain iris data, including from high-resolution pictures posted by users on the Internet. Another method is to take a picture of the targeted individual’s eye using a digital camera with night-shot mode or the infrared filter disabled.

Researchers showed a camera with a 200mm lens can capture a usable picture of the iris from up to 16 feet away.

“In the infrared light spectrum – usually filtered in cameras – the fine, normally hard to distinguish details of the iris of dark eyes are well recognizable,” the CCC said in a blog post. “Depending on the picture quality, brightness and contrast might need to be adjusted.”

Once the picture of the iris has been obtained, it can be printed out using a laser printer. The last step is to place a contact lens on top of the print to mimic the curvature of a real eye. Placing the photo in front of the Galaxy S8’s iris scanner successfully unlocks the device.



Leave a Reply

You must be logged in to post a comment.