Samsung wants you to think that the iris scan technology on its new flagship phone, the Galaxy S8, is unbeatable. But it should surprise no one who pays attention to the security world that this is not the case. In fact, Samsung’s new iris scanner is very easy to trick.
A security researcher at the Chaos Computer Club in Berlin recently pulled off the feat with nothing but a camera, a contact lens, and a printer. To do it, Jan “Starbug” Krissler simply used the night mode setting on a Sony digital camera to capture an image of his buddy’s eyes. (Using night mode or removing a camera’s infrared filter makes it easier to capture the iris pattern details in people with dark eyes.) Then, using a Samsung printer, he printed out a life-size image of one eye and glued a contact lens to the picture to provide depth. Sure enough, the Galaxy S8 iris scanner didn’t know the difference between this art project and the phone owner’s actual eye. One second later, the hacker had gained full access to the phone, including Samsung Pay.
This sounds scary, but consider the caveats. A hacker would have to be determined as hell—and probably sort of a weirdo—to gain access to your data by spoofing your iris. There are many ways to hack a smartphone after all, including tricking the finger print scanner or the facial recognition software. Starbug is actually famous for bypassing Apple’s Touch ID fingerprint scanner 48 hours after its release, while another hacker reportedly tricked the Galaxy S8's facial recognition software with a photo on the same day that Samsung released the device.
But let’s just assume this iris scanner trick is a last resort. Even though Starbug’s method is simple, a hacker would still need to get relatively close to the victim’s face to snap a clear photo of their eyeball. (Starbug says it’s possible from as far as 15 feet.) Then, there’s the whole printing situation, which would be limited by the quality of any given printer. (Ironically, Starbug found the best results with a Samsung printer.) And then, the hacker would need physical access to the device.
Would any reasonable hacker go through all these steps, when it’s likely possible to steal your data more easily? Surely not. Is Samsung full of shit when it says that irises “are virtually impossible to replicate” and that “iris authentication is one of the safest ways to keep your phone locked and the contents private?” Absolutely, and the company probably knows it.
This isn’t even the first time that Samsung’s been called out for a vulnerable iris scanner. Starbug himself managed to trick some common iris scanner technology made by Panasonic using nothing but a Google image search and a printer. This led many experts to worry about the security of the Iris Scanner on the Galaxy Note 7. Then again, the Note 7 had much bigger problems than a crappy iris scanner. The iris scanner on the Galaxy S8 is made by a company called Princeton Identity Inc., however, not Panasonic.
It’s unclear if Samsung knows about the iris scanner vulnerability or what it plans to do—if anything. We’ve reached out to Samsung and will update this post when we hear back. In the meantime, don’t assume that your new Galaxy S8 is impenetrable. Hackers probably won’t be trying to break into your phone through the iris scanner, but news that they can brings us back to the one great truth of the security world: Nothing is impenetrable.
Update 2:20pm EST - Samsung sent us the following statement:
We are aware of the issue, but we would like to assure our customers that the iris scanning technology in the Galaxy S8 has been developed through rigorous testing to provide a high level of accuracy and prevent attempts to compromise its security, such as images of a person’s iris. If there is a potential vulnerability or the advent of a new method that challenges our efforts to ensure security at any time, we will respond as quickly as possible to resolve the issue.