Biometric authentication systems – again – don’t deliver on their security promise: The iris recognition system of the new Samsung Galaxy S8 was successfully defeated by hackers of the Chaos Computer Club (CCC). A video demonstrates how the simple technique works.

The Samsung Galaxy S8 is the first flagship smartphone with iris recognition. The manufacturer of the biometric solution is the company Princeton Identity Inc. The system promises secure individual user authentication by using the unique pattern of the human iris.

A new test conducted by CCC hackers shows that this promise cannot be kept: With a simple-to-make dummy eye, the phone can be fooled into believing that it sees the eye of the legitimate owner. A video shows the simplicity of the method. [0]

Iris recognition may be barely sufficient to protect a phone against complete strangers unlocking it. But whoever has a photo of the legitimate owner can trivially unlock the phone. "If you value the data on your phone – and possibly want to even use it for payment – using the traditional PIN protection is a safer approach than using body features for authentication", says Dirk Engling, spokesperson for the CCC. Samsung has announced the integration of its iris recognition authentication with its payment system "Samsung Pay". A successful attacker thus gets access not only to the phone's data, but also to the owner's mobile wallet.

Iris recognition in general is about to break into the mass market: Access control systems, also at airports and borders, mobile phones, the inevitable IoT devices, even payment solutions and VR systems are being equipped with the technology. But biometric authentication does not fulfill the advertised security promises.

CCC member and biometrics security researcher starbug has demonstrated time and again how easily biometrics can be defeated with his hacks on fingerprint authentication systems – most recently with his successful defeat of the fingerprint sensor "Touch ID" on Apple's iPhone. [1] "The security risk to the user from iris recognition is even bigger than with fingerprints, as we expose our irises a lot. Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris", Dirk Engling remarked.

Not uploading selfies to the internet is not enough, however: The easiest way for a thief to capture iris pictures is with a digital camera in night-shot mode or with its infrared filter removed. In the infrared spectrum – which cameras usually filter out – the fine details of dark irises, normally hard to distinguish, become clearly visible. Starbug was able to demonstrate that a good digital camera with a 200 mm lens at a distance of up to five meters is sufficient to capture pictures good enough to fool iris recognition systems. [2]

Depending on the picture quality, brightness and contrast might need to be adjusted. Once all structures are clearly visible, the iris picture is printed on a laser printer. Ironically, we got the best results with laser printers made by Samsung. To emulate the curvature of a real eye's surface, a normal contact lens is placed on top of the print. This successfully fools the iris recognition system into acting as though the real eye were in front of the camera.

By far the most expensive part of the iris biometry hack was the purchase of the Galaxy S8 smartphone. Rumor has it that the next-generation iPhone will also come with iris recognition unlock. We will keep you posted.

Links:

[0] Video in English (HD), also in German

[1] Chaos Computer Club breaks Apple TouchID

[2] Video (in German): "Ich sehe, also bin ich … Du – Gefahren von Kameras für (biometrische) Authentifizierungsverfahren" ("I see, therefore I am … you – dangers of cameras for (biometric) authentication methods")