Fooling Samsung Galaxy S8 Iris Recognition
We have a love-hate relationship with biometric ID. After all, it looks so amazing when the hero in a sci-fi movie enters the restricted-access area after having his hand and iris scanned. But that’s about the best you can say about biometric security. It’s conceptually flawed in a bunch of ways, and nearly every implementation we’ve seen gets broken sooner or later.
Case in point: prolific anti-biometry hacker [starbug] and a group of pals at the Berlin CCC are able to authenticate to the “Samsung Pay” payment system through the iris scanner. The video, embedded below, shows you how: take a picture of the target’s eye, print it out, and hold it up to the phone. That was hard!
Sarcasm aside, the iris sensor uses IR to recognize patterns in your eye, so [starbug] and Co. had to use a cam with night vision mode. A contact lens placed over the photo completes the illusion — we’re guessing it gets the reflections from room lighting right. No etching fingerprint patterns into copper, no conductive gel — just a printout and a contact lens.
We’ve ranted about the insecurity of fingerprints before: they’re not a good secret, they’re irrevocable, and they’re hard to store securely. And on top of these conceptual problems, they’re quite spoofable, as [starbug] and lots of others have shown, going way back.
So why do we still use them? Fingerprint readers and iris scanners are “good enough” security, and they’re fun to hack around with. Should you add one to your project for grins? Absolutely. Should you require your citizenry to use them for authentication, or use them for real security? We wouldn’t.
Video: http://cdn.media.ccc.de/contributors/berlin/biometrie/h264-hd/biometrie-11-eng-Hacking_the_Samsung_Galaxy_S8_Irisscanner_hd.mp4
Thanks [mbln] for the tip!