Hackers Can Unlock Samsung's Galaxy S8 Using Fake Irises

For years, proponents of biometric authentication have advertised new and elaborate systems for ensuring that your computer knows it's "really you" attempting to unlock it. For years, hackers have demonstrated that these biometric authentication systems are woefully inadequate in many situations.

They also don't protect you in certain legal ways that passcodes or passwords do: Judges in the United States have generally ruled that you can be required to provide biometric authentication information to unlock a system, even if you can't be compelled to turn over a password. (The distinction made here is between something you "are," as opposed to something you may know.) Only the second case, at least so far, has been ruled as protected by the Fifth Amendment's guard against self-incrimination.

There are, in other words, multiple reasons to consider biometric security as fundamentally insecure in and of itself. The Chaos Computer Club(Opens in a new window), which tackled the Samsung Galaxy S8, has now demonstrated the truth of that reasoning by proving the iris sensor on the Galaxy S8 can be relatively easy to fool. Here's what Samsung says about its own iris scanning technology and its security:

The CCC describes how this particular hack works. First, you need a camera with a night vision mode or with the infrared filter removed. A good digital camera with a 200mm lens was able to take successful images at up to five meters, or about 17 feet. Distance from the subject will obviously depend on the quality of the camera, the lighting conditions, the angle of the photo, and the skill of the photographer.

Once the photo is taken, the final image can be printed on a high-quality laser printer (CCC reports that, ironically, Samsung printers worked best for their own security testing). Place a contact lens over the iris photo to simulate the effects of a real eye's curvature, and voila -- you've got a solution that can bypass Android security. A video of the exploit is provided below:

Whether you view these attacks as significant will depend on how you evaluate device security, period. But here's our advice: If you're going to use biometric authentication of any stripe, pair it with a passcode. Don't rely on a single form of security to protect your mobile phone, especially if you use it to handle mobile payments or have bank account or other personal information there. Two-factor authentication isn't perfect either, but at the least, it should present additional obstacles to accessing your private information.

Finally, be aware of the laws that govern the country or state in which you live, and how biometric authentication is treated. Be aware of what information you can and cannot be legally compelled to turn over, not because you intend to live an exciting life on the wrong side of the law, but because understanding these rules can have an impact on how an encounter with the legal system plays out, even if you haven't done anything wrong. Assume biometric authentication technology is at least as insecure as passwords on the whole and don't believe anything any company tells you to the contrary (including Apple). After all, we're still finding critical vulnerabilities in technologies that were supposedly safe for the past six years.