Researchers Bypass Samsung Galaxy S8's Iris Recognition System With A Photo And A Contact Lens

[Lucian Armasu]

Chaos Computer Club "hacker" Jan Krissler was able to bypass the Samsung Galaxy S8's iris authentication system with a high-quality photo of an iris and a contact lens emulating the curvature of the eye.

Researchers Bypass Samsung Galaxy S8's Iris Recognition System With A Photo And A Contact Lens : Read more

 

[Jake Hall]

Should gone Retinal, Samsung... don't get cheap on me

 

[DookieDraws]

D'OH!

 

[InvalidError]

Should gone Retinal, Samsung... don't get cheap on me

I would never recommend relying on biometric as a password replacement as it is merely a matter of time before someone finds a way to fool sensors and there is no way for you to prevent a would-be aggressor from coercing the ID out of you, with or without your knowing. Also, once your biometric ID has been compromised, there is no practical way for you to change it.

Biometrics as the only authentication factor is only suitable for low security application where biometrics are used more for convenience than security.

 

[10tacle]

On another note, what is up with Samsung and their Galaxy updates so frequently? I'm still using my one and a half year old Note 5 when they had the matching Galaxy S6. Now they are coming out with the 4K Note 8 this fall (they skipped the Note 6 series and went with the exploder Note 7) and Galaxy S9 next spring.

I can't keep up anymore but I guess I'm getting old - I like to keep my phones for 3 years or so before feeling the need to upgrade (better cameras, better resolution, larger screen, better Android support from the carrier, etc.). And now that carriers (in the US anyway) make you buy the phone up front instead of "giving" you one with a new 2-year subsidized contract, it's just becoming ridiculous.

 

[alextheblue]

Should gone Retinal, Samsung... don't get cheap on me

I would never recommend relying on biometric as a password replacement as it is merely a matter of time before someone finds a way to fool sensors and there is no way for you to prevent a would-be aggressor from coercing the ID out of you, with or without your knowing. Also, once your biometric ID has been compromised, there is no practical way for you to change it.

Biometrics as the only authentication factor is only suitable for low security application where biometrics are used more for convenience than security.

Exactly, low-security or as a tertiary factor. Anyway, has anyone bypassed the Windows Hello Iris or facial recognition with something similar yet? It's still breakable I'm certain, it's still biometrics and the same rules apply, but it seems to be a cut above the others.

 

[mrmez]

Ouch!
Plenty of photos of my face around.
Not so many of my fingerprints.

 

[therealduckofdeath]

If you notice someone taking a photo of you with a 200 mm lens less than five metres away, you really should be worried.
Remember, you literally will have to look at the perp for them to succeed.

 

[humorific]

Biometrics were always fools gold. As much as we everyone likes to bash passwords, ultimately they are still the best, most secure, most flexible option, and likely to stay that way. Remember, the purpose of security is to be secure, not convenient.

 

[Deleted member 1353997]

So you don't have ANY photos of your face ANYWHERE?

Nothing on Facebook, Twitter, Tumblr, Twitch, Tinder, Youtube, etc etc etc.

You must be very paranoid or very ugly.

Or maybe they're just not vain enough to want the whole world to see their pictures.

 

[Shagoii]

I think that the person could select more than 1 method of security. Exemple:
Iris + Biometric
or password + pin code
or pin code + iris
or password + iris + biometric
or password + pin code + iris + biometric

If the person want security, he select more than 1, if not select 1 ou none

 

[bentonsl_2010]

This is BS

So you have to have the person's phone.
Then know who Said person is (Most phone a stolen because someone loses them)
Then Have a copy of a high res photo the said person eyes
Then go buy a contact lens
Then have a lazer printer

All of that before I remote wipe the phone and or change the info on the account. Good luck with that.

 

[techy1966]

So how is it Samsung's fault someone decided to try and bypass the security? It does not matter what security you use there will always be someone out there that will try and find a way to break it. I would think if you actually are worried about this just use a couple different security methods to protect your phone. It don't matter much then because even if they get through one method there is another hurdle to get through with the second security protection.

By this time the thief will most likely be so upset that they will either smash the phone or just toss it out. My other way of thinking is like someone else stated here. If the thief has to go through several steps to get through this security by the time he/she does the phone will most likely be already wiped and tagged as stolen by the owner and the mobile company.

My other thought is if a thief finds a phone how the hell would he even know what the person looks like to get a photo. If the phone was lost I am sure the owner is not going to sit around and let the thief take a picture of them so the thief can steal your phone and your account data.

 

[Jeff Fx]

I opened my eyes wide for the scanner when I stored my iris print, so it only opens if I do the same when unlocking it. I'd have to be very surprised in a close-up photo for someone to acquire an image of my entire iris.

I know this is not a solution for everyone, but I recommend that anyone else who's entire iris is not normally visible do the same.

 

[ledhead11]

Biometrics on consumer equipment have been shaky at best. Apple had similar problems so no surprise with Samsung. I've also read stories of people finding the file locations and hacking them to retrieve whatever was needed.

I've even watched videos of security labs lifting fingerprints with silly puddy and then tricking finger print sensors.

 

[ex_bubblehead]

I will only issue this one warning with regard to the off topic sniping that I just removed. If I see any more of it, from anyone, there will be sanctions levied, on all participants.

The ONLY acceptable response here is "I have read and understand the warning", anything else is vacation time.

 

[lsatenstein]

This cellphone is most secure. Lets see how you can break security.
a) You have to be captured by a gang of photographers who will photograph both your eyes, (in case the one eye chosen was the wrong one)
b) You have to give your cellphone to one of these gang members or
c) He is able to wrestle your cellphone out of your hot little hands.
d) He has to wait for dark to use the security stuff built into the phone.

So, want your cellphone broken into, go through the above steps.