It's Alarmingly Easy To Hack The Samsung Galaxy S8's Iris Scanner

Samsung wants you to think that the iris scan technology on its new flagship phone, the Galaxy S8, is unbeatable. But it should surprise no one who pays attention to the security world that this is not the case. In fact, Samsung's new iris scanner is very easy to trick.

A security researcher at the Chaos Computer Club in Berlin recently pulled off the feat with nothing but a camera, a contact lens, and a printer. To do it, Jan "Starbug" Krissler simply used the night mode setting on a Sony digital camera to capture an image of his buddy's eyes. (Using night mode or removing a camera's infrared filter makes it easier to capture the iris pattern details in people with dark eyes.) Then, using a Samsung printer, he printed out a life-size image of one eye and glued a contact lens to the picture to provide depth. Sure enough, the Galaxy S8 iris scanner didn't know the difference between this art project and the phone owner's actual eye. One second later, the hacker had gained full access to the phone, including Samsung Pay.

This sounds scary, but consider the caveats. A hacker would have to be determined as hell -- and probably sort of a weirdo -- to gain access to your data by spoofing your iris. There are many ways to hack a smartphone after all, including tricking the fingerprint scanner or the facial recognition software. Starbug is actually famous for bypassing Apple's Touch ID fingerprint scanner 48 hours after its release, while another hacker reportedly tricked the Galaxy S8's facial recognition software with a photo on the same day that Samsung released the device.


But let's just assume this iris scanner trick is a last resort. Even though Starbug's method is simple, a hacker would still need to get relatively close to the victim's face to snap a clear photo of their eyeball. (Starbug says it's possible from as far as 4.57m.) Then, there's the whole printing situation, which would be limited by the quality of any given printer. (Ironically, Starbug found the best results with a Samsung printer.) And then, the hacker would need physical access to the device.

Would any reasonable hacker go through all these steps, when it's likely possible to steal your data more easily? Surely not. Is Samsung full of shit when it says that irises "are virtually impossible to replicate" and that "iris authentication is one of the safest ways to keep your phone locked and the contents private?" Absolutely, and the company probably knows it.


This isn't even the first time that Samsung's been called out for a vulnerable iris scanner. Starbug himself managed to trick some common iris scanner technology made by Panasonic using nothing but a Google image search and a printer. This led many experts to worry about the security of the iris scanner on the Galaxy Note 7. Then again, the Note 7 had much bigger problems than a crappy iris scanner. The iris scanner on the Galaxy S8, however, is made by a company called Princeton Identity Inc., not Panasonic.

It's unclear if Samsung knows about the iris scanner vulnerability or what it plans to do -- if anything. We've reached out to Samsung and will update this post when we hear back. In the meantime, don't assume that your new Galaxy S8 is impenetrable. Hackers probably won't be trying to break into your phone through the iris scanner, but news that they can brings us back to the one great truth of the security world: Nothing is impenetrable.

Update 2:20pm EST - Samsung sent us the following statement:

We are aware of the issue, but we would like to assure our customers that the iris scanning technology in the Galaxy S8 has been developed through rigorous testing to provide a high level of accuracy and prevent attempts to compromise its security, such as images of a person's iris. If there is a potential vulnerability or the advent of a new method that challenges our efforts to ensure security at any time, we will respond as quickly as possible to resolve the issue.

[CCC via Motherboard]



    I wonder if this is related to the specific tech Samsung is using or would work with all iris scanners. I remember some attempts to defeat the Lumia 950 scanner when it came out but I don't remember it being bypassed. It's highly likely no one went to this degree to defeat it though.

    LOL! Why the FUD article? This wasn't "alarmingly easy", it was stupid and complicated.

      Just hold still while I get a high resolution night-mode photo of both your eyes...wait no, open your eyes more...great. Now just hand over your phone and don't ask any questions. And voila! As easy as just wiping your phone in the first place! Or not.

      The article also incorrectly states the facial recognition feature was fooled on the release version, but it actually happened on the day the phone was announced and was a device with beta software in it that was patched before the actual release.

      I agree - let's think about this for a second - you need to get close enough to someone to photograph their eyes for enough iris detail to be captured. Not a problem for an Apple employee trying to make a point, but in the real world, it isn't easy at all.

      Then there's the not so easy matter of sticking a contact lens on a photo.

      It'd probably be easier to kidnap the person and interrogate them?

        If you have sunglasses with a built in camera, then it would be easy to get a photo of anyone's iris really.
        The rest can be done later, the only real problem is nabbing the phone.
        If you weren't in a hurry, you could get the photo, do all the setup stuff and get the phone at any future time, then unlock it, get what you need and put it back.
        The physical access to the phone is the tricky bit, I guess if the person was at the pool or showering or something like that.
        Not easy, but not difficult really if you really had a need, and playfully easy if you were arrested and refused to unlock your phone, as is fingerprint.

        Ok, thought about it for a second.
        You need a photo of someone's eyes from 5m or less. (Night mode preferred but not required)
        Fortunately people are too smart to post selfies on the internet.
        Then you need to print the picture.
        Fortunately less and less people actually have printers nowadays.
        Then you need to stick a contact lens to the printed photo.
        I'm sure even the NSA would have trouble doing that.
        Doesn't sound possible to me.

    I use the face recognition feature on my penis. When I need to pay for something I make it obvious that I am sticking the phone down my pants to authorize. Potential thieves are perturbed by the thought of touching the phone, let alone replicating the image ...although they are welcome to try.

    Last edited 24/05/17 8:56 pm

    How many close-up selfies are taken in bed? Now think about the possibility that your selfie is posted on the internet. As cameras continuously get better, photos are uploaded in higher resolutions.

    Think of those possibilities
