Selfies Could Fool the Galaxy S8's Iris Scanner A hack demonstrates that the iris scanner in Samsung's new flagship smartphone could unlock the device when presented with a photograph of the owner's eye.
By Tom Brant •
This story originally appeared on PCMag
Samsung describes the Galaxy S8's iris scanner, which lets you unlock the phone just by looking at it, as "one of the safest ways to keep your phone locked and the contents private." After all, "the patterns in your irises are unique to you and are virtually impossible to replicate," Samsung explains on its website.
But the company may now want to rethink the veracity of its marketing tactics, following a revelation this week that the Galaxy S8 iris-recognition system was hacked with a simple technique.
Members of the Chaos Computer Club (CCC), based in Germany, were able to unlock an S8 using a photo containing its registered iris. Theoretically, that means anyone who posts selfies online and has an S8 with iris recognition enabled is giving hackers a potential backdoor to unlock their phone.
In practice, it's not that simple. To pull off their hack, the CCC explained in a blog post that they used a clear picture of the phone owner's face, which was then printed using a laser printer. They then held a contact lens on top of the eye in the photograph, in order to give it the convex three dimensional shape required for the iris scanner to recognize it.
In addition to using high-resolution selfies, a hacker could also surreptitiously snap a photo of their intended victim, CCC notes.
Despite the simplicity of the hack, it doesn't reveal any fundamental flaws about Samsung's iris scanner itself. It's also worth noting that a similar technique could potentially be used to fool the S8's face recognition unlocking system, or any other phone with similar unlocking options.
Samsung did not immediately respond to a request for comment. But it does warn that face recognition (which uses the front-facing camera) is a less secure method of unlocking your phone, explaining in a footnote on its website that "face recognition is less secure than pattern, PIN or password."
