Image: GSMtube.

On Monday, the Chaos Computer Club (CCC) published a new method through which they managed to fool the Samsung Galaxy S8’s iris scanner. The hackers managed to unlock the device using a printed picture and a contact lens.

The German cyber security organization has regularly informed consumers about the vulnerabilities of new technologies, often disproving the claims of their allegedly safe features.

A couple of years back, the CCC was also behind the scandalous discovery of a technique that allowed people to copy fingerprints from pictures. These digital copies could then be used to fool scanners on mobile devices, such as the iPhone’s Touch ID.

CCC’s three-step method to beat the eye scanner

Security researchers of the CCC conducted a few tests to try and deceive the Samsung Galaxy S8’s iris scanner to gain access. It took them just two days to come up with the method.

First, they took a picture of one of the team members from a five-meter distance with a standard digital camera. They shot the photo in night mode, because the infrared filter that is otherwise active makes it harder to capture details of the iris.

Then, after they had their photo, they printed it on a sheet of paper. Coincidentally, they got the best results using a Samsung laser printer.

Finally, to simulate the brightness and curvature of the eye, the researchers placed a contact lens on top of the photograph.

Samsung has unrealistic hopes for its Iris Scanner

The Chaos Computer Club has long been an advocate of stronger security measures in tech, and they often repeat just how flawed and easy to bypass these modern biometric authentication systems are.

A couple of days after launch, other researchers also fooled the facial recognition system of the phone using a photo taken with another device. Princeton Identity Inc. and Samsung Electronics refused to comment when reached by media outlets. The official website reads:

[Image: Samsung official website on the Galaxy S8 and S8+ iris scanner]

Techniques like this are easy to apply, since all it would take is a standard definition photo of someone’s face with a clear view of their eyes. Considering the number of selfies people take nowadays, this has raised reasonable concerns.

Private data on your phone is just one mockup picture away from hackers’ reach. It could be even more serious if the user had, for example, set up payments to confirm their identity using iris scanning as their method of choice.

Source: Chaos Computer Club