Samsung Galaxy S8 iris scanner hacked

With only a contact lens and a basic digital camera, hackers have shown the smartphone’s iris scanner can be easily bypassed

Iris scanning technology may seem like a safe bet for keeping a smartphone secure, but with only a photograph, printer and contact lens, hackers have proven the Samsung Galaxy S8’s system can be easily fooled. This hack proves biometric security systems, or at least those found in consumer products, still have a long way to go before users can confidently replace the traditional password.

In a video released by hacker Jan Krissler, also known as Starbug, a photograph taken using the infrared mode of a standard digital camera is the only personal information needed to perform the bypass. The photo is printed out and a contact lens is stuck over the iris to give the eye an authentic reflective sheen. When held up to the camera, this is enough for the Galaxy S8 to register the image as the smartphone’s owner.


This is not the only biometric security flaw found in the Galaxy S8. In March, the smartphone’s facial scanning technology was fooled with only a photograph, The Verge reported. In response to this, Samsung said facial recognition is a convenient way to unlock your phone and not a complete security feature.

Krissler has a long history of finding flaws in biometric security features. In 2013, he demonstrated a way to bypass the iPhone’s then-new fingerprint scanner by using a detailed photograph of a person’s fingerprint to create a latex mould. In 2014, he claimed to have reproduced German defence minister Ursula von der Leyen’s fingerprint using only photos taken at public events like press conferences. While these techniques are currently impractical for the average hacker, the demonstrations do prove biometric security systems are far from foolproof.

Finding a secure and effective alternative to passwords has been a steep challenge. While biometrics may be convenient, if a person’s details are compromised, they cannot be changed or replaced. Additionally, biometric security features are constantly on public display, unless a person is wearing sunglasses and gloves.

While passwords may be inconvenient and suffer the occasional large-scale breach, they still feature the best mix of effectiveness and convenience for security measures.