This week, a security research report began doing the rounds showing a flaw in Samsung’s Galaxy S8 iris scanner. The report went on to show how someone could trick the phone into unlocking using a picture of someone’s eye and a series of other steps that further complicate matters. It is a highly trivial scenario and one that won’t affect many, but Samsung has still responded.
On Tuesday this week, the German group Chaos Computer Club (CCC), which found a way around Apple’s Touch ID sensor back in 2013, revealed a way to crack the iris scanner on the Galaxy S8. The group used a digital camera to snap a shot of the phone owner’s eyes; the photo was then cropped and printed out using a laser printer. From there, you need to obtain a contact lens to place over your printed image to help simulate the curvature of a real eye. Once you’ve achieved all that, the iris scanner will unlock the phone, thinking it is looking at a real eye.
Given that the iris scanner had been bypassed, Samsung was contacted for comment by various outlets. One particular spokesperson gave the following statement to The Inquirer this afternoon: “We were aware of the report, but would like to assure our customers that the iris scanning technology in the Galaxy S8 has been developed through rigorous testing to provide a high level of accuracy and prevent against attempts to compromise its security, such as images of a person’s iris”.
“The reporter’s claims could only have been made under a rare combination of circumstances. It would require the unlikely situation of having possession of the high-resolution image of the smartphone owner’s iris with IR camera, a contact lens and possession of their smartphone at the same time. We have conducted internal demonstrations under the same circumstances however it was extremely difficult to replicate such a result.”
Now while Samsung does believe that this scenario is highly unlikely, the company will be looking to ensure tighter security going forward. With this new information in hand, Samsung will begin working on tweaking its scanner firmware to try and combat this scenario.
KitGuru Says: While the average phone thief likely isn’t going to go through the effort of creating a ‘dummy eye’ to unlock your Galaxy S8, this is still a security vulnerability. Hopefully Samsung is able to do something about it, just in case. After all, now that this issue is public, there are bound to be some people out there looking to test it out.