Breaking Samsung’s iris scanner that supposedly ‘locks’ the Galaxy S8 is laughably easy

“Hackers have broken the iris-based authentication in Samsung’s Galaxy S8 smartphone in an easy-to-execute attack that’s at odds with the manufacturer’s claim that the mechanism is ‘one of the safest ways to keep your phone locked,'” Dan Goodin reports for Ars Technica.

“All that was required was a digital camera, a laser printer (ironically, models made by Samsung provided the best results), and a contact lens,” Goodin reports. “The hack required taking a picture of the subject’s face, printing it on paper, superimposing the contact lens, and holding the image in front of the locked Galaxy S8. The photo need not be a close up, although using night-shot mode or removing the infrared filter helps.”

Gooding reports, “The hackers [Chaos Computer Club in Germany] provided a video demonstration of the bypass.”

[protected-iframe id=”3a25231f0cc597b4bbd579fd4a40e14e-17146794-18685410″ info=”” width=”590″ height=”332″ frameborder=”0″ allowfullscreen=””]
Read more in the full article here.

MacDailyNews Take: Now, to be fair, this is only because Samsung is fully staffed with bullshitters, liars, and thieves who peddle half-assed iPhone wannabes to tech illiterates.

We care deeply about your privacy. So we put in place effective mechanisms that prevent unwanted snooping, while making it surprisingly convenient for you. There’s iris scanning for airtight security…Samsung

If it’s from a South Korean dishwasher maker, it’s not an iPhone.

Even more problems crop up with Samsung’s Galaxy S8 – May 1, 2017
Samsung Galaxy S8 and Galaxy S8+ users suffer randomly restarting phones – April 29, 2017
Samsung under fire: Galaxy S8 owners angry over ‘red tint’ display problems – April 18, 2017
Now beleaguered Samsung’s Galaxy S7 Edge is reportedly catching fire – October 25, 2016
Samsung refusing to pay for property damage caused by its exploding phones – October 22, 2016
Horror stories from the flight ban of Samsung’s exploding phones – October 17, 2016
Analyst estimates 5-7 million ex-Samsung phone users to switch to Apple iPhone – October 17, 2016
U.S. air passengers who try to take Samsung’s exploding phones onto planes face fines, confiscation, criminal prosecution – October 15, 201
Samsung has no clue why their phones explode, yet they shipped replacements anyway, assuring their customers they were safe – October 14, 2016
Study: iPhone users are smarter and richer than those who settle for Android phones – January 22, 2015
Why Android users can’t have the nicest things – January 5, 2015
iPhone users earn significantly more than those who settle for Android phones – October 8, 2014
Yet more proof that Android is for poor people – June 27, 2014
More proof that Android is for poor people – May 13, 2014
Android users poorer, shorter, unhealthier, less educated, far less charitable than Apple iPhone users – November 13, 2013
IDC data shows two thirds of Android’s 81% smartphone share are cheap junk phones – November 13, 2013
Apple will continue to ignore Android market share stats all the way to the bank – October 29, 2013
CIRP: Apple iPhone users are younger, richer, and better educated than those who settle for Samsung knockoff phones – August 19, 2013

[Thanks to MacDailyNews Reader “TJ” for the heads up.]


    1. I received a true retinal scan as a benchmark prior to working with Class IV lasers. It is really cool to see the blood vessel patterns in your own retina.

      Clearly, Samsung is not using retina scanning. The image that cracked the phone was taken from a distance, cropped and expanded, then printed on a color laser printer. How much useful retina data could possible remain in that image. But it worked… So Samsung must use a much cruder method than retinal scanning/matching. It does not appear to be any better than the facial recognition techniques that can be cracked with a simple photo.

      So far, Apple’s Touch ID is the gold standard for mass market consumer electronics. It can be cracked, but it takes a lot more work.

  1. You all know that hackers inGermany cracked the iPhone touch id sensors too, right? If your device is stolen and someone else has your fingerprint, your iPhone isn’t necessarily perfectly secure either. Keep an eye on your iphones.

    1. You know that hack would not work anymore… A passcode is required after a reboot and/or an 8 hour lapse after the device was unlocked. And if I remember correctly , that hack took a day or two and some very expensive equipment to generate the fake fingerprint.

      1. Passcode is sometimes required after a random time period too, it seems. Several times I’ve used my iPhone after unlocking with TouchID, lock it, then come back two minutes later and it’ll demand the passcode right away, TouchID not even an option.

    2. That particular workaround has been written about since soon after iPhones first featured fingerprint recognition, but doesn’t appear to be a practical workaround in the real world.

      If you want to know how vulnerable iPhones are to this method of attack, just ask yourself why there are tens of thousands of outstanding requests from Police forces wanting Apple to unlock iPhones used by criminals? The Police have perfect fingerprints of nearly all suspects and have access to tremendous technical resources, but they haven’t developed a method to reliably fake the iPhone’s fingerprint detection.

  2. Starting with Apple TouchID, biometric identification has now gone mainstream. (Even three year old kids’ fingerprints are being captured when they visit Disney World.) Hailed as being safer than digit-based passwords, biometric security data presents explosive potential in hackers’ hands. In the aftermath of the compromise of 5.6 million US government military, civilian and contractor personnel fingerprints, Eva Velasquez, CEO of the Identity Theft Resource Center, explained that stolen fingerprints may be a big problem in the future if biometric technology is used to verify bank accounts, home security systems and even travel verifications.

    Doug Clare, Information Management, on Feb 09, 2017

    1. The fundamental problem with Disney, bank, passport and similar biometric pass systems is that they’re *centralized* systems. They have to be, and that means your print is stored in a database somewhere where multiple devices can access it.

      With the iPhone at least, the print’s signature is stored on a single device, so the potential for compromising your biometric data is far less.

      So, what we need is an Apple Pay-like system which has one level of separation between your profile and your biometric data. YOU carry your own bio data around on a cross-certified ID card (i.e. probably gov-issue, but could be bank-issued, either way it’s trusted by other systems) with something like the secure enclave. The card would have write-once storage to capture whatever biometric data it needs, and that ID card interfaces with whatever centralized system it needs to (Disney, bank, etc) to verify you are who you claim to be.

    1. Actually, Samsung did the right thing in doing a quicky quirky feature with minimal expense.

      They put in a new “gotta have” for the clueless crowd who don’t read MDN, Slashdot or wired. It is for those who buy feature lists.

  3. Again, if apple has not implemented something, it is because its not ready for the market. Don’t be cheap and buy knock offs, buy the real thing, there is a reason it is called “REAL”.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.