Hackers trick Galaxy S8 lock on iris scanner
The Berlin-based association Chaos Computer Club, or CCC, uploaded a one-minute, 16-second video to YouTube on Tuesday that showed the entire process: taking a photo of the experimenter with an infrared camera, printing it and placing a contact lens on top of the photo to add the eye dimension. In the video, the set easily passed the Galaxy S8’s iris screening test without delay.
The video also showed that the photo of the experimenter did not have to be taken close to the pupil. It could be taken from a moderate distance of about 5 meters (16 feet), far enough to capture a bust shot of the subject.
“The security risk to the user from iris recognition is even bigger than with fingerprints, as we expose our irises a lot,” Dirk Engling, CCC’s spokesperson, told the Guardian newspaper. He added that traditional PIN protection, or a password setting, is safer than any method using features of the human body.
CCC is Europe’s largest hacker association and was the first to break through Apple’s fingerprint sensor not long after iPhone 5’s release in 2013.
The Galaxy S8 is currently the only smartphone model on the market that uses an iris scanner for personal identification. The technology was used in Samsung’s Galaxy Note7, but production and sales were halted last year after several explosions.
The electronics giant’s reaction to the video was that fooling the iris recognition system is not as easy as it looks in the video because it requires a combination of specific situations.
First, the photo of the eye has to be taken by an infrared camera which is currently not released in Korea. The camera CCC used for the shoot was a Sony model made in 2003. An infrared camera is the core technology of Galaxy S8 iris recognition.
Secondly, the photo of the smartphone owner must be taken to show the iris pattern. Moreover, even if the counterfeiter does succeed in taking the photo, the phone must be stolen to gain access to information or financial transactions.
“We’re still trying to get a hold of the situation and devise additional ways to strengthen security of the function even further,” said a company spokesman.
In the Galaxy S8, iris recognition is used not only to unlock the phone but also for personal verification when accessing various services, including banking and payments.
Iris recognition was deemed the most secure among body recognition functions, including those using fingerprints and faces. When Samsung Electronics unveiled the function last year, it explained that every person has a unique set of irises that remain fixed from 18 months of age, and that the possibility of two people having the same iris pattern is one in a billion.
At a press conference at the time, the company’s researcher ruled out the possibility of counterfeiting iris data, saying that retrieving an iris from a dead person is impossible, as is copying the information.
BY SONG KYOUNG-SON AND PARK TAE-HEE