Fooling Samsung Galaxy S8 Iris Recognition

We have a love-hate relationship with biometric ID. After all, it looks so cool when the hero in a sci-fi movie enters the restricted-access area after having his hand and iris scanned. But that’s about the best you can say about biometric security. It’s conceptually flawed in a bunch of ways, and nearly every implementation we’ve seen gets broken sooner or later.

Case in point: prolific anti-biometry hacker [starbug] and a group of friends at the Berlin CCC are able to authenticate to the “Samsung Pay” payment system through the iris scanner. The video, embedded below, shows you how: take a picture of the target’s eye, print it out, and hold it up to the phone. That was hard!

Sarcasm aside, the iris sensor uses IR to recognize patterns in your eye, so [starbug] and Co. had to use a camera with night vision mode.  A contact lens placed over the photo completes the illusion — we’re guessing it gets the reflections from room lighting right.  No etching fingerprint patterns into copper, no conductive gel — just a printout and a contact lens.

We’ve ranted about the insecurity of fingerprints before; they’re not a good secret, they’re irrevocable, and they’re hard to store securely. And on top of these conceptual problems, they’re quite spoofable, as [starbug] and many others have shown, going way back.

So why do we still use them? Fingerprint readers and iris scanners are “good enough” security and they’re fun to hack around with. Should you add one to your project for grins? Absolutely. Should you require your citizenry to use them for authentication, or use them for real security? We wouldn’t.

Thanks [mbln] for the tip!

34 thoughts on “Fooling Samsung Galaxy S8 Iris Recognition

  1. I’d be willing to bet that the camera in my LG V10 could pull a usable iris picture from a far enough distance that the image could be used while being able to avoid detection by the target if you’re careful. You could get a usable picture even further away with a higher MP sensor (the phone has a modest 16MP) in a mirrorless or DSLR camera and a quality telephoto lens. It might be worth the money to a private investigator, the police, and intelligence agencies to pull the IR shield off the image sensor of a reasonably expensive camera for just this purpose if the tech catches on with other phones (especially the iPhone).

  2. Fingerprint and Iris biometric “passwords” are in fact “revocable”, though most people would find the method of invalidating the “password” objectionable…

    In the case of fingerprints, passwords are changeable, to some degree. You can either scar your finger or change the finger you use, though you have a finite number of passwords to work with in the latter case. Again, not a good system, but technically possible. Now if you have a glass eye… Worlds of possibility…

  3. It’ll be interesting to see how well this works for views from the side. Unless you’re doing public speaking, it’s going to be tough for complete strangers to photo your eye undetected while directly in front of you at a distance, but may they’ll be able to if they’re not looking at you directly if that works.

  4. I think the use of an IR camera for an iris scanner is the perfect example of security though obscurity.
    Just get a camera such as the Olympus OM-D E-M5 and you probably could get a good enough photo of someone’s iris from fairly far away.

  5. It might be worth pointing out, that people are mixing up the ease of spoofing this implementation with the security of the actual method itself.

    Iris scanning is a very secure biometric identification method, when operated under proper supervised conditions. It has been deplayed years ago in the UAE and has showed zero(!) false positive matches.

    https://www.cl.cam.ac.uk/~jgd1000/UAEdeployment.pdf

    Btw – the reason why we only see a wide roll out of Iris scan now is that critical patents expired recently…

    1. That article is written by one of the principles of the firm that sells the tech. Caveat emptor. Still, it reads plausibly.

      Getting an arbitrary number of false positives is just a matter of setting a match threshold very conservatively. From the ad: “In 2.3 million iris comparison tests, there were no False Matches made, and only 0.2% False Rejections on the third attempt.” So they crank up the match threshold high enough that some people who aren’t on the list have to re-try three times or so.

      That’s probably the right thing to do, and their tech seems good. I’m not surprised — it looks like there’s a lot of detail in a controlled iris scan. They say they get 250 bits’ worth. These would have to be _very_ noisy to not separate out 2 million (21 bits) people. Makes you wonder how many bits of info the system that Samsung used had.

      All of this misses the point, though. These are controlled trials, under police supervision, no less. My guess is that nobody actually tried to game the system by holding up pieces of paper with contact lenses on them while armed guards stand by. It’s just a different application. ID vs password, observed vs private, etc.

      1. All of this misses the point? It’s exactly the point! Biometrics cannot be used securely for authentication, just for identification. Biometrics are great at identifying people with great accuracy and ease of use. But as every security guy will tell you, it is wrong to use it for authentication.

          1. You could already use a wang with a fingerprint sensor I suppose.

            As an alternative I always thought using part of a $1000 (or similar) bill as identifier would be good, since most people don’t have that on them, but it has precise microscopic elements. Only now many of the fingerprint sensors try to determine if the finger is alive, so you can’t use objects.

        1. Thank you, @Bitblade. I’m encouraged that people here use the term “biometric identification” An ID is just that; identification, not authentication, whether it’s biometric or not. Your fingerprints and eyes are visible all over the place, are not a secret, and cannot be “reset” comfortably if compromised. To use identification for authentication is what gets many people in trouble.

          Obligatory link to http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html from 2013.

          1. You can theoretically ‘reset’ a fingerprint by adding a small permanent scar I would think.
            As for the iris.. theoretically you could change it a bit with a precise laser, it only needs a small change to have a new pattern I imagine. An in fact you could even do that with a retina, if you have that kind of dedication (since you would lose some cones and/or rods I fear).

    1. Well I do not deny that this could be occurring, I have technically been a foreign visitor to the US multiple times, and I can comfortably say that I have not had my iris scanned with my knowledge.
      Unless this is like every other TSA decision and it is only for people designated as “probable threats.” in which case I could see this being likely.

      It surprises me how bad security is when it all comes down to peoples decisions and opinions.
      People are kind of dumb, and can most often be fooled, or tricked, or make decisions to buy flawed products, or implement flawed solutions based on sales pitches and marketing…

Leave a Reply to Elliot WilliamsCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.