We have a love-hate relationship with biometric ID. After all, it looks so cool when the hero in a sci-fi movie enters the restricted-access area after having his hand and iris scanned. But that’s about the best you can say about biometric security. It’s conceptually flawed in a bunch of ways, and nearly every implementation we’ve seen gets broken sooner or later.
Case in point: prolific anti-biometry hacker [starbug] and a group of friends at the Berlin CCC are able to authenticate to the “Samsung Pay” payment system through the iris scanner. The video, embedded below, shows you how: take a picture of the target’s eye, print it out, and hold it up to the phone. That was hard!
Sarcasm aside, the iris sensor uses IR to recognize patterns in your eye, so [starbug] and Co. had to use a camera with night vision mode. A contact lens placed over the photo completes the illusion — we’re guessing it gets the reflections from room lighting right. No etching fingerprint patterns into copper, no conductive gel — just a printout and a contact lens.
We’ve ranted about the insecurity of fingerprints before; they’re not a good secret, they’re irrevocable, and they’re hard to store securely. And on top of these conceptual problems, they’re quite spoofable, as [starbug] and many others have shown, going way back.
So why do we still use them? Fingerprint readers and iris scanners are “good enough” security and they’re fun to hack around with. Should you add one to your project for grins? Absolutely. Should you require your citizenry to use them for authentication, or use them for real security? We wouldn’t.
Thanks [mbln] for the tip!