Weeks after a security researcher demonstrated how he could fool the facial recognition software in Samsung’s new Galaxy S8 smartphone with a digital photo, someone else has managed to hoodwink the phone, this time by tricking its iris scanner with a printed picture and a contact lens.
In a video by the Chaos Computer Club in Berlin, researchers snap a photo of a man from a medium distance in night mode, because the S8’s sensor uses infrared light to better detect patterns in the iris.
Back in the lab, he prints out an enlarged infrared photo of his eyeball, and gently lays a contact lens over the iris. After registering his real irises with the phone, he holds up the photo to the sensor and boom — he’s in.
While it is unlikely that a hacker will go to such lengths to mimic your iris, Gizmodo notes that Samsung probably shouldn’t go around touting iris authentication as a secure method for locking your phone, or claiming that irises are “virtually impossible to replicate.”
In a response to Gizmodo, Samsung basically says it’s aware of the issue and will deal with any future shenanigans, should they arise.
“But we would like to assure our customers that the iris scanning technology in the Galaxy S8 has been developed through rigorous testing to provide a high level of accuracy and prevent attempts to compromise its security, such as images of a person’s iris,” the company said. “If there is a potential vulnerability or the advent of a new method that challenges our efforts to ensure security at any time, we will respond as quickly as possible to resolve the issue.”
If you’re worried about someone spoofing your irises or fooling the S8’s facial recognition tool, you can always use a good old-fashioned PIN or fingerprint.