Slashdot Mirror


Hackers Unlock Samsung Galaxy S8 With Fake Iris (vice.com)

From a Motherboard report: Despite Samsung stating that a user's irises are pretty much impossible to copy, a team of hackers has done just that. Using a bare-bones selection of equipment, researchers from the Chaos Computer Club (CCC) show in a video how they managed to bypass the scanner's protections and unlock the device. "We've had iris scanners that could be bypassed using a simple print-out," said Linus Neumann, one of the hackers who appears in the video. The process itself was apparently pretty simple. The hackers took a medium-range photo of their subject with a digital camera's night mode, and printed the infrared image. Then, presumably to give the image some depth, the hackers placed a contact lens on top of the printed picture. And, that's it. They're in.

6 of 79 comments

  1. Single biological authentication doesn't work by courteaudotbiz · · Score: 2

    If a device only checks for one thing, in this case, iris pattern, the device cannot know if it is a real eye for sure. Validating the iris and fingerprint, or iris and voice recognition, or iris and DNA would already be more secure, but as I come up with these ideas, I always find a way these things can be fooled together. It just makes it more complicated to fool 2 sensors at a time, but absolutely not out of reach of three-letter agencies. I think iris scan combined with voice and a plain old password would already be some sort of security.

    1. Re:Single biological authentication doesn't work by Sique · · Score: 3, Insightful

      The general problem is still unsolved. If your iris and your fingerprint id are broken, how do you replace them with new ones?

      That's the general problem with biometric identification. Once you can overcome the limits of the scan mechanism, and impersonate someone else, there is nothing the impersonated one can do to close the door again, until new scan mechanisms are in place which have to be fooled in a new manner.

      --
      .sig: Sique *sigh*
    2. Re:Single biological authentication doesn't work by Anonymous Coward · · Score: 2, Insightful

      Biometrics are really analogous to user names, not passwords. I really have no idea why they keep insisting that they are the next thing in security.

    3. Re:Single biological authentication doesn't work by sexconker · · Score: 2

      Nope.

      Identification - Who you claim to be.
      Authentication - Proving you are who you claim to be.
      Authorization - What you are allowed to do.

      It's so fucking simple, yet you fucking retards keep trying to shit it up by chipping away at the authentication piece and relying more on the identification piece.

  2. Re:You must understand that the average petty thie by ledow · · Score: 2

    The average petty thief isn't guessing a four-digit PIN that locks out after too many attempts either.

    Anyone with a basic modicum of security realises that what you're paying for is a VERY VERY VERY expensive way to tap in four digits automatically.

    But at least you have to give up the PIN, whereas your iris scan can be taken from you without your knowledge. And I'm sure a non-petty thief (i.e. a guy on a moped swiping phones from city centres all day long) would love to have a way to turn your lock screen off to get the full resale value rather than a useless brick. Whether that be from fingerprints on the screen itself or an accomplice's selfie of you just before he nicks your phone.

    But think more of: You're at an airport, in the middle of nowhere. And a cop demands you unlock your phone. He could just get you to look in it. Or he could have to force a four-digit passcode from you, and/or get a warrant.

    Surely protecting against the former makes sense in any security situation, especially when even Apple refuse to help the FBI unlock people's phones.

  3. Security vs Convenience by green1 · · Score: 4, Insightful

    I think by now everyone on Slashdot knows that biometrics provide very little actual security. That said, they do provide a very real solution to a very real problem. My phone has too much information on it to leave completely unprotected, but at the same time, I unlock it so many times a day that entering a long and complex passphrase each time is impractical.
    Now that said, the phone situation is also not like any other computer security issue either. I pay pretty close attention to where my phone is at all times, and that place is usually on my person. So it could be argued that it doesn't need as much security. It is in very real terms not much different that way from my wallet, and a thief doesn't need to pass any authentication at all if he steals my wallet, and that contains not only cash and credit cards, but also my ID, which would be enough to steal my whole identity.

    I see the fingerprint authentication on my phone as being enough to stop my toddler from doing too much harm to my settings, or my friends from pranking me at the bar, it's also enough to foil the vast majority of casual pickpockets. It won't protect me against any government agency, or dedicated crime syndicate, but really, who am I fooling, neither of those groups is going to care about my phone, and if they do, there's no authentication I could put on it that will actually provide real protection from them (between "rubber hose" attacks, and whatever hacking tool they've found and not released yet).

    Now if I was asked to use biometrics to authenticate my car, house, workplace, or bank account, I'd object a lot more, after all, those things are often left unattended, and the incentive for a malicious party to get in to them is much higher than my phone.