Samsung's 'Airtight' Iris Scanning Technology For The S8 Defeated With A Camera, Printer, And Contact Lens

from the a-new-theatre-for-security dept

The thing about biometric scanning as a security practice is it is one of those things that sounds great. “Lock your phone with your fingerprint or facial scan”, shout the manufacturers and security companies that came up with the scans. Well, shit, thinks the average person, if nobody else has my face I’m in the clear. Even when movies and television tackle the subject, the methods for breaking the biometric security typically involve convoluted plans and insane stunts so brazen they would make Danny Ocean’s jaw drop.

The problem is that the hype around this tech is typically more effective than the tech itself. Fingerprint scanners are easily fooled and facial recognition software has been shown to be defeatable by, and I swear this is true, printouts of a person’s face. That isn’t security, it’s a punchline. So, when Samsung and its security partner decide to pimp the iris-scanning security feature of the Galaxy S8 with language like “airtight” and suggestions that owners of the phone can “finally trust that their phones are protected”, one would expect those claims to be backed up by strong technology.

It isn’t.

Hackers have broken the iris-based authentication in Samsung’s Galaxy S8 smartphone in an easy-to-execute attack that’s at odds with the manufacturer’s claim that the mechanism is “one of the safest ways to keep your phone locked.”

The cost of the hack is less than the $725 price for an unlocked Galaxy S8 phone, hackers with the Chaos Computer Club in Germany said Tuesday. All that was required was a digital camera, a laser printer (ironically, models made by Samsung provided the best results), and a contact lens. The hack required taking a picture of the subject’s face, printing it on paper, superimposing the contact lens, and holding the image in front of the locked Galaxy S8. The photo need not be a close up, although using night-shot mode or removing the infrared filter helps. The hackers provided a video demonstration of the bypass.

As they did in the previous facial recognition flaw post referenced above, some will, at this point, be diving for their keyboards to point out that this type of security isn’t really designed to make a device impermeable. Rather, it’s to keep easy break-ins from occurring. And, hey, that’s true! Good job, you guys! The problem here isn’t that Samsung’s security tech failed to be 100% effective. It’s that it’s barely effective, yet at the same time Samsung is pitching it as the end of phone break-ins. I’m not the one making wild claims here; they are.

And this tech is going to be rolled out in a big way, likely pitched to the public in the same manner.

“Iris recognition is the next big thing with mobile devices,” Starbug wrote in an e-mail. “The technology, especially with the packed space and low computing power of mobile devices, is hard to make hack proof. You can’t hide your iris, and it’s even worse than fingerprints.” At the same time, “mobile devices are holding more and more sensitive data.”

Advertising this iris security as “airtight” is actively misleading the public on the security of a device becoming all the more important and one on which the public is more often storing sensitive information. For a company like Samsung to be so vociferous in its claims in light of this easy workaround ought to result in a ding to its credibility.

For biometrics generally, a good pin number is probably still your best bet. The tech may improve to the point of being the most effective option some day, but we’re not there yet.

Filed Under: , , ,
Companies: samsung

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Samsung's 'Airtight' Iris Scanning Technology For The S8 Defeated With A Camera, Printer, And Contact Lens”

Subscribe: RSS Leave a comment
44 Comments
Anonymous Anonymous Cowardsays:

Bio-metrics

Ever since I heard about bio-metrics (long ago and far away), I was concerned that once my fingerprint, iris, or whatever was digitized all a bad person, or a person who is supposedly good (government lackey) had to do was copy those digits.

As many others have said, bio-metrics make sense as an ID or user name, not for a password. Even then, someone else spoofing my ‘digits’ to impersonate me is not a good thing.

Anonymoussays:

From the last two decades’ DRM wars to the recent CIA&NSA malware leaks, it should be obvious that every electronic “security” feature ever conceived can and will be broken, in many cases with the simplest of tools and methods.

Yet as always the hype will continue, as every new development (in a never ending chain) in “security” gets touted as the absolute final solution … until it’s obviously not.

Anonymoussays:

Technical question about phone security

Personally, I think you’re being a little hard on Samsung. But that is just my opinion. My technical question is: no one actually encrypts the raw data on a phone, right? If they did, then you could not easily and rapidly change the password, because the encrypted data would have to be rewritten. So, why is not obvious to the casual observer that just copying and analyzing the raw data on the internal flash will “break” all the security on a phone, just as it would on Windows or pretty much any other OS? There is no “encryption at rest” on phones, right? There must be some reason this is not trivially easy to break into, basically the equivalent of booting a Windows machine on another disk and then poking around on the original boot drive. Any phone data storage experts out there?

Anonymoussays:

Re: Technical question about phone security

Personally, I think you’re being a little hard on Samsung.

I’d say not hard enough, considering they’re being dishonest.

My technical question is: no one actually encrypts the raw data on a phone, right? If they did, then you could not easily and rapidly change the password, because the encrypted data would have to be rewritten.

Not true. Are you dishonest, like Samsung, or just ignorant?

Anonymoussays:

Re: Re: Technical question about phone security

Well, gosh, your questions are kind of a mirror into your inner world, aren’t they? I express an opinion, ask a question, and I am either dishonest or ignorant (probably both). Are those my only choices? Maybe it was an honest question. I’ve never actually encrypted a phone, never had a need to.

Regarding Samsung, how are they different from every other company that is trying to peddle their product? Look at your own TechDirt products that you peddle. Likely their benefits are overblown a little, right? I have no idea why your expectation of Samsung would be higher than everyone else, is yours a paid opinion? Or do you have a particular ax to grind?

Ben Ssays:

Re: Re: Re: Technical question about phone security

Can’t say for every implementation, but usually there’s an encrypted decryption key on a keyring. Change your password, and the encrypted key gets rewritten, but that’s it. This makes changing your password a fairly simple thing, update the file/database entry for your password, and rewrite the decryption key to be encrypted (and decrypted) with your password.

Aaron Walkhousesays:

When you change a password it adds a key without immediately
deleting the old one. ?? New data is encrypted to the new key
and old data is slowly converted in the background. ??

Once all the data is updated the old key is deleted. ??

The whole process is not so slow or inefficient that it
drains your battery before completion.

Someone asdfsays:

Re:

This is wrong, and shows a basic misunderstanding about how encryption works (especially Public-Private key pairs).

What most OSes do when encrypting is that it generates a key. This key does not normally change and is transparent to the user. The password you use encrypts this key and only this key. This way, you can grant other users access to your files (and the system / root user) in a multiuser system without giving or remembering your password.

When you change a password, it simply decrypts the key, and re-encrpyts it. Only the new encrypted key is written to the hard drive – nothing else needs to be changed.

With your method, you need to write the old password/key down somewhere should the system be restarted during the rewrite — this leaves a MASSIVE security issue as a full drive rewrite of 100s of GB will take at least 30-60 minutes.

Anonymoussays:

Re: Re: Re: Technical question about phone security

Well, gosh, you made a false statement of fact when you wrote "If they did, then you could not easily and rapidly change the password, because the encrypted data would have to be rewritten." Considering your defense of Samsung’s dishonesty, I’m guessing you were possibly being both dishonest and ignorant.

Anonymoussays:

Re: Re: Re: Re: Technical question about phone security

No, nothing was false, I was stating the obvious. When you encrypt data with a key, the data then requires THAT KEY to be decrypted. If you change the key, the old encrypted data needs to be read, and the new encrypted data, produced with the new key, needs to be written. That is what I meant about “the encrypted data would have to be rewritten”. Hello? Are you with me?

William Braunfeldsays:

Re: Re: Re: Re: Re: Re: Technical question about phone security

Dude. Deep breaths. You are not helping anyone by being this hostile.
Ignorant should not be an insult, and someone asking questions is not being WILLFULLY ignorant. Being polite and respectful in correcting them goes a long way.
Also, opinions are opinions. You can disagree with them without calling the other person a liar. Yes, he was mistaken on this; insulting people when they ask for clarification is only going to make them mistaken and stubborn about it.

Alasdair Foxsays:

Re: Re: Re: Re: Re: Re: Technical question about phone security

Perhaps a better approach might be to inform and educate the other person as to why they were being ‘ignorant’. This would then have the effect of removing the alleged ignorance, while also enlightening other readers, who may also be ‘ignorant’.

This would also have the added bonus of making you look less like:
a) a person who is also ignorant, but wants to appear not to be so.

b) a person who wants others to remain ignorant, so that they can be smugly superior to others who have a perceived lesser knowledge of the subject.

c) an inflammatory trolling asshole.

d) any or all of the above.

Someone asdfsays:

Re: Re: Technical question about phone security

So which products do you use?

You better not have an idevice, as their lawyers literally say that their advertising is bullshit and you shouldn’t believe anything they say.

Google “No reasonable person would believe our advertisements”. It’ll autocomplete with the full sentence about halfway typing that.

Mark Murphysays:

Re: Technical question about phone security

There is no "encryption at rest" on phones, right?

Yes, there is.

Android devices have offered full-disk encryption since Android 4.2 or thereabouts, though the implementation prior to Android 5.0 sucked. Full-disk encryption is opt-out starting with Android 7.0, meaning that Android devices are encrypted unless the user takes steps to disable that.

I forget the state of iOS, as that’s not my area of expertise, but I am under the impression that full-disk encryption is the norm on newer versions of iOS.

William Braunfeldsays:

Re: Re: Re: Technical question about phone security

To be fair, that’s kind of a nonsense comparison. It’d make more sense to compare a phone to a computer, not a dosc drive; the programs on the phone encrypt the data, as does a standing-encryption program on a computer. A disc drive is only part of a computer, just as memory is only part of a phone.

Dunno if that made sense, but I tried XD

K`Tetchsays:

facial recognition flaws

I tried facial recognition for a time, as a test, on a samsung tablet.

You know why I stopped? It’s because my daughter unlocked it.

Sure, people say ‘looks like you just spit her out’, but I’m a man in my mid-30s with a beard, she was a pre-pubescent girl of 9 with long hair.

It’s like samsung wasn’t even trying.

Eldakkasays:

Re: Re: facial recognition flaws

Because since all the advertising for the product and paid product placement touts how good all that security is, you don’t know until after you’ve already purchased it that there are issues.

And, depending on how ‘into’ phones you are, setting up a new phone – especially if changing manufacturer as well – can be a large effort. So if you discover these flaws in a $700+ phone after you’ve spent a couple weeks faffing about with it to set it up just right, well, I can understand not wanting to replace it (assuming you can get some sort of decent warranty/exchange) outside a normal (1-3 years depending on the person) upgrade cycle.

Someone asdfsays:

Re: Re: Re: facial recognition flaws

The library near me has a 3d printer that anyone can use.

This renders all fingerprint scanners vulnerable and I don’t even have to pay a cent!

Tell me which company has a disclaimer on their website that it’s not secure.

Also, Samsung never said Facial Recognition was secure — setting it up actually warns you that it isn’t.

The warning is somewhat overblown and it’s actually safer than fingerprints. Fingers prints you leave everywhere, especially on the surface of the phone. As a malicious attacker, I have everything I need just by stealing the phone.

Iris scanner? Requires a good picture with a decent camera. If they don’t take a good picture, they’re screwed as you’re gone.

Airtight? Maybe not, and should be correected. However, other companies seem to get a free pass for their marketing…

K`Tetchsays:

Re: Re: facial recognition flaws

Well, You might have money to throw around on products, hundreds of dollars every few weeks when something happens.
I don’t (I have teenagers)

I never expected it to be the most reliable, but when a completely different person can unlock it, the facial recognition was not fit for purpose.

I still use the tablet, but only with the passcode (which unlike my face, fingerprint or iris, requires the product of my mind, and not my body (‘the coma standard’)

Not an Electronic Rodentsays:

Big helping of "Nope!"

For biometrics generally, a good pin number is probably still your best bet. The tech may improve to the point of being the most effective option some day, but we’re not there yet.

There’s a fundamental flaw in using biometrics for security that doesn’t seem to get talked about as much as the breakability, and I can’t see how it would ever be overcome (Except in part by the sensible current practice of using the biometric as part of security not the whole):

The flaw is in the "trusted ID". E.g. for a credit card, the "trusted" part of the ID – the thing that makes it worth your money – is the 16-digit number on the front. If the number is compromised by fraud, it’s rendered invalid, they issue you a new one and, "hey, presto!", trusted again.

If your biometric is your security and it’s compromised, how can it (i.e. you) ever be re-trusted? And if an "unbreakable" biometric security method is developed that seems to stand up comes along, well that just means it will be used for more and more secure and valuable things making it worth putting more money into trying to crack it until it inevitably is.

Nope, think I’ll stick with the PIN.

DarkKnightsays:

Both a fingerprint reader and iris scanner are less effective than a pin code. Someone (or a couple of people) can force you to open your eyes, look at the phone, and that iris scanner will unlock it, or place your finger on the figure print reader and unlock it. If the wrong pin code is typed in enough times, the phone could be wiped, so I’ll be sticking with a pin code and avoiding fingerprint readers and iris scanners. No thanks.

K`Tetchsays:

facial recognition flaws

I tried facial recognition for a time, as a test, on a samsung tablet.

You know why I stopped? It’s because my daughter unlocked it.

Sure, people say ‘looks like you just spit her out’, but I’m a man in my mid-30s with a beard, she was a pre-pubescent girl of 9 with long hair.

It’s like samsung wasn’t even trying.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop ┬╗

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...
Older Stuff
13:40 It's Great That Winnie The Pooh Is In The Public Domain; But He Should Have Been Free In 1982 (Or Earlier) (35)
12:06 Norton 360 Now Comes With Crypto Mining Capabilities And Sketchy Removal Process (28)
10:45 Chinese Government Dragnet Now Folding In American Social Media Platforms To Silence Dissent (14)
10:40 Daily Deal: The 2022 Ultimate Cybersecurity Analyst Preparation Bundle (0)
09:29 A Fight Between Facebook And The British Medical Journal Highlights The Difficulty Of Moderating 'Medical Misinformation' (9)
06:29 Court Ruling Paves The Way For Better, More Reliable Wi-Fi (4)
20:12 Eighth Circuit (Again) Says There's Nothing Wrong With Detaining Innocent Minors At Gunpoint (15)
15:48 China's Regulatory War On Its Gaming Industry Racks Up 14k Casualties (10)
13:31 Chinese Government Fines Local Car Dealerships For Surveilling While Not Being The Government (5)
12:08 Eric Clapton Pretends To Regret The Decision To Sue Random German Woman Who Listed A Bootleg Of One Of His CDs On Ebay (29)
10:44 ICE Is So Toxic That The DHS's Investigative Wing Is Asking To Be Completely Separated From It (29)
10:39 Daily Deal: The 2022 Complete Raspberry Pi And Arduino Developer Bundle (0)
09:31 Google Blocked An Article About Police From The Intercept... Because The Title Included A Phrase That Was Also A Movie Title (24)
06:22 Wireless Carriers Balk At FAA Demand For 5G Deployment Delays Amid Shaky Safety Concerns (16)
19:53 Tenth Circuit Denies Qualified Immunity To Social Worker Who Fabricated A Mother's Confession Of Child Abuse (35)
15:39 Sci-Hub's Creator Thinks Academic Publishers, Not Her Site, Are The Real Threat To Science, And Says: 'Any Law Against Knowledge Is Fundamentally Unjust' (34)
13:32 Federal Court Tells Proud Boys Defendants That Raiding The Capitol Building Isn't Covered By The First Amendment (25)
12:14 US Courts Realizing They Have A Judge Alan Albright Sized Problem In Waco (17)
10:44 Boston Police Department Used Forfeiture Funds To Hide Purchase Of Surveillance Tech From City Reps (16)
10:39 Daily Deal: The Ultimate Microsoft Excel Training Bundle (0)
09:20 NY Senator Proposes Ridiculously Unconstitutional Social Media Law That Is The Mirror Opposite Of Equally Unconstitutional Laws In Florida & Texas (25)
06:12 Telecom Monopolies Are Exploiting Crappy U.S. Broadband Maps To Block Community Broadband Grant Requests (7)
12:00 Funniest/Most Insightful Comments Of 2021 At Techdirt (17)
10:00 Gaming Like It's 1926: Join The Fourth Annual Public Domain Game Jam (6)
09:00 New Year's Message: The Arc Of The Moral Universe Is A Twisty Path (33)
19:39 DHS, ICE Begin Body Camera Pilot Program With Surprisingly Good Policies In Place (7)
15:29 Remembering Techdirt Contributors Sherwin And Elliot (1)
13:32 DC Metro PD's Powerful Review Panel Keeps Giving Bad Cops Their Jobs Back (6)
12:11 Missouri Governor Still Expects Journalists To Be Prosecuted For Showing How His Admin Leaked Teacher Social Security Numbers (39)
10:48 Oversight Board Overturning Instagram Takedown Of Ayahuasca Post Demonstrates The Impossibility Of Content Moderation (10)
More arrow
This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it