Samsung's 'Airtight' Iris Scanning Technology For The S8 Defeated With A Camera, Printer, And Contact Lens

from the a-new-theatre-for-security dept

The thing about biometric scanning as a security practice is that it is one of those things that sounds great. “Lock your phone with your fingerprint or facial scan”, shout the manufacturers and security companies that came up with the scans. Well, shit, thinks the average person, if nobody else has my face I’m in the clear. Even when movies and television tackle the subject, the methods for breaking the biometric security typically involve convoluted plans and insane stunts so brazen they would make Danny Ocean’s jaw drop.

The problem is that the hype around this tech is typically more effective than the tech itself. Fingerprint scanners are easily fooled and facial recognition software has been shown to be defeatable by, and I swear this is true, printouts of a person’s face. That isn’t security, it’s a punchline. So, when Samsung and its security partner decide to pimp the iris-scanning security feature of the Galaxy S8 with language like “airtight” and suggestions that owners of the phone can “finally trust that their phones are protected”, one would expect those claims to be backed up by strong technology.

It isn’t.

Hackers have broken the iris-based authentication in Samsung’s Galaxy S8 smartphone in an easy-to-execute attack that’s at odds with the manufacturer’s claim that the mechanism is “one of the safest ways to keep your phone locked.”

The cost of the hack is less than the $725 price for an unlocked Galaxy S8 phone, hackers with the Chaos Computer Club in Germany said Tuesday. All that was required was a digital camera, a laser printer (ironically, models made by Samsung provided the best results), and a contact lens. The hack required taking a picture of the subject’s face, printing it on paper, superimposing the contact lens, and holding the image in front of the locked Galaxy S8. The photo need not be a close up, although using night-shot mode or removing the infrared filter helps. The hackers provided a video demonstration of the bypass.

As they did on the facial recognition post referenced above, some will, at this point, be diving for their keyboards to point out that this type of security isn’t really designed to make a device impermeable. Rather, it’s to keep casual break-ins from occurring. And, hey, that’s true! Good job, you guys! The problem here isn’t that Samsung’s security tech failed to be 100% effective. It’s that it’s barely effective, yet at the same time Samsung is pitching it as the end of phone break-ins. I’m not the one making wild claims here; they are.

And this tech is going to be rolled out in a big way, likely pitched to the public in the same manner.

“Iris recognition is the next big thing with mobile devices,” Starbug wrote in an e-mail. “The technology, especially with the packed space and low computing power of mobile devices, is hard to make hack proof. You can’t hide your iris, and it’s even worse than fingerprints.” At the same time, “mobile devices are holding more and more sensitive data.”

Advertising this iris security as “airtight” actively misleads the public about the security of a device that is becoming ever more important, and on which people are storing ever more sensitive information. For a company like Samsung to be so vociferous in its claims, in light of this easy workaround, ought to result in a ding to its credibility.

Compared to biometrics generally, a good PIN is probably still your best bet. The tech may improve to the point of being the most effective option some day, but we’re not there yet.

Companies: samsung


Comments on “Samsung's 'Airtight' Iris Scanning Technology For The S8 Defeated With A Camera, Printer, And Contact Lens”

44 Comments
Anonymous Anonymous Coward (profile) says:

Bio-metrics

Ever since I heard about bio-metrics (long ago and far away), I was concerned that once my fingerprint, iris, or whatever was digitized all a bad person, or a person who is supposedly good (government lackey) had to do was copy those digits.

As many others have said, bio-metrics make sense as an ID or user name, not for a password. Even then, someone else spoofing my ‘digits’ to impersonate me is not a good thing.

Anonymous Coward says:

From the last two decades’ DRM wars to the recent CIA&NSA malware leaks, it should be obvious that every electronic “security” feature ever conceived can and will be broken, in many cases with the simplest of tools and methods.

Yet as always the hype will continue, as every new development (in a never ending chain) in “security” gets touted as the absolute final solution … until it’s obviously not.

Anonymous Coward says:

Technical question about phone security

Personally, I think you’re being a little hard on Samsung. But that is just my opinion. My technical question is: no one actually encrypts the raw data on a phone, right? If they did, then you could not easily and rapidly change the password, because the encrypted data would have to be rewritten. So, why is not obvious to the casual observer that just copying and analyzing the raw data on the internal flash will “break” all the security on a phone, just as it would on Windows or pretty much any other OS? There is no “encryption at rest” on phones, right? There must be some reason this is not trivially easy to break into, basically the equivalent of booting a Windows machine on another disk and then poking around on the original boot drive. Any phone data storage experts out there?

Anonymous Coward says:

Re: Technical question about phone security

Personally, I think you’re being a little hard on Samsung.

I’d say not hard enough, considering they’re being dishonest.

My technical question is: no one actually encrypts the raw data on a phone, right? If they did, then you could not easily and rapidly change the password, because the encrypted data would have to be rewritten.

Not true. Are you dishonest, like Samsung, or just ignorant?

Anonymous Coward says:

Re: Re: Technical question about phone security

Well, gosh, your questions are kind of a mirror into your inner world, aren’t they? I express an opinion, ask a question, and I am either dishonest or ignorant (probably both). Are those my only choices? Maybe it was an honest question. I’ve never actually encrypted a phone, never had a need to.

Regarding Samsung, how are they different from every other company that is trying to peddle their product? Look at your own TechDirt products that you peddle. Likely their benefits are overblown a little, right? I have no idea why your expectation of Samsung would be higher than everyone else, is yours a paid opinion? Or do you have a particular ax to grind?

Ben S (profile) says:

Re: Re: Re: Technical question about phone security

Can’t say for every implementation, but usually there’s an encrypted decryption key on a keyring. Change your password, and the encrypted key gets rewritten, but that’s it. This makes changing your password a fairly simple thing, update the file/database entry for your password, and rewrite the decryption key to be encrypted (and decrypted) with your password.

Aaron Walkhouse (profile) says:

Re: Re: Re:3

When you change a password it adds a key without immediately deleting the old one. New data is encrypted to the new key and old data is slowly converted in the background.

Once all the data is updated the old key is deleted.

The whole process is not so slow or inefficient that it drains your battery before completion.

Someone asdf (profile) says:

Re: Re: Re:4 Re:

This is wrong, and shows a basic misunderstanding about how encryption works (especially Public-Private key pairs).

What most OSes do when encrypting is that it generates a key. This key does not normally change and is transparent to the user. The password you use encrypts this key and only this key. This way, you can grant other users access to your files (and the system / root user) in a multiuser system without giving or remembering your password.

When you change a password, it simply decrypts the key, and re-encrypts it. Only the new encrypted key is written to the hard drive – nothing else needs to be changed.

With your method, you need to write the old password/key down somewhere should the system be restarted during the rewrite — this leaves a MASSIVE security issue as a full drive rewrite of 100s of GB will take at least 30-60 minutes.
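
The key-wrapping scheme Ben S and Someone asdf describe above, as an added worked example (not code from this page, from Samsung, or from Android, whose real implementation differs in detail): a random data-encryption key (DEK) seals the storage, a password-derived key-encryption key (KEK) seals only the DEK, and a password change re-wraps the 32-byte DEK while the bulk ciphertext stays exactly as it was. Python's standard library has no AES, so the cipher here is a stand-in (an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag); a real system would use AES-GCM or the platform's own cipher. The PBKDF2 iteration count, the nonce and tag sizes, and the sample plaintext are all assumptions chosen for the illustration.

```python
"""Envelope encryption: a password change re-wraps the DEK, never the data.

Added illustration of the wrapped-key scheme discussed in the thread; it is
not Samsung's, Android's or any vendor's code. The cipher is a stand-in
built from HMAC-SHA256 because the stdlib has no AES; the key-wrapping
structure, not the cipher, is the point.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

KDF_ITERATIONS = 100_000     # assumption: tune to the device's CPU budget
NONCE_LEN, TAG_LEN = 16, 32  # assumption: 128-bit nonce, full SHA-256 tag


def derive_kek(password: str, salt: bytes) -> bytes:
    """Password + salt -> 32-byte key-encryption key (KEK)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


def _subkeys(key: bytes) -> tuple:
    """Domain-separate one 32-byte key into an encryption key and a MAC key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key (wrong password) fails here."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password or corrupted data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class Volume:
    salt: bytes          # salt for the password KDF
    wrapped_dek: bytes   # DEK sealed under the password-derived KEK
    data: bytes          # user data sealed under the DEK; untouched by a password change


def create_volume(password: str, plaintext: bytes) -> Volume:
    dek = os.urandom(32)  # random and independent of the password
    salt = os.urandom(16)
    kek = derive_kek(password, salt)
    return Volume(salt, seal(kek, dek), seal(dek, plaintext))


def unlock(vol: Volume, password: str) -> bytes:
    dek = unseal(derive_kek(password, vol.salt), vol.wrapped_dek)
    return unseal(dek, vol.data)


def change_password(vol: Volume, old: str, new: str) -> Volume:
    """Only the 32-byte DEK is re-wrapped; the bulk ciphertext is reused as-is."""
    dek = unseal(derive_kek(old, vol.salt), vol.wrapped_dek)
    salt = os.urandom(16)
    return Volume(salt, seal(derive_kek(new, salt), dek), vol.data)


if __name__ == "__main__":
    # constructed sample data, not from any real device
    vol = create_volume("1234", b"constructed sample: contacts, photos, tokens")
    vol = change_password(vol, "1234", "correct horse battery")
    print(unlock(vol, "correct horse battery"))
```

The flip side of this design is worth knowing: because the password change never touches the DEK, a DEK that has leaked (for example, read out of memory on an unlocked device) stays valid under the new password too, and only a full re-encryption with a fresh DEK revokes it.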

Anonymous Coward says:

Re: Re: Re: Technical question about phone security

Well, gosh, you made a false statement of fact when you wrote "If they did, then you could not easily and rapidly change the password, because the encrypted data would have to be rewritten." Considering your defense of Samsung’s dishonesty, I’m guessing you were possibly being both dishonest and ignorant.

Anonymous Coward says:

Re: Re: Re:2 Technical question about phone security

No, nothing was false, I was stating the obvious. When you encrypt data with a key, the data then requires THAT KEY to be decrypted. If you change the key, the old encrypted data needs to be read, and the new encrypted data, produced with the new key, needs to be written. That is what I meant about “the encrypted data would have to be rewritten”. Hello? Are you with me?

William Braunfeld (profile) says:

Re: Re: Re:4 Technical question about phone security

Dude. Deep breaths. You are not helping anyone by being this hostile.
Ignorant should not be an insult, and someone asking questions is not being WILLFULLY ignorant. Being polite and respectful in correcting them goes a long way.
Also, opinions are opinions. You can disagree with them without calling the other person a liar. Yes, he was mistaken on this; insulting people when they ask for clarification is only going to make them mistaken and stubborn about it.

Alasdair Fox (profile) says:

Re: Re: Re:4 Technical question about phone security

Perhaps a better approach might be to inform and educate the other person as to why they were being ‘ignorant’. This would then have the effect of removing the alleged ignorance, while also enlightening other readers, who may also be ‘ignorant’.

This would also have the added bonus of making you look less like:
a) a person who is also ignorant, but wants to appear not to be so.

b) a person who wants others to remain ignorant, so that they can be smugly superior to others who have a perceived lesser knowledge of the subject.

c) an inflammatory trolling asshole.

d) any or all of the above.

Someone asdf (profile) says:

Re: Re: Technical question about phone security

So which products do you use?

You better not have an idevice, as their lawyers literally say that their advertising is bullshit and you shouldn’t believe anything they say.

Google “No reasonable person would believe our advertisements”. It’ll autocomplete with the full sentence about halfway typing that.

Mark Murphy (profile) says:

Re: Technical question about phone security

There is no "encryption at rest" on phones, right?

Yes, there is.

Android devices have offered full-disk encryption since Android 4.2 or thereabouts, though the implementation prior to Android 5.0 sucked. Full-disk encryption is opt-out starting with Android 7.0, meaning that Android devices are encrypted unless the user takes steps to disable that.

I forget the state of iOS, as that’s not my area of expertise, but I am under the impression that full-disk encryption is the norm on newer versions of iOS.

William Braunfeld (profile) says:

Re: Re: Re: Technical question about phone security

To be fair, that’s kind of a nonsense comparison. It’d make more sense to compare a phone to a computer, not a disc drive; the programs on the phone encrypt the data, as does a standing-encryption program on a computer. A disc drive is only part of a computer, just as memory is only part of a phone.

Dunno if that made sense, but I tried XD

K`Tetch (profile) says:

facial recognition flaws

I tried facial recognition for a time, as a test, on a samsung tablet.

You know why I stopped? It’s because my daughter unlocked it.

Sure, people say ‘looks like you just spit her out’, but I’m a man in my mid-30s with a beard, she was a pre-pubescent girl of 9 with long hair.

It’s like samsung wasn’t even trying.

Eldakka (profile) says:

Re: Re: facial recognition flaws

Because since all the advertising for the product and paid product placement touts how good all that security is, you don’t know until after you’ve already purchased it that there are issues.

And, depending on how ‘into’ phones you are, setting up a new phone – especially if changing manufacturer as well – can be a large effort. So if you discover these flaws in a $700+ phone after you’ve spent a couple weeks faffing about with it to set it up just right, well, I can understand not wanting to replace it (assuming you can get some sort of decent warranty/exchange) outside a normal (1-3 years depending on the person) upgrade cycle.

Someone asdf (profile) says:

Re: Re: Re: facial recognition flaws

The library near me has a 3d printer that anyone can use.

This renders all fingerprint scanners vulnerable and I don’t even have to pay a cent!

Tell me which company has a disclaimer on their website that it’s not secure.

Also, Samsung never said Facial Recognition was secure — setting it up actually warns you that it isn’t.

The warning is somewhat overblown and it’s actually safer than fingerprints. Fingers prints you leave everywhere, especially on the surface of the phone. As a malicious attacker, I have everything I need just by stealing the phone.

Iris scanner? Requires a good picture with a decent camera. If they don’t take a good picture, they’re screwed as you’re gone.

Airtight? Maybe not, and should be corrected. However, other companies seem to get a free pass for their marketing…

K`Tetch (profile) says:

Re: Re: facial recognition flaws

Well, You might have money to throw around on products, hundreds of dollars every few weeks when something happens.
I don’t (I have teenagers)

I never expected it to be the most reliable, but when a completely different person can unlock it, the facial recognition was not fit for purpose.

I still use the tablet, but only with the passcode (which, unlike my face, fingerprint or iris, requires the product of my mind, and not my body (‘the coma standard’)).

Not an Electronic Rodent (profile) says:

Big helping of "Nope!"

For biometrics generally, a good pin number is probably still your best bet. The tech may improve to the point of being the most effective option some day, but we’re not there yet.

There’s a fundamental flaw in using biometrics for security that doesn’t seem to get talked about as much as the breakability, and I can’t see how it would ever be overcome (Except in part by the sensible current practice of using the biometric as part of security not the whole):

The flaw is in the "trusted ID". E.g. for a credit card, the "trusted" part of the ID – the thing that makes it worth your money – is the 16-digit number on the front. If the number is compromised by fraud, it’s rendered invalid, they issue you a new one and, "hey, presto!", trusted again.

If your biometric is your security and it’s compromised, how can it (i.e. you) ever be re-trusted? And if an "unbreakable" biometric security method is developed that seems to stand up comes along, well that just means it will be used for more and more secure and valuable things making it worth putting more money into trying to crack it until it inevitably is.

Nope, think I’ll stick with the PIN.

DarkKnight (profile) says:

Both a fingerprint reader and iris scanner are less effective than a pin code. Someone (or a couple of people) can force you to open your eyes, look at the phone, and that iris scanner will unlock it, or place your finger on the figure print reader and unlock it. If the wrong pin code is typed in enough times, the phone could be wiped, so I’ll be sticking with a pin code and avoiding fingerprint readers and iris scanners. No thanks.
