Hacker beats Galaxy S8 iris scanner using an IR image and a contact lens


Based on name alone, the futuristic iris-scanning feature on the Galaxy S8 sounds like it would be the most secure way to lock your phone. Hacker Jan Krissler, who goes by the name Starbug, shows in a recent video that, despite the impressive technology involved in unlocking your phone with your eyes, the security system can be beaten with a relatively low-tech hack.

As the video shows, Starbug is able to take an infrared picture of a person’s face using the night mode setting on a regular point-and-shoot camera. He prints it out on an ordinary laser printer and places a contact lens over the image to give it the appearance of an actual human eye, which fools the camera. While it is a little more effort than, say, circumventing the S8’s facial recognition with a picture, the hack is certainly simple enough for the average person to do on their own.

It’s also not Starbug’s first impressive hack of this nature. In the past, he’s re-created the fingerprint of Germany’s defense minister Ursula von der Leyen using pictures of her fingers, and was one of the first to bypass Apple’s TouchID with fake fingerprints just days after it launched.

It’s a good reminder that while phones like the Samsung Galaxy S8 offer numerous ways to secure your phone — a traditional passcode, a swipe pattern, a fingerprint scan, facial recognition, and more — even the most secure biometric locks can eventually be broken by a determined hacker.


As long as it can accurately differentiate between one person’s iris vs another’s, I think it’s good enough for day to day security. But if you have any security concerns beyond the average joe, a long password is the way to go.

I love the theological discussion around biometric security b/c even us humans don’t have a good grasp on the concept of "who am I and how can I prove it?" If someone else has every biological feature of "mine" – who’s to say it’s not "me"?

Ummm, DNA? I mean not in a sense that it can be used for unlocking phones, but as an answer to your question … It’s the safest way to prove someone’s identity.

Except that we leave DNA lying around everywhere we go.

Every biometric security measure can be defeated. Fingerprints have fallen, face scanning has fallen and now iris scanning has fallen. Our only hope is anus scanning which I hear Samsung is working on.

I guess that depends what your goals are?

Are you trying to protect ultra sensitive information or keep your info away from somebody nosey just snooping from your unattended phone?

Are you trying to protect your ass? Then the anal scanner may not be for you, as it gives criminals an easy backdoor entrance. It’s a gaping hole that Samsung needs to address.

Damn those puns

I’m glad that tech is finally coming to consumers, didn’t it start when NASA used it for the probe to Uranus?


Mobile biometrics are still in their infancy. A bit to go. But, forget that part! This stuff is not for general consumption for possible eye damage! They have a disclaimer on the phone (directly from their S8) that says:

"To protect your eyes, keep the screen at least 8 inches away from your face when using iris recognition."


"Do not use iris recognition with infants. Doing so may damage their eyesight."

I don’t know about anyone else, but I won’t be using it for any reason, even if it was secure! How could they think this was a good idea, particularly after all the hits they’ve taken, from phones on fire to simple face rec and eye scan hacks?! This is serious.
