The latest evidence comes from a project done by hackers from Germany’s Chaos Computer Club who were able to fool the iris-recognition system on a new Samsung Galaxy S8 phone using a printed photo.
The Galaxy S8 is Samsung’s new flagship Android phone and it includes several different methods with which users can unlock it. In addition to the normal PIN passcode, users also can unlock the phone with their fingerprints, iris scans, or facial scans. In order to use one of the biometric options, the user needs to enroll her fingerprint, iris, or face scan in the device. After doing so, the user no longer needs to use her PIN or a gesture to unlock the phone and can simply raise it and use the biometric that’s enrolled.
In the experiment done by the CCC, one man used a point-and-shoot digital camera to take a photo of his friend’s eye from a few feet away. They used the night shooting mode on the camera in order to capture the details of the iris and then printed the picture on a laser printer. The hacker whose eyes were photographed then enrolled his iris scans on the Galaxy S8. For the final step they took a normal contact lens and placed it on the printed picture of the iris, which simulates the curvature of an eyeball. He then held the picture up to the phone’s camera and unlocked the device.
For someone who knows the technique, it would all take about five minutes. Ten if you had to walk a long way to the printer. But there are a couple of caveats, too. In order to execute the attack, you would need physical possession of a victim’s phone, which is generally considered game over for victims anyway. If an attacker has your phone in his hands, you have serious problems. Also, the attacker would need a way to take a high-quality photo of the victim’s eyes, presumably on the sly. That may not be easy, but it’s not impossible either, given the fact that everyone is taking a picture of something in public at all times these days.
Device manufacturers have been adding biometric security measures to their phones, tablets, and laptops for a long time, with varying degrees of success. Some of the early fingerprint readers on laptops were, shall we say, sub-optimal. But when Apple introduced its Touch ID fingerprint sensor in 2013, things turned a corner. Touch ID generally just works, and even though researchers have found ways to bypass it as well – including with a photo of a fingerprint – it has proven to be a secure, useful addition to the iPhone.
Although biometrics have advanced quite a bit in the last few years, there are still plenty of limitations, as the CCC research shows.
“The security risk to the user from iris recognition is even bigger than with fingerprints as we expose our irises a lot. Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris,” Dirk Engling of the CCC said.
There is a long, long, long history of vendors rushing headlong into the warm embrace of shiny new technologies without considering the security implications. See: Wi-Fi. See also: mobile phones. See also, also: IoT. While biometrics are by no means new, they also aren’t perfect. There are plenty of kinks that still need to be worked out and it’s up to the vendors to ensure that happens before putting them into the hands of users.