This story is over 5 years old.


Hackers Unlock Samsung Galaxy S8 With Fake Iris

Using a camera, a printer, and a contact lens, hackers managed to bypass the S8's iris scanner.

Biometric locks for phones are just getting more and more elaborate. Not content with fingerprints, some devices now offer facial recognition tech for accessing a device, and in the Samsung Galaxy S8's case, an iris scanner too.

Despite Samsung stating that a user's irises are pretty much impossible to copy, a team of hackers has done just that. Using a bare-bones selection of equipment, researchers from the Chaos Computer Club (CCC) show in a video how they managed to bypass the scanner's protections and unlock the device.


"We've had iris scanners that could be bypassed using a simple print-out," Linus Neumann, one of the hackers who appears in the video, told Motherboard in a Twitter direct message.

The process itself was apparently pretty simple. The hackers took a medium range photo of their subject with a digital camera's night mode, and printed the infrared image. Then, presumably to give the image some depth, the hackers placed a contact lens on top of the printed picture.

And, that's it. They're in.

"The patterns in your irises are unique to you and are virtually impossible to replicate, meaning iris authentication is one of the safest ways to keep your phone locked and the contents private," Samsung's website reads.

The research didn't take all that much time, either.

"About a day of experimenting until the idea came up do use a contact lens. Then, a little charade of printers until it turned out that the Samsung printer provided the most reliable prints," Neumann told Motherboard.

Neither Samsung or Princeton Identity, the company behind the iris scanner technology, immediately responded to a request for comment.

Read more: Why Smartphones Are Now Adding Iris Scanners

Of course, this isn't the first time CCC has dug into biometric locks for phones. In 2014, the security researcher known as starbug, who worked on this latest research, demonstrated how he obtained a target's fingerprints just from a standard photo camera. In March, iDeviceHelp managed to fool the Galaxy S8's facial recognition feature too.

There's always going to be a trade-off when it comes to unlocking phones: do users want the convenience of just picking up the device, and it opening up, or do they prefer having to manually enter a code? Whatever your preference, now you know an iris scanner isn't on the more secure side of that spectrum.

Subscribe to Science Solved It , Motherboard's new show about the greatest mysteries that were solved by science.