Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Encryption Security Technology

Hackers Unlock Samsung Galaxy S8 With Fake Iris (vice.com) 79

From a Motherboard report: Despite Samsung stating that a user's irises are pretty much impossible to copy, a team of hackers has done just that. Using a bare-bones selection of equipment, researchers from the Chaos Computer Club (CCC) show in a video how they managed to bypass the scanner's protections and unlock the device. "We've had iris scanners that could be bypassed using a simple print-out," Linus Neumann, one of the hackers who appears in the video. The process itself was apparently pretty simple. The hackers took a medium range photo of their subject with a digital camera's night mode, and printed the infrared image. Then, presumably to give the image some depth, the hackers placed a contact lens on top of the printed picture. And, that's it. They're in.
This discussion has been archived. No new comments can be posted.

Hackers Unlock Samsung Galaxy S8 With Fake Iris

Comments Filter:
  • I unlocked it by playing a Goo Goo Dolls track [youtube.com].

  • Let's see.. their last phone literally exploded, but this one is safe enough to point a laser at your eye?
  • If a device only check for one thing, in this case, iris pattern, the device cannot know if it is a real eye for sure. Validating the iris and fingerprint, or iris and voice recognition, or iris and DNA would already be more secure, but as I come up with these ideas, I always find a way these things can be fooled together. It just makes it more complicated to fool 2 sensors at a time, but absolutely not out of reach of 3 letters agencies. I think iris scan combined with voice and a plain old password would already be some sort of security.
    • by Sique ( 173459 ) on Tuesday May 23, 2017 @12:40PM (#54470875) Homepage
      The general problem is still unsolved. If your iris and your fingerprint id are broken, how do you replace them with new ones?

      That's the general problem with biometric identification. Once you can overcome the limits of the scan mechanism, and impersonate someone else, there is nothing the impersonated one can do to close the door again, until new scan mechanisms are in place which have to be fooled in a new manner.

      • The general problem is still unsolved. If your iris and your fingerprint id are broken, how do you replace them with new ones?

        This statement indicates that you erroneously believe that biometric authentication security (such as it is) is based on secrecy of the biometric patterns. This is not the case, and cannot be the case. Since the security (such as it is) does not derive from secrecy, rotation is useless and irrelevant. Your biometrics are public information; fingerprints are left everywhere and your iris structure can be extracted from any decent photograph. Given that, supposing you could rotate your biometrics, the new val

        • by Sique ( 173459 )
          This answer assumes errorneously that I would consider biometric information a secret.

          Quite the contrary! You can't replace your biometric patterns. They are an intergral part of yourself, and everyone with the means to do so can check them. That's why they are used to identify you. But if they can be forged, they don't identify you anymore, and there is nothing you can do about that. You can't get a new iris. You can't get new fingerprints. They are like a lock with a second set of keys you don't control

          • This answer assumes errorneously that I would consider biometric information a secret.

            Okay, working from the assumption that biometrics are public information, it's easy to see why rotation is irrelevant. The whole purpose of password rotation is that passwords provide security only if they are secret, and secrecy erodes over time. Rotation is how we fix loss of secrecy. But biometrics are not secret and therefore there would be no security benefit of rotation even if you could do it.

            Which means that rotation is a red herring.

            • by Sique ( 173459 )
              Any pair of key and lock which is compromitted should be replaced. You change your locks once someone broke in your home, or someone has a key you don't trust any longer. You change your password once you notice someone was in your account. But you can't change your biometrics. So what happens to the locks your biometrics were the key to?
              • Any pair of key and lock which is compromitted should be replaced. You change your locks once someone broke in your home, or someone has a key you don't trust any longer. You change your password once you notice someone was in your account. But you can't change your biometrics. So what happens to the locks your biometrics were the key to?

                Locks are a bad analogy, just like passwords. Locks also rely on secrecy, in this case on the secrecy of the shape of the key.

                Rather than trying to analogize, analyze the security of biometric systems directly, on their own basis. Assume that the biometric data is known to the attacker (this is the only reasonable assumption), and if rotation were feasible, that that attacker would also know the new data. Think about the contexts in which the system will be used, and the obstacles that the attacker must o

                • by Sique ( 173459 )
                  You constantly ignore the problem. I don't talk about secrecy. I don't talk about rotation.

                  I talk about that a compromised security system has to be replaced or to be repaired -- whatever the breach was.

                  But you can't neither replace nor repair your own biometrics. Once they are compromised, they stay compromised. Biometrics rely on the fact that they are unique to one person. Once they aren't unique anymore, they lose their security feature. They can't be used anymore to reliably identify the person who

                  • You constantly ignore the problem. I don't talk about secrecy. I don't talk about rotation.

                    I talk about that a compromised security system has to be replaced or to be repaired -- whatever the breach was.

                    But you can't neither replace nor repair your own biometrics. Once they are compromised, they stay compromised.

                    You're confusing the system with the data.

                    Okay, let's try this. Suppose I have two systems: my phone, and the nuclear weapons storage facility that I work at. The phone has a cheap scanner will accept anything that looks vaguely like my fingerprint. The nuclear weapons storage facility has a high-quality fingerprint scanner with such tight matching parameters that I must scrub my finger clean before attempting to scan it, and is overseen by an armed guard who checks that my finger is my finger, nothing mo

                    • Your nuclear weapons plant security is a pipe dream.

                      Have you ever worked in nuclear weapons security? I have. I have a very good idea of what is and is not practical in that context.

                      However, I will readily admit that I exaggerated both systems; I described a phone scanner that is considerably worse than real devices, and a nuclear weapons storage entry scanner that is probably stricter than what would really be implemented.

                    • The original complaint was that the system in and of itself is not a good security system due to it being useful for identification but NOT authentication, and any system that uses it for both, is easily and irrevocably broken.

                      No, the original complaint was that biometrics (in general, not this specific system) are insecure because you can't change your body parts. Read back up the thread.

                      Also, no system under discussion uses biometrics for both identification and authentication. I don't know what you're talking about.

                      You keep changing the circumstances to justify your argument. Now we're up to armed guard in a nuclear weapons facility as proof that a biometric authentication system is somehow "secure".

                      I was illustrating a highly secure implementation, to demonstrate that it's the system as a whole that matters.

                      Sorry but "put a big guy holding a gun next to it" doesn't fix the broken authentication mechanism, it just prevents others from trying to take advantage of the fact it's broken.

                      You missed the point. It's not the gun that matters, it's the scrutiny of the finger, which makes fool

      • by Trogre ( 513942 )

        This is another example why Something You Know authentication (a password) is much better than Something You Have (an eyeball, fingerprint or key) for unlocking digital devices.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Biometrics are really analogous to user names, not passwords. I really have no idea why they keep insisting that they are the next thing in security.

      • Biometrics are really analogous to user names, not passwords.

        They're neither. Usernames require uniqueness and exactness of matching that biometrics lack. Matching efficiency of biometrics is also absysmally low, compared to good usernames.

        Passwords require secrecy that biometrics lack.

        Biometrics simply do not fit into the username/password security model. Biometrics can provide useful security, depending on the context and the requirements, but they work differently. To work well, they also need to be paired with a username (like passwords do), so that you can t

    • That the difference between identification and authentication.

      You can ID people with iris,fingerprint,DNA.
      You cannot authenticate their intent that way. That's why we have PIN numbers and passwords.

      • You can ID people with iris,fingerprint,DNA.

        You can't, really.

        You can take a database of potential matches and narrow it down probabilistically using biometrics, but absolute identification cannot be achieved. There is no guarantee of uniqueness, and even if there were, the matching process is inherently fuzzy and imprecise, so even if two people absolutely have different fingerprints (or whatever), it may still be that their prints are similar enough that the matching process decides they're the same.

        You cannot authenticate their intent that way. That's why we have PIN numbers and passwords.

        In general, you can't authenticate intent with

      • Nope.

        Identification - Who you claim to be.
        Authentication - Proving you are who you claim to be.
        Authorization - What you are allowed to do.

        It's so fucking simple, yet you fucking retards keep trying to shit it up by chipping away at the authentication piece and relying more on the identification piece.

        • Can you give examples of how you'd do Authentication vs. Authorization.

          I can't see Authorization being done as a "logging-in" type of action.

          I see Authorization as the WAY the account is set up (e.g. file Permissions, etc.)

          • That's it exactly what it is. It's what you are allowed to do. It is enforced by the authority that authenticates you or the systems that trust that authority.

    • by sjames ( 1099 )

      Fingerprint scanners can be fooled fairly easily. Two easy to fool things may discourage casual access, but it's hardly TLA type stuff. It's well within the reach of crazy ex or business rival.

      • Fingerprint scanners can be fooled fairly easily. Two easy to fool things may discourage casual access, but it's hardly TLA type stuff. It's well within the reach of crazy ex or business rival.

        In general, if TLA security is your goal, you have two realistic options: (1) Hide among the masses or (2) give up. It's a certainty that no consumer-level device will keep you secure if you're being targeted by a nation-state.

        With respect to fingerprint, etc., scanners in phones, just keep in mind that biometric authentication is strictly weaker security than a PIN[1] and you're good.

        [1] "Weaker than a PIN" is an approximation. Whether or not it's true depends on who the attacker is. If the attacker is a

    • Building on what you said, biometrics are generally safe to use for identification (i.e. I'm referring to X person), not authentication (i.e. I am X person). In much the same way that many of us here are identifiable by unique usernames that everyone else can see, biometrics are merely pieces of information that (mostly) uniquely identify each of us, but we should not assume that they will remain private or secure.

      If you're dealing with a secure system, you shouldn't be treating biometrics as anything more

    • The real problem here is not two-factor yadda yadda, it's that this is implemented on a sub-$1000 phone . The device itself and almost certainly whatever algorithms they are using cannot possibly be as rigorous as, say, the biometrics used to access the anthrax lab or the room President Trump keeps his Russian cypher equipment in.

  • I am so happy! According to Hollywood, hacking into an iris-scan protected phone means ripping out somebody's eyeball. https://www.youtube.com/watch?... [youtube.com]

    I'm glad to hear you can do it with a camera instead.

    • I am so happy! According to Hollywood, hacking into an iris-scan protected phone means ripping out somebody's eyeball. https://www.youtube.com/watch [youtube.com]?... I'm glad to hear you can do it with a camera instead.

      Except do you think some street thug who wants to get into you phone that badly is going to carry a camera, printer and contact lens? Realistically, they'll probably punch most people once and they'll be happy to unlock the phone to avoid being hit again. Failing that, it's probably simpler to just knock the owner out and scan their eye to unlock the phone while they're unconscious.

      • Obvious problem with that. Does the scanner work if you have a black eye?

        • Obvious problem with that. Does the scanner work if you have a black eye?

          Yes, as long as it's not swollen to the point it can't be pried open. Besides, there are many other places to hit someone other than the eye. And I believe it or not, most people have two eyes.

    • Sure but where is the fun in that.
  • Iris (or retina) scanning is scary, because it encourages thieves to steal your eyeballs. http://www.flickeringmyth.com/... [flickeringmyth.com]
  • It's not like these companies are entrusted with anything special. Millions of people don't use their smart phones for anything more than calling and texting family or friends. And there's absolutely nothing which can be done with that information. So who cares about privacy? This is just enough for you to feel like there's security in place. Just like with the fingerprint scanner. There's no way those could have flaws which allow someone to bypass it with one of twenty possible fake fingerprints.

    That'd be

  • In my LinkedIn feed, someone posted the results of an attempt to use the retina scanner at an airport in order to go through the faster "Clear" security line.

    The scanner identified the person's retina as belonging to a completely different person.

    And we rely on these systems?

  • ...wait, I was told AI was right around the corner. Are you telling me we can't even make simple software work?
    • by tsqr ( 808554 )

      ...wait, I was told AI was right around the corner. Are you telling me we can't even make simple software work?

      I guess this means that making simple software work is around the same corner.

    • Are you telling me we can't even make simple software work?

      Of course we can. Now the real question is: Do we want to put the effort into making simple software work?
      Or a better question would be: Is Samsung capable of making anything work?

      Don't over complicate a very simple issue.

  • There are many sci-fi works of fiction that came up with plausible ways to circumvent eye scanner passwords, this is hardly a shock. Everyone said fingerprints would enhance security , Well we could get past that with talcum and scotch tape. Voice print->voice recorders. Eyes->high scale image scanners/cameras. What's next? Brain scanners? I'M happy with rotating passwords of 16+ chars thanks.
  • more unlocked and unblocked information in http://unblockedgames7788.weeb... [weebly.com]
  • No more Movies with people popping the eyeballs out to get past the biometric's. No Wait, This is Hollywood. Nevermind.....

  • by green1 ( 322787 ) on Tuesday May 23, 2017 @01:52PM (#54471473)

    I think by now everyone on Slashdot knows that biometrics provide very little actual security. That said, they do provide a very real solution to a very real problem. My phone has too much information on it to leave completely unprotected, but at the same time, I unlock it so many times a day that entering a long and complex passphrase each time is impractical.
    Now that said, the phone situation is also not like any other computer security issue either. I pay pretty close attention to where my phone is at all times, and that place is usually on my person. So it could be argued that it doesn't need as much security. It is in very real terms not much different that way from my wallet, and a thief doesn't need to pass any authentication at all if he steals my wallet, and that contains not only cash and credit cards, but also my ID, which would be enough to steal my whole identity.

    I see the fingerprint authentication on my phone as being enough to stop my toddler from doing too much harm to my settings, or my friends from pranking me at the bar, it's also enough to foil the vast majority of casual pickpockets. It won't protect me against any government agency, or dedicated crime syndicate, but really, who am I fooling, neither of those groups is going to care about my phone, and if they do, there's no authentication I could put on it that will actually provide real protection from them (between "rubber hose" attacks, and whatever hacking tool they've found and not released yet)

    Now if I was asked to use biometrics to authenticate my car, house, workplace, or bank account, I'd object a lot more, after all, those things are often left unattended, and the incentive for a malicious party to get in to them is much higher than my phone.

    • I think by now everyone on Slashdot knows that biometrics provide very little actual security.

      It depends on the context and on the details of the biometric system. Of course, this is *always* true; "security" not only isn't a boolean, it's not even a continuum. It's an n-dimensional tensor. To determine what security you have, you have to think about the avenues of attack, the nature of likely attackers and the risk that you're trying to protect against.

      For example, it would be fine to use a fingerprint sensor to control access to a nuclear missile silo. The fingerprint sensor wouldn't be the only

      • by green1 ( 322787 )

        Are you sure your phone isn't a key to any of those things? Odds are good that it *is* a key to your bank account.

        I think you misunderstood my point. The point is that my phone is "guarded" by me, and doesn't get left unattended in random parking lots like my car, left alone for hours or days at a time like my house, or completely unsupervised (by me) like my bank.

        If someone wants to steal my car, they are far better to grab my key fob than my phone, they're both in the same pocket, but one requires no authentication, while the other requires a fingerprint. Same idea for my money, they could take my phone, unlock it wi

        • I think you misunderstood my point.

          I did. Thanks for the clarification.

          As for iris being better than fingerprint.

          And I think you misunderstood mine :-).

          I wasn't claiming that iris is generally better than fingerprint, I was saying that it's likely more secure against penetration by a phone thief. Security is context-dependent, and in that context iris is probably harder to get past than fingerprint. Iris is probably less secure than fingerprint against friends and family, who probably have many high-quality photographs of your eyes, and can easily get more.

          I suspect that the speed and accuracy of the fingerprint scanner adds more to it's convenience than the iris scanner

          Perhaps. If the iris sca

          • by green1 ( 322787 )

            I shy away from anything with smooth plastic as I like to be able to hold on to my phone without dropping it. My note4 has a textured back. Easier to hold and doesn't hold prints either. The fascination with smooth backs on phones is a disaster in every regard.

  • Time and again, they have been shown to be much easier to subvert than people thought and, worse, once compromised, they can't be repudiated - imagine getting new fingerprints or a new iris.
  • Apple lawyers are getting ready to sue, since hearing that Samsung are infringing on the eyePhone.

  • Such a simple concept that so many companies/people, like Apple and Samsung, just don't understand who true it is. Finger prints, your eye balls, etc are usernames, not passwords.
  • Simon Phoenix already figured out how to bypass retina locks with nothing but a pen.

      Howto video:
    https://youtu.be/CbM--4-z0cs [youtu.be]

    Be Well

  • Just follow current best practices and change your iris every 90 days.

"To IBM, 'open' means there is a modicum of interoperability among some of their equipment." -- Harv Masterson

Working...