Hackers Unlock Samsung Galaxy S8 With Fake Iris

From a Motherboard report: Despite Samsung stating that a user's irises are pretty much impossible to copy, a team of hackers has done just that. Using a bare-bones selection of equipment, researchers from the Chaos Computer Club (CCC) show in a video how they managed to bypass the scanner's protections and unlock the device. "We've had iris scanners that could be bypassed using a simple print-out," Linus Neumann, one of the hackers who appears in the video. The process itself was apparently pretty simple. The hackers took a medium range photo of their subject with a digital camera's night mode, and printed the infrared image. Then, presumably to give the image some depth, the hackers placed a contact lens on top of the printed picture. And, that's it. They're in.

That's nothing.

[93 Escort Wagon]

I unlocked it by playing a Goo Goo Dolls track [youtube.com].

Who would point a Samsung laser at their eye?

[bit trollent]

Let's see.. their last phone literally exploded, but this one is safe enough to point a laser at your eye?

Re:

[Cro Magnon]

That should work fine. Twice.

Single biological authentication doesn't work

[courteaudotbiz]

If a device only check for one thing, in this case, iris pattern, the device cannot know if it is a real eye for sure. Validating the iris and fingerprint, or iris and voice recognition, or iris and DNA would already be more secure, but as I come up with these ideas, I always find a way these things can be fooled together. It just makes it more complicated to fool 2 sensors at a time, but absolutely not out of reach of 3 letters agencies. I think iris scan combined with voice and a plain old password would already be some sort of security.

Re:Single biological authentication doesn't work

[Sique]

The general problem is still unsolved. If your iris and your fingerprint id are broken, how do you replace them with new ones?

That's the general problem with biometric identification. Once you can overcome the limits of the scan mechanism, and impersonate someone else, there is nothing the impersonated one can do to close the door again, until new scan mechanisms are in place which have to be fooled in a new manner.

Re:

[swillden]

The general problem is still unsolved. If your iris and your fingerprint id are broken, how do you replace them with new ones?

This statement indicates that you erroneously believe that biometric authentication security (such as it is) is based on secrecy of the biometric patterns. This is not the case, and cannot be the case. Since the security (such as it is) does not derive from secrecy, rotation is useless and irrelevant. Your biometrics are public information; fingerprints are left everywhere and your iris structure can be extracted from any decent photograph. Given that, supposing you could rotate your biometrics, the new val

Re:

[Sique]

This answer assumes errorneously that I would consider biometric information a secret.

Quite the contrary! You can't replace your biometric patterns. They are an intergral part of yourself, and everyone with the means to do so can check them. That's why they are used to identify you. But if they can be forged, they don't identify you anymore, and there is nothing you can do about that. You can't get a new iris. You can't get new fingerprints. They are like a lock with a second set of keys you don't control

Re:

[swillden]

This answer assumes errorneously that I would consider biometric information a secret.

Okay, working from the assumption that biometrics are public information, it's easy to see why rotation is irrelevant. The whole purpose of password rotation is that passwords provide security only if they are secret, and secrecy erodes over time. Rotation is how we fix loss of secrecy. But biometrics are not secret and therefore there would be no security benefit of rotation even if you could do it.

Which means that rotation is a red herring.

Re:

[Sique]

Any pair of key and lock which is compromitted should be replaced. You change your locks once someone broke in your home, or someone has a key you don't trust any longer. You change your password once you notice someone was in your account. But you can't change your biometrics. So what happens to the locks your biometrics were the key to?

Re:

[swillden]

Any pair of key and lock which is compromitted should be replaced. You change your locks once someone broke in your home, or someone has a key you don't trust any longer. You change your password once you notice someone was in your account. But you can't change your biometrics. So what happens to the locks your biometrics were the key to?

Locks are a bad analogy, just like passwords. Locks also rely on secrecy, in this case on the secrecy of the shape of the key.

Rather than trying to analogize, analyze the security of biometric systems directly, on their own basis. Assume that the biometric data is known to the attacker (this is the only reasonable assumption), and if rotation were feasible, that that attacker would also know the new data. Think about the contexts in which the system will be used, and the obstacles that the attacker must o

Re:

[Sique]

You constantly ignore the problem. I don't talk about secrecy. I don't talk about rotation.

I talk about that a compromised security system has to be replaced or to be repaired -- whatever the breach was.

But you can't neither replace nor repair your own biometrics. Once they are compromised, they stay compromised. Biometrics rely on the fact that they are unique to one person. Once they aren't unique anymore, they lose their security feature. They can't be used anymore to reliably identify the person who

Re:

[swillden]

You constantly ignore the problem. I don't talk about secrecy. I don't talk about rotation.

I talk about that a compromised security system has to be replaced or to be repaired -- whatever the breach was.

But you can't neither replace nor repair your own biometrics. Once they are compromised, they stay compromised.

You're confusing the system with the data.

Okay, let's try this. Suppose I have two systems: my phone, and the nuclear weapons storage facility that I work at. The phone has a cheap scanner will accept anything that looks vaguely like my fingerprint. The nuclear weapons storage facility has a high-quality fingerprint scanner with such tight matching parameters that I must scrub my finger clean before attempting to scan it, and is overseen by an armed guard who checks that my finger is my finger, nothing mo

Re:

[swillden]

Your nuclear weapons plant security is a pipe dream.

Have you ever worked in nuclear weapons security? I have. I have a very good idea of what is and is not practical in that context.

However, I will readily admit that I exaggerated both systems; I described a phone scanner that is considerably worse than real devices, and a nuclear weapons storage entry scanner that is probably stricter than what would really be implemented.

Re:

[swillden]

The original complaint was that the system in and of itself is not a good security system due to it being useful for identification but NOT authentication, and any system that uses it for both, is easily and irrevocably broken.

No, the original complaint was that biometrics (in general, not this specific system) are insecure because you can't change your body parts. Read back up the thread.

Also, no system under discussion uses biometrics for both identification and authentication. I don't know what you're talking about.

You keep changing the circumstances to justify your argument. Now we're up to armed guard in a nuclear weapons facility as proof that a biometric authentication system is somehow "secure".

I was illustrating a highly secure implementation, to demonstrate that it's the system as a whole that matters.

Sorry but "put a big guy holding a gun next to it" doesn't fix the broken authentication mechanism, it just prevents others from trying to take advantage of the fact it's broken.

You missed the point. It's not the gun that matters, it's the scrutiny of the finger, which makes fool

Re:

[Trogre]

This is another example why Something You Know authentication (a password) is much better than Something You Have (an eyeball, fingerprint or key) for unlocking digital devices.

Re:

[Anonymous Coward]

Biometrics are really analogous to user names, not passwords. I really have no idea why they keep insisting that they are the next thing in security.

Re:

[swillden]

Biometrics are really analogous to user names, not passwords.

They're neither. Usernames require uniqueness and exactness of matching that biometrics lack. Matching efficiency of biometrics is also absysmally low, compared to good usernames.

Passwords require secrecy that biometrics lack.

Biometrics simply do not fit into the username/password security model. Biometrics can provide useful security, depending on the context and the requirements, but they work differently. To work well, they also need to be paired with a username (like passwords do), so that you can t

Re:

[denis-The-menace]

That the difference between identification and authentication.

You can ID people with iris,fingerprint,DNA.
You cannot authenticate their intent that way. That's why we have PIN numbers and passwords.

Re:

[swillden]

You can ID people with iris,fingerprint,DNA.

You can't, really.

You can take a database of potential matches and narrow it down probabilistically using biometrics, but absolute identification cannot be achieved. There is no guarantee of uniqueness, and even if there were, the matching process is inherently fuzzy and imprecise, so even if two people absolutely have different fingerprints (or whatever), it may still be that their prints are similar enough that the matching process decides they're the same.

You cannot authenticate their intent that way. That's why we have PIN numbers and passwords.

In general, you can't authenticate intent with

Re:

[sexconker]

Nope.

Identification - Who you claim to be.
Authentication - Proving you are who you claim to be.
Authorization - What you are allowed to do.

It's so fucking simple, yet you fucking retards keep trying to shit it up by chipping away at the authentication piece and relying more on the identification piece.

Re:

[denis-The-menace]

Can you give examples of how you'd do Authentication vs. Authorization.

I can't see Authorization being done as a "logging-in" type of action.

I see Authorization as the WAY the account is set up (e.g. file Permissions, etc.)

Re:

[sexconker]

That's it exactly what it is. It's what you are allowed to do. It is enforced by the authority that authenticates you or the systems that trust that authority.

Re:

[sjames]

Fingerprint scanners can be fooled fairly easily. Two easy to fool things may discourage casual access, but it's hardly TLA type stuff. It's well within the reach of crazy ex or business rival.

Re:

[swillden]

Fingerprint scanners can be fooled fairly easily. Two easy to fool things may discourage casual access, but it's hardly TLA type stuff. It's well within the reach of crazy ex or business rival.

In general, if TLA security is your goal, you have two realistic options: (1) Hide among the masses or (2) give up. It's a certainty that no consumer-level device will keep you secure if you're being targeted by a nation-state.

With respect to fingerprint, etc., scanners in phones, just keep in mind that biometric authentication is strictly weaker security than a PIN[1] and you're good.

[1] "Weaker than a PIN" is an approximation. Whether or not it's true depends on who the attacker is. If the attacker is a

Re:

[Anubis IV]

Building on what you said, biometrics are generally safe to use for identification (i.e. I'm referring to X person), not authentication (i.e. I am X person). In much the same way that many of us here are identifiable by unique usernames that everyone else can see, biometrics are merely pieces of information that (mostly) uniquely identify each of us, but we should not assume that they will remain private or secure.

If you're dealing with a secure system, you shouldn't be treating biometrics as anything more

Re:

[Frosty Piss]

The real problem here is not two-factor yadda yadda, it's that this is implemented on a sub-$1000 phone . The device itself and almost certainly whatever algorithms they are using cannot possibly be as rigorous as, say, the biometrics used to access the anthrax lab or the room President Trump keeps his Russian cypher equipment in.

I am so happy!

[XXongo]

I am so happy! According to Hollywood, hacking into an iris-scan protected phone means ripping out somebody's eyeball. https://www.youtube.com/watch?... [youtube.com]

I'm glad to hear you can do it with a camera instead.

Re:

[The Grim Reefer]

I am so happy! According to Hollywood, hacking into an iris-scan protected phone means ripping out somebody's eyeball. https://www.youtube.com/watch [youtube.com]?... I'm glad to hear you can do it with a camera instead.

Except do you think some street thug who wants to get into you phone that badly is going to carry a camera, printer and contact lens? Realistically, they'll probably punch most people once and they'll be happy to unlock the phone to avoid being hit again. Failing that, it's probably simpler to just knock the owner out and scan their eye to unlock the phone while they're unconscious.

Re:

[Cro Magnon]

Obvious problem with that. Does the scanner work if you have a black eye?

Re:

[The Grim Reefer]

Obvious problem with that. Does the scanner work if you have a black eye?

Yes, as long as it's not swollen to the point it can't be pried open. Besides, there are many other places to hit someone other than the eye. And I believe it or not, most people have two eyes.

Re:

[will_die]

Sure but where is the fun in that.

I'd rather keep my eyeballs

[Doke]

Iris (or retina) scanning is scary, because it encourages thieves to steal your eyeballs. http://www.flickeringmyth.com/... [flickeringmyth.com]

No big surprise there

[H3lldr0p]

It's not like these companies are entrusted with anything special. Millions of people don't use their smart phones for anything more than calling and texting family or friends. And there's absolutely nothing which can be done with that information. So who cares about privacy? This is just enough for you to feel like there's security in place. Just like with the fingerprint scanner. There's no way those could have flaws which allow someone to bypass it with one of twenty possible fake fingerprints.

That'd be

Retina scans not unique? Or just bad?

[whoever57]

In my LinkedIn feed, someone posted the results of an attempt to use the retina scanner at an airport in order to go through the faster "Clear" security line.

The scanner identified the person's retina as belonging to a completely different person.

And we rely on these systems?

But wait...

[110010001000]

...wait, I was told AI was right around the corner. Are you telling me we can't even make simple software work?

Re:

[tsqr]

...wait, I was told AI was right around the corner. Are you telling me we can't even make simple software work?

I guess this means that making simple software work is around the same corner.

Re:

[thegarbz]

Are you telling me we can't even make simple software work?

Of course we can. Now the real question is: Do we want to put the effort into making simple software work?
Or a better question would be: Is Samsung capable of making anything work?

Don't over complicate a very simple issue.

Re:

[rodrigoandrade]

Something you have
Something you know
Something you are

Your iris is only one of them, therefore the system isn't too secure.

Re:

[geekmux]

A halfway solution is not a solution.

The only solution identified to solve for was removing the effort normally required to authenticate to your smartphone.

Biometrics was created to meet the needs of the lazy generation.

nothing is impossible to copy

[evolutionary]

There are many sci-fi works of fiction that came up with plausible ways to circumvent eye scanner passwords, this is hardly a shock. Everyone said fingerprints would enhance security , Well we could get past that with talcum and scotch tape. Voice print->voice recorders. Eyes->high scale image scanners/cameras. What's next? Brain scanners? I'M happy with rotating passwords of 16+ chars thanks.

Re:

[Geoffrey.landis]

Of course not. The average thief would just purchase the hacked irises and fingerprints on the internets, where they are for sale by people who are professional at stealing irises and fingerprints. Just like today there are people professional at stealing credit card numbers, and different people who actually buy the stolen credit card numbers to use.

Re:

[ledow]

The average petty thief isn't guessing a four-digit PIN that locks out after too many attempts either.

Anyone with a basic modicum of security realises that what you're paying for is a VERY VERY VERY expensive way to tap in four digits automatically.

But at least you have to give up the PIN, whereas your iris scan can be taken from you without your knowledge. And I'm sure a non-petty thief (i.e. a guy on a moped swiping phones from city centres all day long) would love to have a way to turn your lock screen

unblocked

[tamara346]

more unlocked and unblocked information in http://unblockedgames7788.weeb... [weebly.com]

So much for the movie drama

[wizkid]

No more Movies with people popping the eyeballs out to get past the biometric's. No Wait, This is Hollywood. Nevermind.....

Security vs Convenience

[green1]

I think by now everyone on Slashdot knows that biometrics provide very little actual security. That said, they do provide a very real solution to a very real problem. My phone has too much information on it to leave completely unprotected, but at the same time, I unlock it so many times a day that entering a long and complex passphrase each time is impractical.
Now that said, the phone situation is also not like any other computer security issue either. I pay pretty close attention to where my phone is at all times, and that place is usually on my person. So it could be argued that it doesn't need as much security. It is in very real terms not much different that way from my wallet, and a thief doesn't need to pass any authentication at all if he steals my wallet, and that contains not only cash and credit cards, but also my ID, which would be enough to steal my whole identity.

I see the fingerprint authentication on my phone as being enough to stop my toddler from doing too much harm to my settings, or my friends from pranking me at the bar, it's also enough to foil the vast majority of casual pickpockets. It won't protect me against any government agency, or dedicated crime syndicate, but really, who am I fooling, neither of those groups is going to care about my phone, and if they do, there's no authentication I could put on it that will actually provide real protection from them (between "rubber hose" attacks, and whatever hacking tool they've found and not released yet)

Now if I was asked to use biometrics to authenticate my car, house, workplace, or bank account, I'd object a lot more, after all, those things are often left unattended, and the incentive for a malicious party to get in to them is much higher than my phone.

Re:

[swillden]

I think by now everyone on Slashdot knows that biometrics provide very little actual security.

It depends on the context and on the details of the biometric system. Of course, this is *always* true; "security" not only isn't a boolean, it's not even a continuum. It's an n-dimensional tensor. To determine what security you have, you have to think about the avenues of attack, the nature of likely attackers and the risk that you're trying to protect against.

For example, it would be fine to use a fingerprint sensor to control access to a nuclear missile silo. The fingerprint sensor wouldn't be the only

Re:

[green1]

Are you sure your phone isn't a key to any of those things? Odds are good that it *is* a key to your bank account.

I think you misunderstood my point. The point is that my phone is "guarded" by me, and doesn't get left unattended in random parking lots like my car, left alone for hours or days at a time like my house, or completely unsupervised (by me) like my bank.

If someone wants to steal my car, they are far better to grab my key fob than my phone, they're both in the same pocket, but one requires no authentication, while the other requires a fingerprint. Same idea for my money, they could take my phone, unlock it wi

Re:

[swillden]

I think you misunderstood my point.

I did. Thanks for the clarification.

As for iris being better than fingerprint.

And I think you misunderstood mine :-).

I wasn't claiming that iris is generally better than fingerprint, I was saying that it's likely more secure against penetration by a phone thief. Security is context-dependent, and in that context iris is probably harder to get past than fingerprint. Iris is probably less secure than fingerprint against friends and family, who probably have many high-quality photographs of your eyes, and can easily get more.

I suspect that the speed and accuracy of the fingerprint scanner adds more to it's convenience than the iris scanner

Perhaps. If the iris sca

Re:

[green1]

I shy away from anything with smooth plastic as I like to be able to hold on to my phone without dropping it. My note4 has a textured back. Easier to hold and doesn't hold prints either. The fascination with smooth backs on phones is a disaster in every regard.

Re:

[swillden]

In fact, nuclear weapon security *does* rely on biometric authentication, but it's normally the old-fashioned face recognition kind, where one human attempts to match another human's face against a small photo on a plastic card. Fingerprint scanners are harder to fool than that, assuming the guard doesn't know the entrant personally.

One human attempts to match another human's face against a small photo on a computer screen that's been signed by a DOD crypto key. That's a little harder to fool than a fingerprint scanner. Fingerprint overlays are easier to fake and conceal than convincing masks.

The digital signature confirms that the face in the photo is authorized. It does nothing to improve the human's ability to match live face against photo. In the fingerprint case, something analogous to that digital signature is also required. It could be a digitally-signed fingerprint template, or it could be that the template is retrieved from a secure database.

This highlights one aspect of biometric matching systems that I haven't mentioned in these threads: It's crucial to be sure that the template you

Re:

[sexconker]

I've never seen such a requirement, but I guarantee you it would be trivial to trick. I bet you could simply place your index and middle finger in front of the fake iris model and make a scissoring motion when it asks you to blink.

Re:

[green1]

If they can fake the iris, don't you think they could figure out how to fake an eyelid closing?

Biometrics are a joke

[OneHundredAndTen]

Time and again, they have been shown to be much easier to subvert than people thought and, worse, once compromised, they can't be repudiated - imagine getting new fingerprints or a new iris.

Patent litigation in 3.2.1

[billybob2001]

Apple lawyers are getting ready to sue, since hearing that Samsung are infringing on the eyePhone.

Something you have plus something you know

[mrun4982]

Such a simple concept that so many companies/people, like Apple and Samsung, just don't understand who true it is. Finger prints, your eye balls, etc are usernames, not passwords.

Re:

[account_deleted]

Comment removed based on user account deletion

What's the big deal?

[sootman]

Just follow current best practices and change your iris every 90 days.