back to article How good are selfies these days? Good enough to fool Samsung Galaxy S8 biometrics

Chaos Computer Club's "Starbug" has taken a look at the Samsung Galaxy S8's iris-scanning authentication feature and found you can beat it with a photograph. The tools the group used aren't even remotely sophisticated: a camera in night mode, a contact lens, and a printer. To fool the sensor, supplied to Samsung by Princeton …

  1. Anonymous Coward
    Anonymous Coward

    The current UNsecurity situation is a farce

    Another day another vulnerability 'that was considered impossible'... We need the 'Monty-Python' boys back to highlight the insanity of the path we're treading and bring realization to a deaf 'Tech Industry' and dumb 'Political / Regulatory' structure:

    "To fool the sensor, supplied to Samsung by Princeton Identity, the “attacker” took a photo of the subject from a few metres' distance, printed it out, and dropped the contact lens over the iris to imitate the curvature of an eye (note: the CCC video doesn't mention this, but you'd have to get the printout aspect right, so as to make the iris the same size as the contact lens). When that image was presented to the camera, it unlocked, right on cue."

    1. John Brown (no body) Silver badge

      Re: The current UNsecurity situation is a farce

      "Another day another vulnerability 'that was considered impossible'... We need the 'Monty-Python' boys back to highlight the insanity of the path we're treading and bring realization to a deaf 'Tech Industry' and dumb 'Political / Regulatory' structure:"

      Biometrics are for usernames only, and even that's a security risk. If you can't change it at will, it's not a password.

  2. Flocke Kroes Silver badge

    Best feature of the sensor

    Thieves do not have to steal your eyes to authenticate.

    1. Christian Berger

      Re: Best feature of the sensor

      Thieves are stupid, they probably still will steal your eyes. Yet another problem of biometry.

      1. allthecoolshortnamesweretaken

        Re: Best feature of the sensor

        Eyes grow back, right? Right?

        1. Eddy Ito

          Re: Best feature of the sensor

          Yes, yes they do but only if you're a salamander.

          1. Chemical Bob

            Re: Best feature of the sensor

            Oh, I'm good then...

  3. Charles 9 Silver badge

    But what if you have a terrible memory and can't remember a PIN. And yes, I know plenty of people with memories that bad, which is why they can only go to brick-and-mortar branches and use cards that don't require PINs.

    1. Charlie Clark Silver badge

      Patterns are pretty good for basic security and passphrased-based mnemonics can be used in a keychain for authorisations. But not using your phone for financial stuff is advisable anyway.

      1. Charles 9 Silver badge

        Not so good for palsied or arthritic hands. As for avoiding the phone, what if the bank is branchless?

        1. allthecoolshortnamesweretaken

          "... what if the bank is branchless?"

          Then it can't be "my" bank.

          (Yes, I know, not an option for everybody. But if it is an option for you, vote with your feet.)

        2. CrazyOldCatMan

          Not so good for palsied or arthritic hands

          Arthritis doesn't stop you using one finger to tap in a PIN. I know this both from personal experience[1] and from my elderly mother..

          [1] OK - mine's 'only' psoriatic arthritis but it sure hurts like the traditional kind.

          1. Charles 9 Silver badge

            But you have to MOVE the finger to do a pattern match, which you'd probably need if your memory is too poor to remember a PIN (and note that since I'm talking arthritis, this usually means the elderly whose memory is failing).

    2. Anonymous Coward
      Anonymous Coward

      "And yes, I know plenty of people with memories that bad, which is why they can only go to brick-and-mortar branches and use cards that don't require PINs."

      If I draw money over the counter at my Barclays branch - the teller always passes me a PinSentry device and expects me to use my ATM card and pin code to authorise the transaction.

    3. turnip handler

      Using biometrics requires you also set up a PIN which is used to unlock the phone for the first time after the phone is restarted, to perform certain setting changes and as a back up to the biometrics.

  4. A Non e-mouse Silver badge

    Three pillars of identity

    This (and all the other form of biometric & password hacks) is why security should be made of three things:

    - Something you know (a passswod)

    - Something you have (a piece of hardware)

    - Something you are (Biometrics)

    Any one on its own is not strong enough.

    1. Christian Berger

      Re: Three pillars of identity

      Actually that "Something you are" part is very bad, as in reality you want to give up your security in certain situations, i.e. when you face actual danger to yourself. It's much easier to give someone your password than having your finger cut off, or your eye removed. Stupid attackers may do that.

      To any smart attacker, Biometrics is not a hurdle at all, particually the stupid things like scanning irises.

    2. Charles 9 Silver badge

      Re: Three pillars of identity

      So what happens when you have a terrible memory (meaning there's little you know) and you tend to travel with little and keep losing things (meaning there's little you have) and you STILL need a strong identity?

      1. G2

        Re: Three pillars of identity

        quote:

        So what happens when you have a terrible memory (meaning there's little you know) and you tend to travel with little and keep losing things (meaning there's little you have) and you STILL need a strong identity?

        /quote

        solution: NFC / RFID chip implanted under your skin.

        Humans do this regularly to pets these days and from this point of view a pet has better 2-factor authentication than a human. (biometrics + chip ID)

        1. Mage Silver badge

          Re: RFID

          Never invented for security but tracking palettes etc instead of barcodes which are not convenient. The non--contact nature of RFID makes them inherently insecure.

          Criminal also can use a scanner and cut it out. I'd rather have a physical "electronic" key / card / dongle.

          The contactless debit and credit cards are already a disaster.

          A pet's RFID is NOTHING to do with security.

          1. G2

            Re: RFID

            quote:

            A pet's RFID is NOTHING to do with security.

            /quote.

            you're thinking of old-school RFID that only provides a serial number ... think instead of NFC and U2F / OpenPGP / PIV over NFC

            https://www.yubico.com/products/yubikey-hardware/yubikey-neo/

            https://fidoalliance.org/fido-alliance-equips-u2f-for-mobile-and-wireless-applications/

        2. CrazyOldCatMan

          Re: Three pillars of identity

          from this point of view a pet has better 2-factor authentication than a human. (biometrics + chip ID)

          Cool. I have 7 2FA devices running[1] around at home then! Now - how to carry one of the semi-feral ex-farm cats with me to the bank?

          [1] 6 of them cats. The only time some of them are seen to run is in the general direction of their food bowl..

      2. LDS Silver badge

        ... and you STILL need a strong identity

        Well, I wouldn't hire you for any job that require a strong identity - such a person would be unfit for the role, sorry.

        If it's your personal need, you made your bed, lie in it.

        1. Charles 9 Silver badge

          Re: ... and you STILL need a strong identity

          "Well, I wouldn't hire you for any job that require a strong identity - such a person would be unfit for the role, sorry."

          So basically it's, "Game Over. You Lose. Better Luck Next Life." How Spartan...

          Ever considered the person doesn't have to work...because he or she is retired? Old people still need to be able to access their accounts and so on, and if the last local branch closes...

      3. hplasm
        Facepalm

        Re: Three pillars of identity

        "So what happens when ..."

        You've probably forgotten where you left your phone already. No problem.

    3. Mage Silver badge

      Re: Three pillars of identity

      No, just forget biometrics. I said from the start it was just a Hollywood trope and doomed.

      Anything that can't be changed is no use for security.

      Also people believe computers, so you only have to hack in a desired biometric. It's worse than a password or dongle BECAUSE the real person can't easily change it without fake skin or contact lenses etc.

    4. CrazyOldCatMan

      Re: Three pillars of identity

      - Something you have (a piece of hardware)

      - Something you are (Biometrics)

      Those two are (mostly[1]) functionally identical.

      [1] Yes, yes - I know you can't change your fingerprints[2] like you can a 2FA device..

      [2] If you have them. EldestBrother (being a chainsaw wielding manual-working tree monkey) doesn't really have any..

  5. Anonymous Coward
    Anonymous Coward

    If does not matter

    Samsung is not Apple so it will be forgotten in the same time if take for a Daily Mail headline to decay.

    Unsure?

    How many times to Apple haters trot out 'you are holding it wrong' a year?

    You can make your own mind up but I get the feeling that this is a bit of tech that Samsung has rushed out in order to beat Cupertino to the market.

    I won't touch Samsung branded kit with a bargepole. The stack of dead Samsung HDD's in my office is my reason for the boycott.

    1. Richard 12 Silver badge

      Re: If does not matter

      Nah, everyone was expecting this as all the camera-based unlock are pretty awful.

      They kind of have to be because of their speed and user intolerance of false negatives.

      I assume someone has broken the face recognition as well.

      1. Anonymous Coward
        Anonymous Coward

        Re: If does not matter

        Samsung's facial recognition was broken immediately - just hold up a phone with a picture of the face to unlock it! The iris scan was hoped to be the more secure option.

        Some rumors claim Apple will be doing facial recognition using 3D scans of the face for the iPhone 8, which would prevent the "hold up a photo" attack, but such 3D scans can't be made too precise - if they are then if allergies made your eyes swell up a bit you couldn't unlock your phone. So while it would be more secure it won't be a panacea against all methods of attack, only raise the bar.

    2. Mage Silver badge
      FAIL

      Re: Dead Disks

      Anecdotal.

      We had 80 Segates fail in one day. Assembly area too cold, in days when you did low level formatting.

      Then half the disks in two classrooms of new computers we installed (I forget why?)

      Another period it was Quantum disks.

      Then all those Western Digital 0.5T and 1T SATA drives, loads. Was it a firmware bug?

      I've one faulty Samsung 1T drive, "dumped" yesterday.

      Replacing HDDs since 1983. All anecdotal. You need a BIG sample. You need to know if moved about, in smoker's atmosphere, weather, power cuts, storms, temperature of PC etc.

    3. Adam JC

      Re: If does not matter

      You do realise Seagate bought Samsung's hard-drive biz back in 2011 for $1.4b right...?

      1. allthecoolshortnamesweretaken

        Re: If does not matter

        Seagate. Oder sie geht nicht.

  6. Christian Berger

    Obviously they had fun with it...

    ... as there also is a version of the video with commentary in the style of a popular children's show in Germany:

    https://media.ccc.de/v/biometrie-s8-iris-fun

    1. allthecoolshortnamesweretaken
      Pint

      Re: Obviously they had fun with it...

      "The tools the group used aren't even remotely sophisticated: a camera in night mode, a contact lens, and a printer."

      The sophisticated bit is their minds.

      Which are sharp and alert because they all grew up watching Die Sendung mit der Maus. (Link links to english Jimbopedia entry, check it out). The pint is for Armin Maiwald.

  7. The Original Steve

    Windows Hello

    My understanding is that Microsoft's "Windows Hello" (what a crap name) does a combo of iris and facial recognition. The phones suck as they can only do iris recognition so I'd imagine have the same problems as reported in this article, however the version used on their Surface range is not only significantly faster and more accurate than their mobile efforts, I don't believe it's been tricked / hacked / spoofed yet into unlocking a device without the owner being present.

    I believe that the PC version of Windows Hello builds a 3D model of your face which it uses along with an iris scan. Due to the width restrictions of modern phones it's not possible to have an array of three cameras (one infrared plus two for the 3D face scan) thus crap on phones but excellent on laptops.

    Personally I'm sticking to a 6 digit PIN on my phone and Windows Hello on my Surface.

  8. Charlie Clark Silver badge

    Biometrics are fundamentally flawed

    But there's a big business in making them seem okay: governments love them because they add to the security theatre while allowing them to fire expensive meatware, which is easier to trick but harder to deceive.

    As the Veneer of Democracy Starts to Fade…

  9. 's water music

    phew

    So glad to hear someone else has cracked this and I can stop poking myself in the eye with gummy bears to make an imprint. It's been costing me a bomb in in optrex

    1. Anonymous Coward
      Anonymous Coward

      Re: phew

      Thank you for that. You actually made me laugh out loud.

    2. handleoclast
      Coat

      Re: phew

      You're doing it all wrong.

      To unlock somebody else's phone you need to poke the gummy bear in the other person's eye, not your eye.

      HTH

    3. CrazyOldCatMan

      Re: phew

      So glad to hear someone else has cracked this

      Some decades ago (when I was young and dinosaurs lived in data centres) the Nationwide Building Society had an iris recognition trial so see if it could be used to access bank accounts. They spent quite a bit of money on the trial with the (then) state of the art optics and computing.

      About half-way through the trial is was withdrawn and never mentioned again.

  10. DrXym Silver badge

    Hardly a big deal

    Unless the thief happens to have a picture of you in the proper light and knows this is how you unlock the phone then it's not going to help them. And theft is the biggest threat by far.

    I think the biggest problem with phones & security is one of usability and defaults. Some phones have "smart lock" functionality but it's very finnicky to set up and separate from the screen lock stuff.

    It needs to be redesigned and consolidated into a single screen that summarises what security is set, and the conditions that the rules apply. e.g. idle time, location, proximity to other devices. The easier it is to set up the security, the more likely people are to use it. The more people who have security enabled by default, the less reason thieves will have to steal phones.

    1. Just Enough

      Re: Hardly a big deal

      It is possible to have your phone stolen by someone you know.

      It is possible to have your phone stolen by someone who uses some ruse to obtain a photo first.

      It is possible that the information on your phone has a distinct, unique value that will tempt criminals to go to the lengths necessary.

      Yes, for most people the chances of these things happening are smaller than your everyday mugger. But the point of testing things in this manner is they demonstrate how it can be done. It therefore follows that, guaranteed, some criminals will perfect a way of doing it in a practical manner in real life. So the fact remains that this method of securing devices is fundamentally flawed. As long as you make your 'key' something that is in public view, and can be copied with increasing ease, accuracy and fidelity, then your 'key' is not secure.

      1. DrXym Silver badge

        Re: Hardly a big deal

        Yes it's possible all those things could happen AND you have iris enabled (don't forget that) AND you're prepared to put up with how crap the function works. Now think on the likelihood of all that actually happening in real life as opposed to some thought experiment and it's very slight.

        If security researchers want to improve security they should stop doing these silly experiments on esoteric features and an improbable chain of events and think of ways a phone can be made more secure by default. Not such a headline grabber but vastly more useful.

        1. Charles 9 Silver badge

          Re: Hardly a big deal

          The trouble with edge cases is that they don't REMAIN edge cases for long. Think STALKERS...

  11. Michael H.F. Wilkinson

    Iris scans can be done properly

    There are a few tests that can be done to distinguish a print from a real, live iris:

    Fourier analysis of the image, if taken at sufficient resolution, will show frequencies corresponding to the raster of the printer. Simply check the Fourier power spectrum for such regular spikes. This does not work on old-fashioned analog photography and printing, as the grains in the emulsion are placed randomly.

    The second test is to capture two images: one at a low illumination and one in brighter light. The pupil should contract, if it is a real, pupil attached in the usual way to a living brain. This is similar to proper fingerprint scanners which should incorporate IR Doppler to detect flowing blood under the skin.

    In case of high security applications, these tests must be done, and also make stealing someone's eyes useless. Infra-red imaging is essential to get the iris patterns clearly. In smartphones they probably did some cost cutting, resulting in poor security.

    1. Yet Another Anonymous coward Silver badge

      Re: Iris scans can be done properly

      So you are proposing a system that can recognise specific irises?

      The samsung one just seems to recognise that it is an iris !

      This could also work with passwords - rather than just have the computer recognise that you entered some sort of random collection of letters that was probably a password

    2. Charles 9 Silver badge

      Re: Iris scans can be done properly

      "This is similar to proper fingerprint scanners which should incorporate IR Doppler to detect flowing blood under the skin."

      Does that also defeat the gummy fingerprint on top of someone else's finger which would have live blood flow and everything?

  12. Mage Silver badge

    Other Options

    My phone is setup for Border Control.

    Only PAYG, so if stolen, no big bill.

    Four years old, and not an Apple, so not a huge target

    Only used for note taking, photos, FM Radio, SMS and phone calls. Nothing important kept on it.

    No PIN or lock, to allow instant calls.

    I appreciate it's a special use case ^_^ and not much help for most people. I only take my real laptop to known "secure" places, otherwise I take a semi-disposable small netbook (Linux Mint + LXDE).

    1. Charles 9 Silver badge

      Re: Other Options

      So what if they take your phone and then use it to make incriminating phone calls or texts in your name?

      1. Mage Silver badge

        Re: incriminating phone calls or texts in your name?

        Um,

        1) The SIM isn't registered to me, it's anonymous. I don't live in Spain, etc.

        2) You can be sure I'd complain loudly to everyone that my phone is stolen, inc the Garda, to beef up their crime statistics*

        So they'd need to take phone and replace it while I didn't notice (clone IMEI and SIM is possible) and somehow make the anonymous number/SIM be identified to me. I bought the phone S/H too. €50 cash, though the seller knows me.

        (* Someone in there gets bored and invents statistics, we don't know why, perhaps they'd like some real ones. I ALWAYS report crimes. Even if it seems pointless)

        1. Anonymous Coward
          Anonymous Coward

          Re: incriminating phone calls or texts in your name?

          Point is they can CLONE the SIM (so they don't have to replace your phone) and, since we're talking a STATE agency, they could do all sorts of havoc and you'd have no way to clear your name. If you complain, they'll just say you're lying and show their proof to corroborate their story.

  13. Alan1kiwi

    RFID ??

    I am tired of taking the cat to the ATM.

    Really, this whole nonsense is beyond belief.

    Penis recognition should do it.

    Although it could get problematical at the ATM.

    Girls could use tonsil recognition, as they do most things with their mouths open.

    Simple.

    :-)

    1. handleoclast
      Boffin

      Re: RFID ??

      @ Alan1kiwi

      From the four downvotes (so far) it appears that there are Reg commentards who are unable to recognize humour unless you use the "Joke" or "I'll get my coat" icon on your post. Merely writing something that is actually funny is insufficient for them to understand that it is, in fact, a joke.

      That or they're commentards who are embarrassed by penises. Or cats. Or cats with penises. Or girls with tonsils. Or girls with penises (actually, I can sympathise with that one).

      [Icon chosen for reasons that will be obvious to those with a sense of humour and utterly incomprehensible to those who downvoted you].

      1. Anonymous Coward
        Anonymous Coward

        Re: RFID ??

        Either that or the jokes are considered in poor taste. Not only is penile recognition not possible with women and eunuchs, but there's the matter of lesbians and people who've had tonsilectomies.

        IOW, Dude, Not Funny!

        1. handleoclast

          Re: IOW

          To continue in your humorous vein of pretending not to get a joke, I'll agree with you that the Isle of Wight is not funny and never has been.

      2. Yet Another Anonymous coward Silver badge

        Re: RFID ??

        >Penis recognition should do it.

        >Although it could get problematical at the ATM.

        >Girls could use tonsil recognition, as they do most things with their mouths open.

        There was a young poster from Cheam

        Who invented an identification machine

        Concave or convex

        To suit either sex

        and I don't know how to finish this politely.....

        1. Charles 9 Silver badge

          Re: RFID ??

          "Concave or convex

          To suit either sex"

          But who'd use since ne'er was it clean.

      3. Hollerithevo

        Re: RFID ??

        @handleoclast, perhaps you forget that women are also Commentards? Would you suggest to a woman you worked with that her mouth was always open, because, y'know, woman...

        1. handleoclast

          Re: RFID ??

          @Hollerithevo

          Yeah, I noticed we have female commentards.

          In my experience, women are capable of reading a short post in its entirety and recognizing humorous intent throughout rather than focusing rather narrowly on one particular part of it. Especially if the author deprecates himself at the start of it. Or do you think OP really is so stupid he'd take his cat to the ATM and wish that it had penis recognition instead?

    2. VinceH

      Re: RFID ??

      "Girls could use tonsil recognition, as they do most things with their mouths open."

      That's just silly - what if they've had their tonsils removed?

  14. Anonymous Coward
    Anonymous Coward

    Does this mean...

    Tom Cruise swapped his eyes for nothing in Minority Report?

    Based on modern crime detection methods and device security if that movie would be awful if the tech involved was real.

    He'd be kidnapping a server while escaping in a Tesla over a very short distance stuck in traffic on the M1 while fumbling around with printouts of eyeballs stuck to practical joke glasses frames. Naff.

  15. Baldrickk

    What happened to blinking?

    My old HTC Desire (or my Galaxy S3, I forget which) back in the day had facial recognition to unlock it as an option. An additional option required you to blink on demand to prove that you were not a static cutout.

    I'm surprised something like this isn't implemented in addition to the iris check. Still not secure, but it prevents just a photo getting you in and should be trivial to (re)implement.

    "selfie flash" feature as mentioned somewhere above to incite iris contraction would also be a good feature to 'prove' that it is a real eyeball, somewhat.

    1. Mage Silver badge

      Re: What happened to blinking?

      A suitably programmed tablet can blink or contract irises.

      There are other ways too.

      You can tweak biometrics and later it will fail again. Some ideas are just dead ends. Security wise, Biometrics and/or RFID are doomed.

      You can't change your own biometrics

      RFID is INHERENTLY vulnerable to sniffing/eavesdropping etc, as is WiFi and BT. A physical contact to card/key/dongle is the only secure method other than PIN or Password. The accelerometer and any other such sensors should be disabled during any security data entry.

      1. Anonymous Coward
        Anonymous Coward

        Re: What happened to blinking?

        No even PHYSICAL interfaces can be made secure. Think skimmers and wire intercepts. And as for the accelerometer, what if it's checking to see if it's on a mobile base?

  16. Gis Bun

    You can't fool Windows 10 with a supported web camera. Windows 10 [with camera] will detect for heat presence.

    1. CrazyOldCatMan

      You can't fool Windows 10 with a supported web camera. Windows 10 [with camera] will detect for heat presence.

      So you hold an IR lamp (or a lit candle) behind the picture. Will give a convincing IR trace..

      Anyway - you don't need to fool it that way - you can just use an exploit and get in directly :-)

      1. Charles 9 Silver badge

        You'd have to match the IR map of a face against a cold background: not possible with a candle and tricky with a lamp without a sophisticated heat mask.

  17. pleb

    infrared filter switched off...

    ... how? It's a physical thing, a piece in the light path. You can't "switch it off". You can try removing it:

    https://www.ifixit.com/Answers/View/144899/Can+IR-blocking+filter+be+removed

  18. Jin

    Another demonstration of "unique" being different to "secret"

    Authentication by biometrics comes with poorer security than PIN/password-only authentication. This video explains how biomerics makes a backdoor to password-protected information.

    https://youtu.be/5e2oHZccMe4

    Also there is an interesting discussion about this issue on Payments Journal

    http://www.paymentsjournal.com/Content/Blogs/Industry_Blog/35382/

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021