Hacking the Galaxy S8's Iris Biometric

It was easy:

The hackers took a medium range photo of their subject with a digital camera's night mode, and printed the infrared image. Then, presumably to give the image some depth, the hackers placed a contact lens on top of the printed picture.

Posted on May 26, 2017 at 12:50 PM • 12 Comments

Comments

Bob Dylan's Masterful FootMay 26, 2017 1:27 PM

It is easy if one is creative like that but to be perfectly honest that solution would not occur to me in a thousand years. Those rascals (shakes tiny fist)...

As Bruce has noted more than once being able to build things and being able to break things are not the same skill set.

Robert WoodMay 26, 2017 1:41 PM

Well, that being said it's probably not a good idea for any dissidents or any subversive minds to carry an s8, especially when traveling.


TerryMay 26, 2017 1:46 PM

@ As Bruce has noted more than once being able to build things and being able to break things are not the same skill set.

Except that the adage you're referring to can be equally interpreted to mean that no one build anything that works.

And then this crap get's repeated a billion times until everyone is brain dead. Like "you must drink 20 glasses of water a day"

MartinMay 26, 2017 1:53 PM

Perhaps each serious project should hire hackers to test the product in addition the usual rubber stamp product testers.

HaukeMay 26, 2017 4:46 PM

And strangely and yet unexplained, it worked best when the iris image was printed with a Samsung printer.

Jonathan WilsonMay 26, 2017 6:50 PM

Yet another reason not to use bio-metrics but to stick with a good old password or code instead (one that your adversaries can't easily guess and that is backed up by strong encryption on the device itself)

blue eyedMay 27, 2017 4:06 PM

When your password gets compromised you can easily change it. With your eyes it's not that easy. 8-)

Clive RobinsonMay 28, 2017 5:54 AM

@ Someone,

not sure if this is allowed here, but I will take my chances

Normally the current "Friday Squid" page is where you would put it.

As for the atteck vector, yes I would kind of expect it. Subtitles ar not just "text files" they often contain other information such as position on the screen, background and foreground colours, time marks, and links off to other files etc.

Some subtitle formats may alow not just for compression but actually small programs to interact with the UI, or as happens in PostScript files actually generate images for display in a "Device Independent" format. As is known Adobe PDF files and various image file formats have been used to hide malicious code in the past.

I guess we are going to have to wait for the gory technical details, but I suspect that where there is one sort of attack vector found and patched, there will be others just waiting to be found and exploited now the idea has been made public.

David AlexanderMay 30, 2017 10:53 AM

As with so many security controls, the attack shows that:
1) a badly implemented biometric control can usually be exploited.
2) knowing how to securely implement biometrics is essential for the design team

The iris oscillates in size at about 0.5 Hz, and a good iris scanner can detect this movement, it's not somersetting that a printed picture can do. In addition, a good infra-red scanner will work in the 700-900 nM range. A live iris containing oxygenated haemoglobin has a different IR absorption spectra to a dead eyeball (defeating the 'Minority Report' attack) or a printed image. If one or both of these controls were implemented correctly in the phone (and I accept that cost, space and processing power are limiting factors in a smart phone) then the attack would have failed.

Martin E.June 3, 2017 5:05 AM

Any use of any biometrics for identification and/or authentication (face, iris, fingerprints, veins, etc. - all of them!) should be immediately stopped. Using biometrics is inherently insecure, period. Unlike logins and passwords - you cannot change your biometric characteristics. Moreover, you leave your fingerprints and your DNA samples on every thing you touch. And collection of face photos or iris images enables mass surveillance: entities that operate CCTV cameras can then follow people and monitor automatically their movements.

Biometrics shouldn't be collected at borders, it shouldn't be stored in ID documents. It shouldn't be collected or stored at all.

The only exception are people suspected of *serious* crimes - their fingerprints may be collected, but should be stored only until such person is acquitted or his/her conviction becomes spent. Any other collection of fingerprints should be outlawed.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.