Your Eyes Are The Prize For Biometric Hackers

24 May 2017 by Al McCloud

Another day, another biometric authentication system cracked. Last week we covered the BBC journalist who had his twin brother impersonate his ‘voiceprint’ (his voice, basically) to log in to his phone banking.

I know what you’re thinking: that’s too specific to worry about. Not everyone has an identical twin, and we have to assume that not every twin is evil. But it is a big deal because it shows that a security system sold as practically infallible can be duped by a good enough imitation.

The same is true of iris scanners, unfortunately. There’s something very sci-fi about iris scanning, which might give you the impression that it’s far too complicated to breach. But hackers have proven it’s actually pretty easy, specifically on the new Samsung Galaxy S8.

Your iris is one of the most distinctive things about you, along with your tongue-print and your gait (though don’t expect to log in to your phone with either of those anytime soon). So it was a surprise to find that the Chaos Computer Club, who describe themselves as ‘Europe’s largest association of hackers’, managed to bypass the security without needing identical twins at all. Did you know that even identical twins don’t have the same irises? Am I talking about identical twins too much?

In fact, the hack used a far more rudimentary method to get past this futuristic security. To dupe the Galaxy’s iris scanner they printed out a photo of the owner’s eye and held it up to the phone... and that’s it.

I’ll give the hackers a little more credit. Their process involved photographing the victim’s eye with a good digital camera in night-shot mode (which captures near-infrared light, the same band the S8’s scanner illuminates the eye with, so the fine detail of even a dark iris shows up clearly), printing the photo, and then placing a normal contact lens on top of the paper to simulate the curvature of a real eye.

The hackers managed to do this with photos taken up to five meters away from the victim, so whilst it’s not quite as easy as printing out someone’s profile picture, it’s quite possible that a sharp enough photo of you is already online with all of the iris detail required to perform the hack. Maybe I’ll take a leaf out of Bono’s book and start wearing sunglasses indoors.


The real irony of this hack (apart from using basic consumer tech to fool sci-fi security) is that the hackers said they “got the best results with laser printers made by Samsung”.

Whilst it’s very cool to be able to unlock your phone without typing, if you’re serious about security or have state secrets stored on your new S8, it might still be safer to stick to a long PIN – unlike your iris, a PIN can be changed if someone gets hold of it. Just make sure no one’s looking.

