German security researchers break Samsung's Galaxy S8 iris recognition system

Hackers from the German Chaos Computer Club have found a way to break the iris recognition system of the Samsung Galaxy S8 with no more than a picture of an iris and a contact lens. The Samsung Galaxy S8 is the first popular smartphone with iris recognition as a biometric authentication method.

The biometric system should be able to recognize users based on their unique iris pattern, but it can be easily bypassed. In a video, the CCC hackers demonstrate how they take a picture of someone's eyes using the night mode of a camera. Night mode is required because the iris recognition sensor uses infrared light.

After the photo is taken, it is printed using a laser printer. Placing a normal contact lens on the print simulates the curvature of a real eye's surface. The print and the contact lens together are all that is needed to bypass the iris recognition and unlock the phone.

"Ironically, we got the best results with laser printers made by Samsung", the hackers write on their site.

Iris recognition can also be used for Samsung Pay, but the CCC advises against that: "If you value the data on your phone – and possibly want to even use it for payment – using the traditional PIN-protection is a safer approach than using body features for authentication."

The hackers from the CCC also previously hacked Apple's fingerprint recognition system, Touch ID.
