starbug strikes again - Samsung S8 iris recognition hacked

Childlike Empress

Banned
Childlike Empress
Joined
Jun 4, 2006
Messages
20,632
Location
Ivory Tower
With a rather illustrous history of sidelining biometrical systems, a German hacker known as starbug now tricked the iris recognition system of the Samsung S8 smartphone with rather primitive methods (see video).

Must be a relieve for everyone having to fear Russian hackers or US border police longing for their eyeballs. And for those who object to making stuff like that public: If there's a bad guy as smart and determined as the good guy starbug is, he's at least about to find out exploits like that.
 
So if you have someone's S8 you can break into it. Provided you have a clear infrared image of their eye.

So insecure. :rolleyes:

I have a Samsung Galaxy S8 and I have the Iris scanner on. Not even slightly worried. It works really well.
 
Tony Stark said:
So if you have someone's S8 you can break into it. Provided you have a clear infrared image of their eye.

So insecure. :rolleyes:

I have a Samsung Galaxy S8 and I have the Iris scanner on. Not even slightly worried. It works really well.
Click to expand...

To be fair, he was able to show that you could get a clear enough image from several meters away with off-the-shelf photographic equipment...




...under ideal lighting, with a stationary target, and generally ideal conditions. Yeah, not worried much. But, given this was done off-the-shelf, it does make the possibility of some hacker using a more cleverly modified and clandestine gathering technique a possibility.
 
GodMark2 said:
To be fair, he was able to show that you could get a clear enough image from several meters away with off-the-shelf photographic equipment...




...under ideal lighting, with a stationary target, and generally ideal conditions. Yeah, not worried much. But, given this was done off-the-shelf, it does make the possibility of some hacker using a more cleverly modified and clandestine gathering technique a possibility.
Click to expand...

Needs a hi-res infrared photo which is going to be the stumbling point for most folk.
 
The article is also incorrect as it says "...But whoever has a photo of the legitimate owner can trivially unlock the phone. „..." That should have said "But whoever has a hires infrared photo of the legitimate owner can trivially unlock the phone. „
 
Darat said:
The article is also incorrect as it says "...But whoever has a photo of the legitimate owner can trivially unlock the phone. „..." That should have said "But whoever has a hires infrared photo of the legitimate owner can trivially unlock the phone. „
Click to expand...


As seen in the video, it's a conventional camera in night mode from meters away, and a conventional (SAMSUNG ;)) office printer. No high tech (define "hires") involved.
 
These hackers had to find some old camera with a mode that takes infrared photos. Most digital cameras do not have such a mode.
 
I've never felt comfortable with this effort toward biometric security for smartphones, largely because of the inevitability that someone will find a way to hack them sooner or later combined with the inability to change that security when it is.

With fingerprints you only get ten choices. Hard to change your fingers once you use those up.

With eyeballs you only get two. Even harder to change.

I see it as great for trivial security purposes. Convenient to unlock your phone quickly, although a PIN lock doesn't seem to be all that slow to me. But if you have stuff on there that you really, really want to keep people out of, I suspect other methods are better.

It's gee-whiz, flash-bang gimmickry for boosting phone sales, mostly.
 
Last edited:
quadraginta said:
I've never felt comfortable with this effort toward biometric security for smartphones, largely because of the inevitability that someone will find a way to hack them sooner or later combined with the inability to change that security when it is.

With fingerprints you only get ten choices. Hard to change your fingers once you use those up.

With eyeballs you only get two. Even harder to change.

I see it as great for trivial security purposes. Convenient to unlock your phone quickly, although a PIN lock doesn't seem to be all that slow to me. But if you have stuff on there that you really, really want to keep people out of, I suspect other methods are better.

It's gee-whiz, flash-bang gimmickry for boosting phone sales, mostly.
Click to expand...

If someone wants the info on your phone badly enough that they are willing to find a camera that can take infrared photos, stalk you until they are able to get a good shot of your eyes, and then steal your phone, they could just as easily record you unlocking your phone with the PIN/password/pattern. Or just wait until the phone is unlocked and then steal it.
 
Tony Stark said:
If someone wants the info on your phone badly enough that they are willing to find a camera that can take infrared photos, stalk you until they are able to get a good shot of your eyes, and then steal your phone, they could just as easily record you unlocking your phone with the PIN/password/pattern. Or just wait until the phone is unlocked and then steal it.
Click to expand...


Yeah. There's that, too.
 
Tony Stark said:
If someone wants the info on your phone badly enough that they are willing to find a camera that can take infrared photos, stalk you until they are able to get a good shot of your eyes, and then steal your phone, they could just as easily record you unlocking your phone with the PIN/password/pattern. Or just wait until the phone is unlocked and then steal it.
Click to expand...

Or just look at the fingermarks on your screen that show the pattern or PIN digits (assumes you don't wipe your screen after each unlock). :)
 
Darat said:
Nightmode is infrared....
Click to expand...

No. It is just a long exposure time. You can get such modes easily. Even buy software with an iPad or Apple phone. I just looked it up.

From the link in the OP. Note the word or in the quote.
The easiest way for a thief to capture iris pictures is with a digital camera in night-shot mode or the infrared filter removed.
Click to expand...

Edit. Link http://www.webopedia.com/TERM/N/night_mode.html. Please read before saying that nightmode is infrared.
 
Last edited:
rjh01 said:
No. It is just a long exposure time. You can get such modes easily. Even buy software with an iPad or Apple phone. I just looked it up.

From the link in the OP. Note the word or in the quote.


Edit. Link http://www.webopedia.com/TERM/N/night_mode.html. Please read before saying that nightmode is infrared.
Click to expand...

Night mode in this 2003 Sony camera is very clearly infrared. You can tell just by looking at the image.

ETA: Also infrared is how the iris scanner works. There is even an infrared LED on the S8 for this purpose.
 
Last edited:
Tony Stark said:
Night mode in this 2003 Sony camera is very clearly infrared. You can tell just by looking at the image.

ETA: Also infrared is how the iris scanner works. There is even an infrared LED on the S8 for this purpose.
Click to expand...

I think to be sure someone would need to duplicate these results. Should not be too hard. If it is easy then watch out for the huge stack of Youtube videos showing how it is done.

Edit. Though at the moment all I can find are people reporting on that group and taking it as gospel.
 
Last edited:
quadraginta said:
I've never felt comfortable with this effort toward biometric security for smartphones, largely because of the inevitability that someone will find a way to hack them sooner or later combined with the inability to change that security when it is.

With fingerprints you only get ten choices. Hard to change your fingers once you use those up.

With eyeballs you only get two. Even harder to change.

I see it as great for trivial security purposes. Convenient to unlock your phone quickly, although a PIN lock doesn't seem to be all that slow to me. But if you have stuff on there that you really, really want to keep people out of, I suspect other methods are better.

It's gee-whiz, flash-bang gimmickry for boosting phone sales, mostly.
Click to expand...

I think it depends on what you are trying to secure, you pick the level of security that suits you. With the S8 I've swapped from using the iris unlock to the face unlock. Face unlock is apparently quite "insecure" but it stops someone picking up my phone and casually seeing what I've got on it which is what I want.
 
rjh01 said:
No. It is just a long exposure time. You can get such modes easily. Even buy software with an iPad or Apple phone. I just looked it up.

From the link in the OP. Note the word or in the quote.


Edit. Link http://www.webopedia.com/TERM/N/night_mode.html. Please read before saying that nightmode is infrared.
Click to expand...

The article is badly worded and you've grabbed the wrong end of the stick.

It is not a long exposure it requires an infrared photo of the iris - which is why the sensor itself works in conjunction with an infra-red emitter. Such cameras are rare, especially those that are of a significant resolution to capture the detail the sensor uses.

If you have an "infrared" remote control you can see if your camera will photograph in the infrared, focus your camera on your remote control and keep one of the buttons pressed, take a photo. I would be very, very surprised if you have an off-shelf camera that captures the beams.
 
Darat said:
I think it depends on what you are trying to secure, you pick the level of security that suits you. With the S8 I've swapped from using the iris unlock to the face unlock. Face unlock is apparently quite "insecure" but it stops someone picking up my phone and casually seeing what I've got on it which is what I want.
Click to expand...

I don't really have a problem with the security of face unlock but I don't find it to really be faster than the iris unlock which is much more secure. Plus you have to use the iris scanner (or finger print or PIN) for Samsung Pay which I always use.
 
You must log in or register to reply here.

Back
Top Bottom