starbug strikes again - Samsung S8 iris recognition hacked

The article is badly worded and you've grabbed the wrong end of the stick.


The part behind the "or" means you open the camera and remove the infrared filter. Hackers, after all. The long version is in the presentation also linked in the article, footnote 2, where already in 2014 he hacked iris recognition systems. It's in German but you could try to take the subtitle file and auto-translate it if you're interested.

The news here is only that he got around the latest high-tech Samsung phone, not the concept. The contact lens trick is new, I think, and maybe needed after quality increase in 2014 to 2017. From the announcement linked in the OP:

CCC said:
In the infrared light spectrum – usually filtered in cameras – the fine, normally hard to distinguish details of the iris of dark eyes are well recognizable. Starbug was able to demonstrate that a good digital camera with 200mm-lens at a distance of up to five meters is sufficient to capture suitably good pictures to fool iris recognition systems.


In the 2014 presentation he explains that he needed the infrared spectrum for recognition of dark eyes only - if you got blue eyes, a normal camera sufficed. Like Merkel, whose iris he got from campaign billboards... ;)
 
Why do you think he didn't? Around 15 min into the video (the video I linked in the previous post).

Given that the Galaxy S8 came out like five weeks ago it is metaphysically impossible that it was proven in 2014 that a regular photo could defeat its iris sensor provided the owner has blue eyes.
 
Given that the Galaxy S8 came out like five weeks ago it is metaphysically impossible that it was proven in 2014 that a regular photo could defeat its iris sensor provided the owner has blue eyes.


Tony, read what I've written. And then stop bickering and start going to work. You know what you need now to hack into your precious status symbol. Try it. :thumbsup::cool:
 
Tony, read what I've written. And then stop bickering and start going to work. You know what you need now to hack into your precious status symbol. Try it. :thumbsup::cool:

You wrote about what your precious hacker claimed in 2014. Perhaps you haven't noticed that it is 2017.

Also, while owning a device as expensive as the Galaxy S8 might be a huge deal to you, it isn't to me. Owning an S8 does not give me high status (anyone who has decent credit can get one for about $30/month). I got it because it is the best phone one can get.
 
You wrote about what your precious hacker claimed in 2014. Perhaps you haven't noticed that it is 2017.


I wrote that in 2014 the infrared spectrum was only needed for dark eyes, which you quoted and asked for proof, which is in the 2014 video (starbug happens to have blue eyes as well).

Also, while owning a device as expensive as the Galaxy S8 might be a huge deal to you, it isn't to me. Owning an S8 does not give me high status (anyone who has decent credit can get one for about $30/month). I got it because it is the best phone one can get.


LOL.
 
To be fair, he was able to show that you could get a clear enough image from several meters away with off-the-shelf photographic equipment...


...under ideal lighting, with a stationary target, and generally ideal conditions...

Actually no, I think he didn't show that, he just implied it. Perhaps he has genuinely made it work in this way, but the demonstration in the video wasn't the real event. The photo he used at the end to unlock the phone was not the snap he took from 2 metres away at the start.

The photo he places the contact lens on does not have the flattened perspective of a zoomed in shot taken from 2m. It looks more like closeup selfie distance to me. Also the detail is too fine to have been cropped from a head-and-shoulders shot on a 2003 compact camera and the lighting, infrared or not, is quite different.
 
I wrote that in 2014 the infrared spectrum was only needed for dark eyes, which you quoted and asked for proof, which is in the 2014 video (starbug happens to have blue eyes as well).
.

Yeah and the S8 came out a little over a month ago. So what if he claimed in 2014 that a regular photo could defeat an iris scanner then.

Him having blue eyes would only make it easier for him to prove that a regular photo could defeat the S8 iris scanner. If it could be done.
 
The part behind the "or" means you open the camera and remove the infrared filter. Hackers, after all. The long version is in the presentation also linked in the article, footnote 2, where already in 2014 he hacked iris recognition systems. It's in German but you could try to take the subtitle file and auto-translate it if you're interested.

The news here is only that he got around the latest high-tech Samsung phone, not the concept. The contact lens trick is new, I think, and maybe needed after quality increase in 2014 to 2017. From the announcement linked in the OP:




In the 2014 presentation he explains that he needed the infrared spectrum for recognition of dark eyes only - if you got blue eyes, a normal camera sufficed. Like Merkel, whose iris he got from campaign billboards... ;)

I'm actually well aware of their past work. I think it is always good to have marketing nonsense countered by empirical evidence - it is good that they raise these weaknesses - people need to know how secure or not they are and we rely on groups like them to do that.

I suppose what irritates me is how the media misrepresents such things, it's a very serious matter but as ever most of the media is only concerned with delivering those eyeballs. Should be used to it by now!
 
I think it depends on what you are trying to secure, you pick the level of security that suits you. With the S8 I've swapped from using the iris unlock to the face unlock. Face unlock is apparently quite "insecure" but it stops someone picking up my phone and casually seeing what I've got on it which is what I want.


Yes. That is where I was trying to go with the "convenient" part of my post.

Security has traditionally had to deal with a trade-off between convenience and effectiveness. The more you have of one, the less you are likely to have of the other.

This impacts the usefulness of some security systems just because if it is inconvenient then people will try to make it more convenient on their own, which leads to things like passwords on post-it notes stuck to the monitor.

But that isn't relevant to my point about biometric security. You still have a limited number of fingers and eyes, and once those are no longer secure, that's a wasted technique.

I agree that anyone who is willing to go to the trouble to try and duplicate them is more persistent and therefore a different kind of threat than someone who just casually picks up someone's phone, but that doesn't change the extremely limited number of possible solutions that are ultimately available.

Biometric locks on smartphones are all about convenience as well. They are, I guess, less trouble than tapping in a four digit pin. That's really the main thing they offer. I don't think they are that much more convenient.

I'm not sure how much overhead they add in hardware expense per unit and software processing overhead, but if it is enough to have tipped the scales when choosing whether or not to keep things like SD card slots, or 3.5 mm TRRS sockets, or bigger batteries then I'd rather have the pin pad and forego the gee-whiz stuff that doesn't add all that much more real functionality.
 