Samsung's 'Airtight' Iris Scanning Technology For The S8 Defeated With A Camera, Printer, And Contact Lens
from the a-new-theatre-for-security dept
The thing about biometric scanning as a security practice is it is one of those things that sounds great. "Lock your phone with your fingerprint or facial scan", shout the manufacturers and security companies that came up with the scans. Well, shit, thinks the average person, if nobody else has my face I'm in the clear. Even when movies and television tackle the subject, the methods for breaking the biometric security typically involve convoluted plans and insane stunts so brazen they would make Danny Ocean's jaw drop.
The problem is that the hype around this tech is typically more effective than the tech itself. Fingerprint scanners are easily fooled and facial recognition software has been shown to be defeatable by, and I swear this is true, printouts of a person's face. That isn't security, it's a punchline. So, when Samsung and its security partner decide to pimp the iris-scanning security feature of the Galaxy S8 with language like "airtight" and suggestions that owners of the phone can "finally trust that their phones are protected", one would expect those claims to be backed up by strong technology.
It isn't.
Hackers have broken the iris-based authentication in Samsung's Galaxy S8 smartphone in an easy-to-execute attack that's at odds with the manufacturer's claim that the mechanism is "one of the safest ways to keep your phone locked."
The cost of the hack is less than the $725 price for an unlocked Galaxy S8 phone, hackers with the Chaos Computer Club in Germany said Tuesday. All that was required was a digital camera, a laser printer (ironically, models made by Samsung provided the best results), and a contact lens. The hack required taking a picture of the subject's face, printing it on paper, superimposing the contact lens, and holding the image in front of the locked Galaxy S8. The photo need not be a close up, although using night-shot mode or removing the infrared filter helps. The hackers provided a video demonstration of the bypass.
As they did in the previous facial recognition flaw post referenced above, some will, at this point, be diving for their keyboards to point out that this type of security isn't really designed to make a device impermeable. Rather, it's to keep easy break-ins from occurring. And, hey, that's true! Good job, you guys! The problem here isn't that Samsung's security tech failed to be 100% effective. It's that it's barely effective, yet at the same time Samsung is pitching it as the end of phone break-ins. I'm not the one making wild claims here; they are.
And this tech is going to be rolled out in a big way, likely pitched to the public in the same manner.
"Iris recognition is the next big thing with mobile devices," Starbug wrote in an e-mail. "The technology, especially with the packed space and low computing power of mobile devices, is hard to make hack proof. You can't hide your iris, and it's even worse than fingerprints." At the same time, "mobile devices are holding more and more sensitive data."
Advertising this iris security as "airtight" is actively misleading the public on the security of a device becoming all the more important and one on which the public is more often storing sensitive information. For a company like Samsung to be so vociferous in its claims in light of this easy workaround ought to result in a ding to its credibility.
For biometrics generally, a good pin number is probably still your best bet. The tech may improve to the point of being the most effective option some day, but we're not there yet.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: iris scan, privacy, s8, security
Companies: samsung
Reader Comments
Subscribe: RSS
View by: Time | Thread
Bio-metrics
As many others have said, bio-metrics make sense as an ID or user name, not for a password. Even then, someone else spoofing my 'digits' to impersonate me is not a good thing.
[ link to this | view in chronology ]
Re: Bio-metrics
Passwords however can't be stolen so easily.
[ link to this | view in chronology ]
Eyes open
[ link to this | view in chronology ]
Yet as always the hype will continue, as every new development (in a never ending chain) in "security" gets touted as the absolute final solution ... until it's obviously not.
[ link to this | view in chronology ]
Technical question about phone security
[ link to this | view in chronology ]
Re: Technical question about phone security
I'd say not hard enough, considering they're being dishonest.
Not true. Are you dishonest, like Samsung, or just ignorant?
[ link to this | view in chronology ]
Re: Re: Technical question about phone security
Regarding Samsung, how are they different from every other company that is trying to peddle their product? Look at your own TechDirt products that you peddle. Likely their benefits are overblown a little, right? I have no idea why your expectation of Samsung would be higher than everyone else, is yours a paid opinion? Or do you have a particular ax to grind?
[ link to this | view in chronology ]
Re: Re: Re: Technical question about phone security
[ link to this | view in chronology ]
Re: Re: Re: Re: Technical question about phone security
[ link to this | view in chronology ]
deleting the old one. New data is encrypted to the new key
and old data is slowly converted in the background.
Once all the data is updated the old key is deleted.
The whole process is not so slow or inefficient that it
drains your battery before completion.
[ link to this | view in chronology ]
removed from your password. The encryption key for that is
preserved but re-encrypted along with other sensitive data
when you change your password.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
What most OSes do when encrypting is that it generates a key. This key does not normally change and is transparent to the user. The password you use encrypts this key and only this key. This way, you can grant other users access to your files (and the system / root user) in a multiuser system without giving or remembering your password.
When you change a password, it simply decrypts the key, and re-encrpyts it. Only the new encrypted key is written to the hard drive - nothing else needs to be changed.
With your method, you need to write the old password/key down somewhere should the system be restarted during the rewrite -- this leaves a MASSIVE security issue as a full drive rewrite of 100s of GB will take at least 30-60 minutes.
[ link to this | view in chronology ]
Keep reading.
[ link to this | view in chronology ]
Re: Re: Re: Technical question about phone security
Well, gosh, you made a false statement of fact when you wrote "If they did, then you could not easily and rapidly change the password, because the encrypted data would have to be rewritten." Considering your defense of Samsung's dishonesty, I'm guessing you were possibly being both dishonest and ignorant.
[ link to this | view in chronology ]
Re: Re: Re: Re: Technical question about phone security
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Technical question about phone security
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Technical question about phone security
Ignorant should not be an insult, and someone asking questions is not being WILLFULLY ignorant. Being polite and respectful in correcting them goes a long way.
Also, opinions are opinions. You can disagree with them without calling the other person a liar. Yes, he was mistaken on this; insulting people when they ask for clarification is only going to make them mistaken *and* stubborn about it.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Technical question about phone security
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Technical question about phone security
This would also have the added bonus of making you look less like:
a) a person who is also ignorant, but wants to appear not to be so.
b) a person who wants others to remain ignorant, so that they can be smugly superior to others who have a perceived lesser knowledge of the subject.
c) an inflammatory trolling asshole.
d) any or all of the above.
[ link to this | view in chronology ]
Re: Re: Technical question about phone security
You better not have an idevice, as their lawyers literally say that their advertising is bullshit and you shouldn't believe anything they say.
Google "No reasonable person would believe our advertisements". It'll autocomplete with the full sentence about halfway typing that.
[ link to this | view in chronology ]
Re: Technical question about phone security
Yes, there is.
Android devices have offered full-disk encryption since Android 4.2 or thereabouts, though the implementation prior to Android 5.0 sucked. Full-disk encryption is opt-out starting with Android 7.0, meaning that Android devices are encrypted unless the user takes steps to disable that.
I forget the state of iOS, as that's not my area of expertise, but I am under the impression that full-disk encryption is the norm on newer versions of iOS.
[ link to this | view in chronology ]
Re: Re: Technical question about phone security
[ link to this | view in chronology ]
Re: Re: Re: Technical question about phone security
Dunno if that made sense, but I tried XD
[ link to this | view in chronology ]
Curse my fat fingers yet again.
[ link to this | view in chronology ]
Re: Re: Re: Re: Technical question about phone security
You're replying to the village idiot. Nonsense is his specialty.
[ link to this | view in chronology ]
facial recognition flaws
You know why I stopped? It's because my daughter unlocked it.
Sure, people say 'looks like you just spit her out', but I'm a man in my mid-30s with a beard, she was a pre-pubescent girl of 9 with long hair.
It's like samsung wasn't even trying.
[ link to this | view in chronology ]
Re: facial recognition flaws
[ link to this | view in chronology ]
Re: Re: facial recognition flaws
And, depending on how 'into' phones you are, setting up a new phone - especially if changing manufacturer as well - can be a large effort. So if you discover these flaws in a $700+ phone after you've spent a couple weeks faffing about with it to set it up just right, well, I can understand not wanting to replace it (assuming you can get some sort of decent warranty/exchange) outside a normal (1-3 years depending on the person) upgrade cycle.
[ link to this | view in chronology ]
Re: Re: Re: facial recognition flaws
This renders all fingerprint scanners vulnerable and I don't even have to pay a cent!
Tell me which company has a disclaimer on their website that it's not secure.
Also, Samsung never said Facial Recognition was secure -- setting it up actually warns you that it isn't.
The warning is somewhat overblown and it's actually safer than fingerprints. Fingers prints you leave everywhere, especially on the surface of the phone. As a malicious attacker, I have everything I need just by stealing the phone.
Iris scanner? Requires a good picture with a decent camera. If they don't take a good picture, they're screwed as you're gone.
Airtight? Maybe not, and should be correected. However, other companies seem to get a free pass for their marketing...
[ link to this | view in chronology ]
Re: Re: Re: Re: facial recognition flaws
[ link to this | view in chronology ]
Re: Re: facial recognition flaws
I don't (I have teenagers)
I never expected it to be the most reliable, but when a completely different person can unlock it, the facial recognition was not fit for purpose.
I still use the tablet, but only with the passcode (which unlike my face, fingerprint or iris, requires the product of my mind, and not my body ('the coma standard')
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Big helping of "Nope!"
There's a fundamental flaw in using biometrics for security that doesn't seem to get talked about as much as the breakability, and I can't see how it would ever be overcome (Except in part by the sensible current practice of using the biometric as part of security not the whole):
The flaw is in the "trusted ID". E.g. for a credit card, the "trusted" part of the ID - the thing that makes it worth your money - is the 16-digit number on the front. If the number is compromised by fraud, it's rendered invalid, they issue you a new one and, "hey, presto!", trusted again.
If your biometric is your security and it's compromised, how can it (i.e. you) ever be re-trusted? And if an "unbreakable" biometric security method is developed that seems to stand up comes along, well that just means it will be used for more and more secure and valuable things making it worth putting more money into trying to crack it until it inevitably is.
Nope, think I'll stick with the PIN.
[ link to this | view in chronology ]
Re: Big helping of "Nope!"
> that doesn't seem to get talked about as much as the
> breakability
Right, and that's the fact that you can change your password but can't change your fingerprint or Iris.
[ link to this | view in chronology ]
Re: Re: Big helping of "Nope!"
Thanks for the TL;DR version :-)
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Maharashtra Land Records
[ link to this | view in chronology ]
facial recognition flaws
You know why I stopped? It's because my daughter unlocked it.
Sure, people say 'looks like you just spit her out', but I'm a man in my mid-30s with a beard, she was a pre-pubescent girl of 9 with long hair.
It's like samsung wasn't even trying.
[ link to this | view in chronology ]
Re: facial recognition flaws
[ link to this | view in chronology ]