Biometrics are becoming our next de facto security measure, and they're supposed to be a vast improvement on easily-forgotten and hackable passwords. Yet a point-and-shoot camera, laser printer and contact lens is all it took for German hacking group Chaos Computer Club to crack the Samsung Galaxy S8's iris scanner. "By far [the] most expensive part of the iris biometry hack was the purchase of the Galaxy S8," the group wrote on its website.
They pulled it off by taking a photo of the target from about five meters away, and printing a close-up of the eye on a laser printer — made by Samsung, no less. A regular contact lens was placed on top of the print to replicate the curve of an eyeball. When the print was held up to the smartphone, the S8 unlocked.
"The security risk to the user from iris recognition is even bigger than with fingerprints as we expose our irises a lot," said Dirk Engling, spokesperson for the group, which previously hacked the iPhone 5S fingerprint sensor using photos of a glass surface. "Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris."
Biometric security is taking off, particularly with the rise of mobile payments. Mastercard has rolled out "selfie pay" in Europe, while Australia has introduced facial recognition to replace passports in airports, and Chinese ride-share company Didi helps passengers verify their driver's identity using face scanning.
Sci-fi has told us that iris scans are so accurate you'd need to cut out someone's eyes to fool them. But the disappointing reality so far is that stuff a hacker could rummage for on Craigslist is probably good enough.