Update (5/25): Samsung sent Gizmodo the following statement:

We are aware of the issue, but we would like to assure our customers that the iris scanning technology in the Galaxy S8 has been developed through rigorous testing to provide a high level of accuracy and prevent attempts to compromise its security, such as images of a person’s iris. If there is a potential vulnerability or the advent of a new method that challenges our efforts to ensure security at any time, we will respond as quickly as possible to resolve the issue.

We’ll be sure to update you as this story develops.

Original post (5/23): Hackers from the Chaos Computer Club have demonstrated just how easy it is to trick the Galaxy S8’s iris scanner. In a perfectly controlled environment, that is.

Iris recognition is yet another form of biometric identification that looks at the patterns inside your irises. In theory, iris scanners are much more secure than fingerprint scanners since irises have complex and completely unique patterns whereas the uniqueness of fingerprints has been questioned in recent years. That’s why the iris scanner on Samsung’s Galaxy S8 and Galaxy S8 Plus is such a big deal, and that’s why the company even felt confident enough to let people use the technology to make payments.

Mark Clifton, CEO of the company behind the iris scanner found on Samsung’s flagships, once explained how his company’s technology can register up to 200 identifying features from a single iris or up to 400 with two irises, compared to 130 identifiers on the FBI’s fingerprint technology. However, it looks like in a perfectly controlled environment, Galaxy S8’s iris scanner is easier to fool than previously thought:

As you can see, security researchers and hackers from the Chaos Computer Club were able to trick the Galaxy S8’s iris scanner with a digital camera, a printer, and contact lenses. As they explain, a good digital camera with 200mm-lens at a distance of up to five meters is sufficient to capture the user’s irises in enough detail:

The easiest way for a thief to capture iris pictures is with a digital camera in night-shot mode or the infrared filter removed… Depending on the picture quality, brightness and contrast might need to be adjusted. If all structures are well visible, the iris picture is printed on a laser printer… To emulate the curvature of a real eye’s surface, a normal contact lens is placed on top of the print.

Of course, this means that in theory, someone could steal your Galaxy S8 and trick the iris scanner in order to make online payments using apps like Samsung Pay. The CCC consequently recommends that you use the traditional PIN protection.

So the bottom line is that in theory, any security protection is susceptible to malicious hacking.

However, it’s important to note that the CCC’s test was done in a perfectly controlled environment, meaning the likelihood of someone being able to capture your irises with a camera and stealing your Galaxy S8 device is quite low. On top of that, there have been other tests in which hackers were able to successfully steal users’ PIN or bypass fingerprint scanners, so the bottom line is that in theory, any security protection is susceptible to malicious hacking. We just need to be careful when using password or biometric protection and avoid storing sensitive information on our phones.

Have you been using the iris scanner on your Galaxy S8? How do you like it so far? Let us know in the comments below!

Comments
Read comments