Samsung S8 iris scanner: How was it bypassed?

Hackers bypassed the Samsung S8 iris scanner, which could spell trouble for biometric authentication. Expert Nick Lewis explains how it happened and how to stay protected.

Hackers managed to bypass the authentication function of the Samsung S8 iris scanner, which Samsung claimed provided airtight security for the smartphone. How does the bypass work, and what can users do to mitigate the threat?

Saying a product has airtight security is often only a challenge to hackers to completely dismantle its security and embarrass the vendor. Samsung's boast about its flagship smartphone user authentication using the S8 iris scanner was no exception, as the company discovered after a recent vulnerability announcement.

Could Samsung have wanted its customers to perform free pen testing on the S8 iris scanner? Perhaps the company believed that taunting hackers into testing the security of its system would be a more cost-effective and efficient way to protect its users than offering a bug bounty program. On a more practical note, this only further demonstrates that enterprises and consumers should be skeptical of vendors' security claims when there isn't sufficient evidence to support them.

Members of the Chaos Computer Club, a European hacker association, were able to defeat authentication using the Samsung Galaxy S8 iris scanner with a photograph of the smartphone's owner. They were able to take a picture of the legitimate owner's eye from up to five meters away, and then use that image to unlock the phone.

This exploit is similar to, but less sophisticated than, a previous attack on facial recognition systems, where the systems were more securely designed and implemented yet were still bypassed.

While Samsung has not directly acknowledged the vulnerability, after reports of the exploit surfaced, the security webpage about the Samsung S8 iris scanner was updated to say that "[f]ace recognition is less secure than pattern, PIN, or password," which at least lets people know the system is less secure than a PIN.

Samsung still advertises its "Government certification data up-to-date as of March 2017," which raises many other issues and may prompt questions about Samsung's other security claims, given the basic nature of this vulnerability. This iris scanner exploit is much less difficult to carry out than a gummy bear attack.

Most high-security iris recognition systems are implemented using significant checks to prevent hacks like this one, but perhaps Samsung was constrained by costs. To mitigate this threat, end users should avoid using the S8 iris scanner, and should instead use a secure PIN or password to log in to the smartphone. 