News Chaos Computer Club demonstrates simple Galaxy S8 iris scanner hack

Discussion in 'Article Discussion' started by Gareth Halfacree, 24 May 2017.

  1. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

  2. edzieba

    edzieba Virtual Realist

    It still boggles the mind that Android does not natively support multi-factor unlock: e.g. fingerprint + PIN, iris + PIN, fingerprint + iris + password, etc. The hell of it is, the functionality is already there and enabled for the first reboot - which requires a PIN/password/pattern to unlock before you can use a fingerprint again, there is just no option to enforce both at every unlock.
     
  3. GeorgeK

    GeorgeK Swinging the banhammer Super Moderator

    ^Are there apps which enable that?
     
  4. Guinevere

    Guinevere Mega Mom

    To be fooled by a flat photograph with a contact on top seems like such a basic hack. Obviously not enough testing was done to see what could be done to bypass the security. How about:

    * Doing a basic check to see if the image is 'mostly flat' not just convex over the iris.
    * Looking for edges of a photograph.
    * Checking if the image is monochrome.
    * Checking the image isn't running on an LCD.

    And the really obvious one...

    * Checking to see if the eye is moving. Check for blinks, micro movements etc. Maybe ask for a number of blinks.

    Any visible light/IR based scanning is going to be hackable, but better checks to ensure the scanned image is coming from something head shaped and ALIVE aren't hard.

    Adding in some checks for eye movements and blinks, and adding some basic photogrammetry to look at head shape while asking for a bit of head movement and blinking, will tighten things up a bit and at least make it harder to hack.

    Until someone comes up with the idea of a back projection based head that live replaces an iris onto previously configured sequences of videos...
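
The blink-challenge and micro-movement checks suggested in the post above, as an added example that is not part of the thread or of any vendor's code. It assumes a hypothetical upstream eye tracker that reports eyelid openness and pupil position per frame; the thresholds and sample frames are constructed.

```python
from dataclasses import dataclass
from statistics import pstdev

@dataclass
class Frame:
    openness: float  # eyelid opening: 0.0 closed, 1.0 fully open
    gaze_x: float    # pupil centre, pixels
    gaze_y: float

CLOSED, OPEN = 0.2, 0.6   # hysteresis thresholds (assumed values)
MIN_JITTER_PX = 0.3       # assumed floor for natural micro-movement

def count_blinks(frames):
    """Count open -> closed -> open transitions, using hysteresis."""
    blinks, closed = 0, False
    for f in frames:
        if not closed and f.openness < CLOSED:
            closed = True
        elif closed and f.openness > OPEN:
            closed = False
            blinks += 1
    return blinks

def gaze_jitter(frames):
    """Spread of the pupil position over open-eye frames only."""
    pts = [f for f in frames if f.openness > OPEN]
    if len(pts) < 2:
        return 0.0
    return max(pstdev([f.gaze_x for f in pts]), pstdev([f.gaze_y for f in pts]))

def is_live(frames, requested_blinks):
    """Pass only if the requested blink count was met and the eye moves."""
    reasons = []
    if count_blinks(frames) != requested_blinks:
        reasons.append("blink challenge not met")
    if gaze_jitter(frames) < MIN_JITTER_PX:
        reasons.append("no micro-movement")
    return (not reasons, reasons)

# Constructed samples: a static print, and a live eye that blinks twice.
STATIC_PRINT = [Frame(0.9, 100.0, 50.0) for _ in range(30)]
_OPENNESS = [0.9, 0.85, 0.9, 0.1, 0.05, 0.8, 0.9, 0.88, 0.1, 0.7, 0.9, 0.9]
LIVE_EYE = [Frame(o, 100.0 + (i % 3) - 1, 50.0 + (i % 2) * 0.8)
            for i, o in enumerate(_OPENNESS)]

if __name__ == "__main__":
    print(is_live(STATIC_PRINT, 2))  # fails both checks
    print(is_live(LIVE_EYE, 2))      # passes
    print(is_live(LIVE_EYE, 3))      # right eye, wrong answer to the challenge
```

Choosing `requested_blinks` at random for each unlock attempt is what makes the count a challenge: a capture that was recorded in advance carries a fixed number of blinks.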
     
  5. sandys

    sandys Multimodder

    Joined:
    26 Mar 2006
    Posts:
    4,929
    Likes Received:
    726
    Really nice phone though, wish I had heard of this earlier, I locked myself out of mine :rolleyes: and had to use remote wipe ....doh :D

    Actually, there are a number of cases where the S8 won't take biometrics and requires the PIN, like first boot up/restart or first use of the day or something, that's how I end up locked out, forgot what PIN I used and none of the biometrics would let me in....grrr, so perhaps the hack is not entirely useful.
     