Chaos Computer Club demonstrates simple Galaxy S8 iris scanner hack

Discussion in 'Article Discussion' started by Gareth Halfacree, 24 May 2017.

  1. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

  2. edzieba

    edzieba Virtual Realist

    It still boggles the mind that Android does not natively support multi-factor unlock: e.g. fingerprint + PIN, iris + PIN, fingerprint + iris + password, etc. The hell of it is, the functionality is already there and enabled for the first reboot - which requires a PIN/password/pattern to unlock before you can use a fingerprint again, there is just no option to enforce both at every unlock.
     
  3. GeorgeK

    GeorgeK Swinging the banhammer Super Moderator

    ^Are there apps which enable that?
     
  4. Guinevere

    Guinevere Mega Mom

    To be fooled by a flat photograph with a contact on top seems like such a basic hack. Obviously not enough testing was done to see what could be done to bypass the security. How about:

    * Doing a basic check to see if the image is 'mostly flat' not just convex over the iris.
    * Looking for edges of a photograph.
    * Checking if the image is monochrome.
    * Checking the image isn't running on an LCD.

    And the really obvious one...

    * Checking to see if the eye is moving. Check for blinks, micro movements etc. Maybe ask for a number of blinks.

    Any visible light/IR based scanning is going to be hackable, but better checks to ensure the scanned image is coming from something head shaped and ALIVE aren't hard.

    Adding in some checks for eye movements and blinks, and adding some basic photogrammetry to look at head shape while asking for a bit of head movement and blinking, will tighten things up a bit and at least make it harder to hack.

    Until someone comes up with the idea of a back projection based head that live replaces an iris onto previously configured sequences of videos...
     
  5. sandys

    sandys Well-Known Member

    Really nice phone though, wish I had heard of this earlier, I locked myself out of mine :rolleyes: and had to use remote wipe ....doh :D

    Actually, there are a number of cases where the S8 won't take biometrics and requires the PIN, like first boot up/restart or first use of the day or something, that's how I ended up locked out, forgot what PIN I used and none of the biometrics would let me in....grrr, so perhaps the hack is not entirely useful.
     
