CNET también está disponible en español.

Ir a español

Don't show this again

Phones

Samsung Galaxy S8 iris scanner tricked by photo, contact lens

Turns out the sophisticated tech can't tell the difference between your eye and a picture with a contact lens over the iris, a hacking club says.

samsung-note-7-iris-scanner-unlock.jpg

Samsung has touted its iris scanner as one of the best ways to secure your phone.

Jason Cipriani/CNET

You won't believe your eyes. But maybe the Samsung Galaxy S8 will.

In the month since Samsung released its flagship device, hackers in Germany have figured how to break the phone's iris recognition lock. Samsung has touted the biometric technology as "one of the safest ways to keep your phone locked," claiming that a person's iris patterns are "virtually impossible to replicate."

But that's exactly what the hackers from the Chaos Computer Club say they did. The hackers used a photo shot in night mode and from a medium distance, about the same range that would pop up in a Facebook profile picture or a selfie. They then printed out a closeup of the person's eye and put a contact lens over the iris on the paper.

The lens is there to replicate the eye's curvature, the Chaos Computer Club said in a blog post this week. Someone then held up the piece of paper to the Samsung Galaxy S8's iris scanner, and it unlocked as if a real person had looked at it.

animation-2.gif

Chaos Computer Club

"The security risk to the user from iris recognition is even bigger than with fingerprints as we expose our irises a lot," CCC spokesman Dirk Engling said. "Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris."

Samsung did not immediately respond to requests for comment.

Biometrics are quickly becoming the new standard of security for devices as researchers predict that more than 770 million apps will use it by 2019. Apple is rumored to be working on an iris scanner for its next iPhone, as well.

The use of biometrics is growing in popularity for its convenience and its unique ties to a person, but researchers have shown that biometrics in general are not foolproof.

In January, a Japanese researcher found that fingerprints could be stolen from peace sign selfies online and be used to break into phones with biometric locks. Finger pads aren't in every photo we post online, but faces are everywhere.

Biometrics supporters hope the tech can one day replace the password. Engling recommends sticking with a PIN or password to protect your phone, for now.

Tech Enabled: CNET chronicles tech's role in providing new kinds of accessibility.

Batteries Not Included: The CNET team reminds us why tech is cool.