Samsung Galaxy S8 iris scanner tricked by photo, contact lens

Turns out the sophisticated tech can't tell the difference between your eye and a picture with a contact lens over the iris, a hacking club says.

Alfred Ng Senior Reporter / CNET News

Samsung has touted its iris scanner as one of the best ways to secure your phone.


You won't believe your eyes. But maybe the Samsung Galaxy S8 will.

In the month since Samsung released its flagship device, hackers in Germany have figured out how to break the phone's iris recognition lock. Samsung has touted the biometric technology as "one of the safest ways to keep your phone locked," claiming that a person's iris patterns are "virtually impossible to replicate."

But that's exactly what the hackers from the Chaos Computer Club say they did. The hackers used a photo shot in night mode and from a medium distance, about the same range that would pop up in a Facebook profile picture or a selfie. They then printed out a closeup of the person's eye and put a contact lens over the iris on the paper.

The lens is there to replicate the eye's curvature, the Chaos Computer Club said in a blog post this week. Someone then held up the piece of paper to the Samsung Galaxy S8's iris scanner, and it unlocked as if a real person had looked at it.


"The security risk to the user from iris recognition is even bigger than with fingerprints as we expose our irises a lot," CCC spokesman Dirk Engling said. "Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris."

Samsung did not immediately respond to requests for comment.

Biometrics are quickly becoming the new standard of security for devices, as researchers predict that more than 770 million apps will use the technology by 2019. Apple is rumored to be working on an iris scanner for its next iPhone, as well.

The use of biometrics is growing in popularity for its convenience and its unique ties to a person, but researchers have shown that biometrics in general are not foolproof.

In January, a Japanese researcher found that fingerprints could be stolen from peace sign selfies online and be used to break into phones with biometric locks. Finger pads aren't in every photo we post online, but faces are everywhere.

Biometrics supporters hope the tech can one day replace the password. Engling recommends sticking with a PIN or password to protect your phone, for now.
