Earlier this week, German security researchers from the CCC demonstrated how one might gain access to a Samsung Galaxy S8 with iris recognition enabled. The trick involved taking an infrared photo of the subject at medium distance and placing a contact lens over the eye portion of the photo to simulate the shape of an actual eye. The attacker was let in with nary a delay.
Despite it being a scary sight, Samsung is brushing this off as a non-issue. Their argument is that while yes, the camera can be tricked, it’s unrealistic for this to happen to someone.
They note the need to acquire an infrared camera, something that’s pretty hard to find, as well as the attacker needing the victim’s device in the first place. That’s not to mention that you’d need to have a spare contact lens on hand.
The original report suggested you could just as well use a high-res photo of someone from the internet, but only “under some circumstances,” which we now imagine translates to “that photo might have to be shot with an infrared camera.”
Indeed, CCC did use an infrared camera in their demonstration. Had it really been applicable to other types of photos, they likely would have shown it in the original video.
While Samsung’s take on the issue is understandable and borderline acceptable, we still have to call out the fact that it can happen, no matter how unlikely a scenario it may be.
Our stance on the matter was clear: if you’re that paranoid about it, you can ditch the iris scanner, enable a nice long password, and go on about your day feeling more secure.
[via The Investor]