“Although the one-minute video (that shows the sensor being fooled with a dummy eye) appears simple, it is hard to see that happening in real life,” a Samsung spokesperson told The Korea Herald.
“You need a camera that can capture infrared light (used in the video), which is no longer available in the market. Also, you need to take a photo of the owner’s iris and steal his smartphone. It is difficult for the whole scenario to happen in reality.”
Samsung’s explanation came after a German hacking collective, Chaos Computer Club, posted Tuesday a video on YouTube showing that it could break the Galaxy S8’s iris recognition lock with a printer, a picture of an iris photo taken with a camera and contact lenses.
In the video clip, members of the collective take a photo of the phone owner’s eye with the camera that can capture infrared light and print it out with a Samsung leisure printer. They then placed contact lenses on top of the picture to mimic the curvature of the eye.
CCC spokesman Dirk Engling said, “Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris.”
“If you value the data on your phone -- and possibly want to even use it for payment -- using the traditional pin protection is a safer approach than using body features for authentication,” he said.
Samsung has been using its iris scanner for the mobile payment service Samsung Pay, saying the biometric technology is “one of the safest ways to keep your phone locked” and that a person’s iris patterns are “virtually impossible to replicate.”
CCC, a long-running hacker collective formed in Berlin in 1981, is the same group that fooled the fingerprint sensor of Apple’s iPhone 5S, just two days after the device went on sale worldwide. The hacking team had taken the fingerprint of an iPhone user, printed it onto a transparent sheet and created a fake fingerprint to unlock the phone.
By Shin Ji-hye (firstname.lastname@example.org)