Hackers Fool Samsung Galaxy S8 Iris Scanner with Photo

UPDATED 1:53 p.m. EDT Tuesday with statement from Samsung.

Samsung claims the iris scanner on its Galaxy S8 flagship phone provides "airtight security," but that may not be the case.

Credit: Chaos Computer Club/YouTube

(Image credit: Chaos Computer Club/YouTube)

A couple of members of the German Chaos Computer Club (CCC), already renowned for hacking biometric logins, show in a newly released video how to fool the Galaxy S8's iris scanner with a digital photograph, an office printer and a contact lens.

Tom's Guide hasn't had a chance to replicate this method, but it looks pretty straightforward. If it's true, this would be another notch on the CCC's belt; it was the first group to fool the iPhone's fingerprint sensor in 2013. 

MORE: Best Password Managers

"The patterns in your irises are unique to you and are virtually impossible to replicate," Samsung says on its website about the Galaxy S8's security, "meaning iris authentication is one of the safest ways to keep your phone locked and the contents private."

Yet in the video, a regular point-and-shoot digital camera is used to take a photograph of the face of German hacker Jan "Starbug" Krissler from about 10 feet away as he sits on a bench in a courtyard.

Subtitles on the video state that the photo is taken using night mode, even though it's daytime, because the Galaxy S8's iris scanner uses the same sort of infrared light that night mode often does.

Krissler then goes to his lab, brings up the photo on a MacBook and zooms in on the part of the photo showing his right eye. He uses an office-quality Samsung laser printer to print out a high-resolution life-size black-and-white image of his own eye.

He then sits down with a Samsung Galaxy S8 and registers his own irises to the phone, so that he can unlock the screen using his eyes.

Then Krissler carefully places a contact lens over the black-and-white photograph of his own eye, which is lying flat on the desk in front of him. He gently lifts up the photograph so that it's vertical and facing the Samsung Galaxy S8, which is resting propped up against the vertical screen of his MacBook.

Krissler guides the photograph so that the eye on the image lines up with iris-sensing guide circle on the screen of the Galaxy S8. The phone's screen unlocks.

"[It took] about a day of experimenting until the idea came up to use a contact lens," CCC hacker Linus Neumann told VICE Motherboard about the Galaxy S8 hack. "Then, a little charade of printers until it turned out that the Samsung printer provided the most reliable prints."

Foiling phone fingerprints

In early 2015, Krissler showed how a high-resolution infrared photograph of his own eyes fooled a Panasonic commercial iris reader, and surmised that color photos of someone with light-colored green or blue eyes — such as German Chancellor Angela Merkel — might also work.

A few months earlier, he showed that a high-resolution photo of the right thumb of German Defense Minister Ursula von der Leyen, taken at a press conference, was detailed enough to obtain a nearly complete fingerprint.

By that point, Krissler had already demonstrated how to unlock iPhones with laser-printed fingerprints taken from photographs and from beer mugs.

Tom's Guide has reached out to Samsung for comment, and we will update this story when we receive a reply.

UPDATE: Samsung has released a statement, which is below in full.

"We are aware of the issue, but we would like to assure our customers that the iris-scanning technology in the Galaxy S8 has been developed through rigorous testing to provide a high level of accuracy and prevent attempts to compromise its security, such as images of a person's iris. If there is a potential vulnerability or the advent of a new method that challenges our efforts to ensure security at any time, we will respond as quickly as possible to resolve the issue."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.