
Chaos Computer Club Breaks Iris Recognition System of the Samsung Galaxy S8 - morsch
http://www.ccc.de/en/updates/2017/iriden
======
tbihl
Based on the write-up, Samsung has lower-quality iris recognition than could
be written by an undergrad in a few hours. I say that, having done so.

Most obviously, the system should not tolerate a constant-size pupil, ever.
The pupil has micro-dilations around twice per second, and your system is
really terrible if you don't verify that changing diameter.

Also, multi-spectral is a pretty good test, though I don't know enough about
the capabilities of the S8 camera to know if that's feasible (shouldn't be
that hard.) Capturing the patterns of the iris at 500, 800, and 1200nm results
in three templates that are quite different from one another.

CCC were able to do this for about the cost of an S8. I would say this is one
of the rare situations where defeating the attack would have been even
cheaper. It's that simple a programming exercise.
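The two checks tbihl describes, as an added example that is not code from the CCC write-up or from Samsung: a pupil-dynamics test that rejects a constant-diameter pupil, and a cross-band test that rejects a capture whose iris codes come out the same in every spectral band. It assumes an upstream segmentation stage (not shown) that already reports the pupil diameter per frame and emits one binary iris code per band; the frame rate, the thresholds and all sample inputs are constructed for the example.

```python
"""Liveness checks for an iris-recognition capture (added example)."""
import math
from statistics import mean, pstdev
from typing import Sequence

FRAME_RATE_HZ = 30.0            # assumed capture rate of the IR camera


def pupil_is_live(diameters: Sequence[float], frame_rate_hz: float = FRAME_RATE_HZ,
                  min_rel_spread: float = 0.01, hippus_band_hz=(0.5, 4.0)) -> bool:
    """True if the pupil-diameter series shows physiological fluctuation (hippus).

    A printed iris, or a photo with a contact lens laid on it, has a fixed pupil,
    so the series is flat. Two tests are applied:
      1. relative spread (std / mean) must exceed min_rel_spread;
      2. the dominant fluctuation rate, estimated from zero crossings of the
         mean-removed series, must lie in hippus_band_hz (tbihl's comment puts
         the micro-dilations at roughly twice per second). A slow monotonic
         change, e.g. a print moved toward the camera, fails this test.
    """
    n = len(diameters)
    if n < int(frame_rate_hz):          # need about a second of frames to judge
        return False
    centre = mean(diameters)
    if centre <= 0 or pstdev(diameters) / centre < min_rel_spread:
        return False
    centred = [d - centre for d in diameters]
    crossings = sum(1 for a, b in zip(centred, centred[1:]) if (a < 0) != (b < 0))
    duration_s = (n - 1) / frame_rate_hz
    est_hz = crossings / (2.0 * duration_s)      # two zero crossings per cycle
    lo, hi = hippus_band_hz
    return lo <= est_hz <= hi


def hamming_distance(code_a: bytes, code_b: bytes) -> float:
    """Fractional Hamming distance between two equal-length binary iris codes,
    the comparison metric Daugman-style iris matchers use."""
    if len(code_a) != len(code_b):
        raise ValueError("iris codes must have the same length")
    differing = sum(bin(x ^ y).count("1") for x, y in zip(code_a, code_b))
    return differing / (8 * len(code_a))


def bands_are_distinct(codes_by_band: dict, min_distance: float = 0.2) -> bool:
    """True if every pair of per-band codes differs by at least min_distance.

    Follows tbihl's observation that a live iris imaged at e.g. 500, 800 and
    1200 nm yields clearly different codes per band; a capture that codes the
    same in every band is rejected as a flat reproduction. The 0.2 threshold
    is an assumption of this example, not a published figure.
    """
    bands = list(codes_by_band)
    if len(bands) < 2:
        return False
    for i, a in enumerate(bands):
        for b in bands[i + 1:]:
            if hamming_distance(codes_by_band[a], codes_by_band[b]) < min_distance:
                return False
    return True


def capture_is_live(diameters, codes_by_band) -> bool:
    """Both checks must pass before the matcher is allowed to run at all."""
    return pupil_is_live(diameters) and bands_are_distinct(codes_by_band)


# Constructed sample inputs: 2 s of frames at 30 fps, 64-bit toy iris codes.
T = [i / FRAME_RATE_HZ for i in range(60)]
LIVE_DIAMETERS = [4.0 + 0.1 * math.sin(2 * math.pi * 2.0 * t + 0.3) for t in T]  # ~2 Hz hippus
PRINT_DIAMETERS = [4.0] * 60                                                   # fixed pupil on a print
DRIFT_DIAMETERS = [3.8 + 0.4 * i / 59 for i in range(60)]                      # print pushed toward camera
LIVE_CODES = {500: b"\xaa" * 8, 800: b"\x0f" * 8, 1200: b"\x33" * 8}
PRINT_CODES = {500: b"\xaa" * 8, 800: b"\xaa" * 8, 1200: b"\xaa" * 8}

if __name__ == "__main__":
    print("live capture :", capture_is_live(LIVE_DIAMETERS, LIVE_CODES))
    print("printed iris :", capture_is_live(PRINT_DIAMETERS, PRINT_CODES))
    print("moving print :", capture_is_live(DRIFT_DIAMETERS, LIVE_CODES))
```

The zero-crossing estimate is deliberately crude; a real pipeline would use a proper spectral estimate and also check that the diameter change is consistent with the IR illumination it controls, but the point of the example is that a flat series is cheap to reject.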

~~~
matt4077
Samsung always seems to me as if they race to match any iPhone feature–but
never more than skin-deep.

So when the iPhone gets a fingerprint sensor that saves only a hash of the
actual data in a special enclave of a custom chip, Samsung responds with an
iris scanner that saves an image of the iris as a world-readable jpeg in your
home directory.

Thus, their marketing material can claim feature-parity (or even exceed
Apple). But it never seems like they actually care.

It's not like Apple doesn't run into similar problems (not sure if the
fingerprint sensor has been defeated–it's a bad idea for 5th amendment reasons
in any case). But at least they do the minimum in trying.

~~~
mae9tvw5
>It's not like Apple doesn't run into similar problems (not sure if the
fingerprint sensor has been defeated–it's a bad idea for 5th amendment reasons
in any case). But at least they do the minimum in trying.

In 2013 a CCC member broke TouchID access within a few hours after release of
the iPhone. All that was needed was a photograph of the fingerprint on a glass surface.
[https://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid](https://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid)

Same method worked on the iPhone 6, as Apple hasn't changed a thing. Biometry
is fundamentally broken.

~~~
chinathrow
> In 2013 a CCC member broke TouchID access within a few hours after release
> of the IPhone.

It's actually the same guy as with the S8, aka Starbug.

~~~
stiGGG
> It's actually the same guy as with the S8, aka Starbug.

Yes, hopefully he will give another talk at 34C3. Very entertaining guy too!

~~~
lorenzhs
No need to wait for 34c3, he's giving a 30-minute talk at
Gulaschprogrammiernacht in Karlsruhe on Thursday:
[https://entropia.de/GPN17:hacking_galaxy_S8_iris_recognition](https://entropia.de/GPN17:hacking_galaxy_S8_iris_recognition)

------
algesten
Biometric data is not a password, it's an identity. Fingerprints and iris
scans are equivalent to a username or email.

To secure a device you need a password.

Basics: something you are (iris scan, fingerprint), something you have (2fa
token, usb unlock key), something you know (password).

One out of 3 is probably not very secure.

~~~
jpalomaki
Phone must automatically lock quite quickly, otherwise somebody could just
grab it quickly after you have unlocked it. This means the password needs to be typed
in constantly if you are frequently picking up the phone. Also you often want
to grab the phone with one hand, so you need to be able to type the password
with one hand. Combine that with the frequent typing and you probably come to
the conclusion that you can't have a proper, secure passphrase. Instead you resort
to a pin code of some length. Now remember that you need to be typing the pin
code constantly to unlock the phone. With one-hand operation there's little
you can do to protect yourself against shoulder surfing. This means your pin
code is not that private.

Iris scanning or fingerprints are easy for determined attacker, but I would
say they are hard for somebody who just grabs your phone. Vice versa for the
pin code.

I think a good balance between security and usability would be to allow
fingerprint or iris scan when the phone has been constantly in my proximity
but require a pin (password) if the phone is taken away. The proximity could
be determined for example by pairing the phone with smart watch.

~~~
jdironman
An encrypted NFC or Bluetooth bracelet, one sold with or separately from a phone,
would be nice. Pings it every so often. If it can't find it, it automatically
self-locks. If it can't find it for X number of days and a password hasn't
been entered in that time then it wipes || locks the phone.

~~~
datenwolf
> An encrypted NFC or Bluetooth bracelet

Should be significantly more secure than Mifare though. Ideally something like
a contactless OpenPGP card or similar.

Recently I searched for passive NFC ICs that'd be suitable for implementing
that, but came up empty. Usecase was exactly that: A NFC device located at
about the wrist. My laptop has a NFC reader at just the right place of the
handrest to read it. And I'd probably transplant a NFC reader into my desktop
computer's keyboard for the same purpose.

But first I'd need that NFC thingy.
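The policy jpalomaki and jdironman sketch, written out as an added example (not code from any product in the thread): biometric unlock is allowed while a paired wearable is in range, a PIN is required once it has been silent for a couple of ping intervals, and the phone wipes after a long absence with no PIN entered in that time. It also takes datenwolf's point that the wearable must be stronger than a Mifare-style tag: each ping carries a monotonic counter and an HMAC under a key shared at pairing, so a recorded ping cannot be played back to keep the phone in biometric mode. The key, message format, timings and the assumption that pairing itself required the PIN are all assumptions of this example.

```python
"""Proximity-gated unlock policy with an authenticated wearable (added example)."""
import hashlib
import hmac
import struct
from enum import Enum

MAC_LEN = 32                      # HMAC-SHA256 output
PING_LEN = 8 + MAC_LEN            # 64-bit counter + MAC


class Action(Enum):
    ALLOW_BIOMETRIC = "biometric"   # wearable nearby: iris/fingerprint may unlock
    REQUIRE_PIN = "pin"             # wearable absent: fall back to something you know
    WIPE = "wipe"                   # absent for days with no PIN: treat as stolen


class Bracelet:
    """Wearable side: emits authenticated, replay-resistant pings."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def ping(self) -> bytes:
        self.counter += 1
        body = struct.pack(">Q", self.counter)
        return body + hmac.new(self.key, body, hashlib.sha256).digest()


class UnlockPolicy:
    """Phone side: tracks when the wearable was last heard and decides which
    unlock method is acceptable right now."""

    def __init__(self, key: bytes, paired_at: float, ping_interval_s: float = 30.0,
                 missed_pings_before_pin: int = 2, wipe_after_s: float = 7 * 86400):
        self.key = key
        self.grace_s = ping_interval_s * missed_pings_before_pin
        self.wipe_after_s = wipe_after_s
        self.highest_counter = 0
        self.last_ping_at = paired_at   # pairing itself needed the PIN (assumption)
        self.last_pin_at = paired_at

    def accept_ping(self, msg: bytes, now: float) -> bool:
        """Verify the MAC in constant time and reject replayed or stale counters."""
        if len(msg) != PING_LEN:
            return False
        body, tag = msg[:8], msg[8:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False
        (counter,) = struct.unpack(">Q", body)
        if counter <= self.highest_counter:
            return False                 # a recorded ping played back later
        self.highest_counter = counter
        self.last_ping_at = now
        return True

    def pin_entered(self, now: float) -> None:
        self.last_pin_at = now

    def decide(self, now: float) -> Action:
        absent_for = now - self.last_ping_at
        since_pin = now - self.last_pin_at
        if absent_for > self.wipe_after_s and since_pin > self.wipe_after_s:
            return Action.WIPE
        if absent_for > self.grace_s:
            return Action.REQUIRE_PIN
        return Action.ALLOW_BIOMETRIC


def demo() -> list:
    """Constructed timeline: wearable present, then silent, then gone for a week."""
    key = b"\x01" * 32                      # constructed pairing key
    bracelet = Bracelet(key)
    phone = UnlockPolicy(key, paired_at=0.0)
    decisions = []
    phone.accept_ping(bracelet.ping(), now=10.0)
    decisions.append(phone.decide(now=15.0))              # heard 5 s ago
    decisions.append(phone.decide(now=100.0))             # 90 s silent > 60 s grace
    decisions.append(phone.decide(now=10.0 + 8 * 86400))  # 8 days silent, no PIN
    return decisions


if __name__ == "__main__":
    for d in demo():
        print(d.value)
```

A shared-key MAC is the minimum that makes the "ping" meaningful; a relay attack (forwarding pings from the real bracelet to a phone elsewhere) is not addressed here and needs distance bounding or a short-range channel, which is why datenwolf's preference for NFC at the wrist is not just a convenience question.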

~~~
jdironman
Just had an idea, maybe not the wrist for mobile devices, maybe a ring that is
always on the hand that is on the back of the phone. I don't know, but I can't
help but think of how things can be more secure and that there is a market for
those with security in mind.

Just found this also in my search while typing this comment.

[http://nfcring.com/](http://nfcring.com/)

Looks like it might be open source as well?

[https://github.com/mclear/NFC_Ring_Control](https://github.com/mclear/NFC_Ring_Control)

Might be something to keep check on, it supposedly doesn't release until mid
2017.

EDIT: Just thought about if this is open source, anyone could possibly tie it
in with automation apps such as Tasker and really do neat stuff.

~~~
datenwolf
I don't like rings (you put on your fingers). But that's just a personal
preference. I'd be okay with wristbands though. Yes, the proximity to
smartphone NFC readers would be a benefit of a ring.

------
Asdfbla
>Iris recognition may be barely sufficient to protect a phone against complete
strangers unlocking it

I suppose that's the attack scenario those systems (at least in phones) are
supposed to protect against, to be fair. I suppose the alternative might be that
some users use a predictable pin or none at all. Fingerprints or the iris
sensor are an improvement for them because they are quick and easy to use.

Of course it's still good to deflate the hype around Iris scanners a bit and
demonstrate that it is currently a very limited technology after all.
Especially considering their remark that iris scanners spread to other devices
too.

~~~
freeflight
>Fingerprints or the iris sensor is an improvement for them because they are
quick and easy to use.

I'm not sure about it being an improvement, human laziness always finds a way
to make something less secure. Like buying "fingerprint stickers" because they're too
lazy to pull off a glove when wanting to unlock the phone [0].

The CCC always does interesting stuff like this, a couple of years ago they
reproduced a politician's fingerprint just using photos of her hands [1].

This kind of stuff turns biometrics from something "you are" (your
fingerprint, your iris) to something "you have" (a fingerprint on a glove, a
picture of an iris) making biometrics often very trivial to bypass.

[0] [http://gizmodo.com/these-fake-fingerprint-stickers-let-you-access-a-protec-1788710313](http://gizmodo.com/these-fake-fingerprint-stickers-let-you-access-a-protec-1788710313)

[1] [https://arstechnica.com/security/2014/12/politicians-fingerprint-reproduced-using-photos-of-her-hands/](https://arstechnica.com/security/2014/12/politicians-fingerprint-reproduced-using-photos-of-her-hands/)

~~~
josefx
> a fingerprint on a glove

Fingerprints are even worse. They are all over your phone. So if someone
steals it the key is already included.

Fingerprints are something you leave all over the place right now and with the
increased camera placement and tracking done everywhere pictures of your iris
won't be much better for long. So both are not something you are or have, they
are something everyone you ever passed on the street has access to.

------
lnx01
Using a fingerprint for security is like writing your password on everything
you touch. Using your iris is like walking around with your password written
on your forehead.

~~~
lucb1e
> like writing your password on everything you touch.

> with your password written on your forehead.

... in invisible ink*, I'd say. But basically yeah.

------
Kipters
> The Samsung Galaxy S8 is the first flagship smartphone with iris
> recognition.

That's not quite true, Lumia 950, Lumia 950 XL and HP Elite x3 came out a lot
earlier than the Galaxy S8 and all of them use iris recognition (still
undefeated, by the way)

~~~
skocznymroczny
There could be a bit of a bias, Lumias and HP Elite x3 aren't anywhere near as
popular as Samsung Galaxy S8, same as most malware targets Windows rather than
Linux/macOS.

~~~
Kipters
I agree the S8 is more widespread than those 3 combined, but those were
flagships anyway

------
sschueller
I am curious how much eye damage these systems can cause. The S8 gives a warning
before you activate it that you should not place the phone too close to your
face.

How bright is this infrared light and can it cause eye damage although we
can't see it?

~~~
dmd
Have you ever been outside? It's dimmer than that.

~~~
adrianN
A nice campfire that noticeably warms your face when you look at it probably
gives off a couple orders of magnitude more IR than the phone. IR can damage
eyes [1], but the phone probably won't contribute significantly

[1] [https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3116568/](https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3116568/)

~~~
Klathmon
To be fair a campfire also puts out visible light which can cause you to blink
or squint which a "pure IR" light won't.

But the IR from the S8 is still extremely small and safe.

------
morsch
_"The by far most expensive part of the iris biometry hack was the purchase
of the Galaxy S8 smartphone."_

~~~
demarq
and "Ironically, we got the best results with laser printers made by Samsung"

You can tell they really had fun with this!

~~~
flai
Well, it _is_ the CCC. These guys do this for fun, so having more fun while
doing it is just added bonus.

------
johansch
Gotta love these CCC takedowns. I find myself smiling in anticipation when
clicking these kinds of links....

------
alxhill
Whilst it's certainly valuable to make people aware of the limitations of the
security systems we use, this shouldn't really come as a surprise. If someone is
close enough and motivated enough to take a high-res photo of your face just
to access your mobile device, they're also probably close enough to film you
typing in your passcode - sure, you might do that less often, but for an
average user are either of those things a real concern? The security model
hasn't really been "broken" because if someone steals my phone they don't have
access to the device by default.

~~~
piyush_soni
> _If someone is close enough and motivated enough to take a high-res photo of
> your face just to access your mobile device, they're also probably close
> enough to film you typing in your passcode_

Not sure about that. All of my friends, family and work colleagues are 'close
enough' to me to take a high res photo of my face (and I'd gladly let them do
it), but none of them can see my passwords when I'm typing or unlock my phone
without my permission. For me this revelation is of a big concern.

------
madez
To those who know german, I recommend watching the german video.

------
philfrasty
„But biometric authentication does not fulfill the advertised security
promises“

This is completely out of context. For the average smartphone user Iris-
Recognition on a phone (just like touch-ID) VS pin-disabled on the phone is a
huge step forward.

~~~
teamhappy
Here's some context:

> The patterns in your irises are unique to you and are virtually impossible
> to replicate, meaning iris authentication is one of the safest ways to keep
> your phone locked and the contents private.

Source:
[http://www.samsung.com/global/galaxy/galaxy-s8/security/](http://www.samsung.com/global/galaxy/galaxy-s8/security/)

I think the quote is fair.

Also your pin disabled argument doesn't make a lot of sense. That's like
saying 123456 is a good password because many people disable the password
prompt at login.

~~~
madeofpalk
A pin of 123456 _is_ more secure than no pin at all.

~~~
teamhappy
Yes, but that doesn't say anything about the security of passwords in general.
(The same way that bad iris recognition being better than no auth at all
doesn't say anything about the security of iris recognition in general.)

------
dreamcompiler
Retinal scans are somewhat more difficult to fool (it's hard to photograph a
retina from a distance), but the scanners are too unwieldy to fit in phones
and lay people are queasy about lasers scanning their retinas.

------
CyberTrekker
I realize that to some it may appear as obvious, but quite often the obvious
is overlooked as people respond to the hastily promoted propaganda relative to
a system and become emotionally entangled in it instead of holding to reason.

Having prefaced my response with the above clarification, such an outcome
should be expected rather than being unexpected. There's no such thing as a
totally secure and uncompromisable system. Any system can be compromised.
Where there's a system, there's a way to compromise it.

When all is said and done, what can reasonably be expected is a system that's
as secure as it can be reasonably made and a genuine effort to patch
vulnerabilities as quickly as humanly possible.

------
tmsldd
Sir Daugman has left the job incomplete.. there is still space for research.
"Liveness" checking is of course a challenge in such cheap and simplistic
setups.. Anyhow, for operator-attended application scenarios it is still ok.
On the other hand, I see biometrics as a convenience feature in physical or logical
access control scenarios (as long as the security level is at least equal to or
higher than conventional methods).

------
jupp0r
Who would want to use an authentication token that they cannot change once
it's been compromised?

------
dingo_bat
The important thing is how much more/less difficult is this than spoofing a
fingerprint. If it is significantly harder, I still see it as a win for
samsung's security.

~~~
draugadrotten
Spoofing this eye is significantly easier than spoofing a fingerprint, because
modern fingerprint technology detects if a fingerprint is "alive" by looking at
sweat pores, pulse, veins under the skin and other features of a living
finger.

~~~
rennir
CCC reported that they managed to bypass Apple's Touch ID in 2013, so it
doesn't really seem like one is easier than the other.

~~~
draugadrotten
AppleID from 2013 may not have included all the features of AppleID in 2017.

------
geniium
Oh Samsung, nice try!

------
6d6b73
Wait. S8 has iris recognition system and people are dumb enough to scan their
eyes and give another biometric data point to god knows whom?

~~~
ry_ry
Given how easily they broke the iris recognition, that particular cat is
likely already out of the bag.

~~~
CyberTrekker
As it would to varying degrees with any system, knowing humans.

