Most obviously, the system should not tolerate a constant-size pupil, ever. The pupil has micro-dilations around twice per second, and your system is really terrible if you don't verify that changing diameter.
Also, multi-spectral is a pretty good test, though I don't know enough about the capabilities of the S8 camera to know if that's feasible (shouldn't be that hard.) Capturing the patterns of the iris at 500, 800, and 1200nm results in three templates that are quite different from one another.
CCC were able to do this for about the cost of an S8. I would say this is one of the rare situations where defeating the attack would have been even cheaper. It's that simple a programming exercise.
So when the iPhone gets a fingerprint sensor that saves only a hash of the actual data in a special enclave of a custom chip, Samsung responds with an iris scanner that saves an image of the iris as a world-readable jpeg in your home directory.
Thus, their marketing material can claim feature-parity (or even exceed Apple). But it never seems like they actually care.
It's not like Apple doesn't run into similar problems (not sure if the fingerprint sensor has been defeated–it's a bad idea for 5th amendment reasons in any case). But at least they do the minimum in trying.
In 2013 a CCC member broke TouchID access within a few hours after release of the iPhone. All that was needed was a photograph of the fingerprint on a glass surface. https://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid
Same method worked on the iPhone 6, as Apple hasn't changed a thing. Biometry is fundamentally broken.
And wood glue! Looks like that method proved unreliable, so they expanded it:
"To create the mold, the mask is then used to expose the fingerprint structure on photo-sensitive PCB material. The PCB material is then developed, etched and cleaned. After this process, the mold is ready. A thin coat of graphite spray is applied to ensure an improved capacitive response. This also makes it easier to remove the fake fingerprint. Finally a thin film of white wood glue is smeared into the mold. After the glue cures the new fake fingerprint is ready for use."
People reported that pets' paws work.
How is the iris scanner on Microsoft phones in comparison?
AFAIK CCC never had a proof of concept of a real world usage of this. They needed access to the original finger.
That isn't to say it's not possible but it is a pretty major asterisk.
Can't find the reference right now, but somebody's gotta remember this, it was when the UK was considering using biometric data as IDs.
https://www.ccc.de/updates/2008/schaubles-finger (in German)
Which, imo, isn't much different conditions tbh (i.e. not representative of the real world)
There's no need to get a perfect copy.
"fingerprints are usernames, not passwords" is the standard advice I've read.
It's actually the same guy as with the S8, aka Starbug.
They also managed to get the fingerprint of a politician via a high resolution picture taken at a speech.
(Also a phone PIN via eye reflection captured by the front camera.)
Yes, hopefully he will give another talk at 34C3. Very entertaining guy too!
The use of biometrics on mobile devices somewhat mixes this, with the assumption that if some user was authenticated within a certain time frame (via a pin or some other knowledge bound check), a simple id is enough to extend that authentication.
Authorization is the counterpart to Authentication: authentication proves who you are (with passwords/tokens/biometrics aka something you know/have/are), authorization controls what you can do (with permissions/ACLs/roles/etc.)
To put it another way, the bouncer at a club checks your photo ID to see that you match it (authentication via something you are), then uses it to see if you can enter (authorization by checking your birthdate against a cut-off/name against a guestlist).
Firstly, any biometric technique can be beaten. Against a known, committed foe, it is almost impossible to defend with surety. And for that matter, who can't obtain the pin code of any other user given a short amount of time and focused attention? The notion that "if someone takes an IR high resolution, close photo of your iris they can defeat your security" is asinine given that the same people could obtain your pin in a million and one ways.
These mechanisms are to induce users to use some security, and the primary defense is against lost or stolen phones, making it convenient enough that it isn't disabled.
Secondly, how did this somehow turn into yet another Royal Apple spiel? Aside from the easy beatability of the Apple fingerprint sensor, why wouldn't you compare the fingerprint sensor on a Samsung?
There are commercial security products that regularly perform "IR high resolution" iris scans from several meters away and require no cooperation from the target. Stanley CSS sold one that sat on top of a doorway over five years ago, their product literature says that you need to look at it - but having demoed it myself, I can say that is not true.
Until CCC approves your CSS I will consider it insecure.
On paper it looks awful, but everything this phone does works 100% of the time quickly and without stuttering or failing.
Before I had a Motorola. It was much better. I will not buy another Samsung.
But that should be expected, as it's from Google
But my point was more that on paper it doesn't look like much. It doesn't have waterproofing, it's not "best in class" in anything except the camera, it runs software which has less "on paper" features than other brands, it doesn't have an SD card or removable battery, etc...
But when you actually go to use it, it's a night and day difference between it and other devices.
I think you misunderstood this. The cost was buying the S8.
You only need a laser printer, a decent camera and a contact lens.
No, considering that the picture doesn't have to be that good, you need only a rogue picture from somewhere on the Internet (Facebook, Instagram, or whatever), the means to get it printed cheaply (most likely using a public printing service), and the contact lens. Oh, and the contact lens doesn't have to be new/hygienic. The total cost boils down to pennies.
While I agree that Samsung is at its core a hardware company and software engineers are still treated like second-class citizens, you can't just expect them to compete with Google or Microsoft overnight, IMO. I'm disinclined to believe that their military-like corporate hierarchy is to blame.
Also, the cellphone image resolution is far too low to recognize dilations. Looking at the video, I'm surprised that it works as well as it does, to be honest.
Then it's also fixable in software, no hardware update needed, right?
At least to make it better even if it isn't good yet.
It seems that there are reasonably large changes due to thinking about something, but not due to just looking unless your camera can detect 0.01 mm changes in diameter, which maybe tbihl's could, but that seems unreasonable for a smartphone camera.
I would guess tbihl has never tried to get iris recognition working on a cost-constrained consumer device at a huge scale. They might not think it is so trivial then.
Saccades in general are just rapid, ballistic eye movements: they don't have to be small and they're often voluntary. You often make saccades without explicitly thinking about it, but you can countermand these and hold your eyes still when you want to.
What if one of the subject's eyes is a glass eye? What if they're wearing colored contact lenses? Wouldn't both of those situations complicate that?
Maybe the answer is to introduce a "weak mode" option where most users could have the scanner verify "yes, this is a real eyeball," and if someone with a glass eye still wanted to use iris scanning in a way that can be copied by a photo, they have the choice to disable the security measures.
Personally I think Apple should allow you to turn the backlight for the screen off entirely for their use. Perfect over the shoulder privacy and better battery life to boot!
Might be that they did a bad job with the Iris recognition, but why not give them the benefit of the doubt and consider that they were aware of the trade-offs involved?
If they couldn't manage to get false negatives down to a sensible level without compromising security in such a blatant way, there's two courses of action: Live with it, or don't release it.
This is a marketing gimmick, not a security feature.
Just as with fingerprint readers the target audience is people who otherwise wouldn't lock their phone at all.
If someone has physical access to the user they can probably get into most people's phones (that's just saying people aren't careful enough though).
To secure a device you need a password.
Basics: something you are (iris scan, fingerprint), something you have (2fa token, usb unlock key), something you know (password).
One out of 3 is probably not very secure.
Iris scanning or fingerprints are easy for a determined attacker, but I would say they are hard for somebody who just grabs your phone. Vice versa for the pin code.
I think a good balance between security and usability would be to allow fingerprint or iris scan when the phone has been constantly in my proximity but require a pin (password) if the phone is taken away. The proximity could be determined for example by pairing the phone with smart watch.
Should be significantly more secure than Mifare though. Ideally something like a contactless OpenGPG card or similar.
Recently I searched for passive NFC ICs that'd be suitable for implementing that, but came up empty. Use case was exactly that: An NFC device located at about the wrist. My laptop has an NFC reader at just the right place of the handrest to read it. And I'd probably transplant an NFC reader into my desktop computer's keyboard for the same purpose.
But first I'd need that NFC thingy.
Just found this also in my search while typing this comment.
Looks like it might be open source as well?
Might be something to keep check on, it supposedly doesn't release until mid 2017.
EDIT: Just thought about if this is open source, anyone could possibly tie it in with automation apps such as Tasker and really do neat stuff.
Quoting GP: I think a good balance between security and usability would be to allow fingerprint or iris scan when the phone has been constantly in my proximity but require a pin (password) if the phone is taken away. The proximity could be determined for example by pairing the phone with smart watch.
When combined with a fingerprint sensor, smart lock keeps the device completely unlocked while "triggered" (by being on-body, or close to a trusted BT device, etc), and the fingerprint unlocks it while not triggered. It doesn't ever escalate to requiring the pin/password/pattern. Please correct me if I'm wrong, because I'd like to be.
Definitely not a perfect system. I wish that I could set timeouts and map the power button to do an admin lock. Also, having to use a 3rd party app for this is quite likely its own threat vector.
I'd love to have features where the fingerprint is only good enough under certain circumstances, such as when the phone hasn't been idle for too long, or when combined with an RFID tag.
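The step-up policy proposed in the comments above (biometric unlock only while the phone has stayed near a paired wearable and has not been idle too long, PIN otherwise), sketched as an added example that is not from any commenter or from any vendor's lock screen. The class name, event names and the 900-second idle limit are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class UnlockPolicy:
    max_idle_s: float = 900.0   # assumed idle limit, not a vendor value
    pin_required: bool = True   # after boot only the PIN is accepted
    last_unlock: float = 0.0

    def proximity_lost(self) -> None:
        # Sticky: the wearable coming back into range does not clear this.
        self.pin_required = True

    def allowed(self, now: float) -> set:
        if self.pin_required or now - self.last_unlock > self.max_idle_s:
            return {"pin"}
        return {"pin", "biometric"}

    def unlock(self, method: str, matched: bool, now: float) -> bool:
        # A matching iris or fingerprint is still refused outside its window.
        if not matched or method not in self.allowed(now):
            return False
        if method == "pin":
            self.pin_required = False
        self.last_unlock = now
        return True

def replay(events):
    """Run constructed (time, kind, method, matched) events; return unlock results."""
    policy, results = UnlockPolicy(), []
    for now, kind, method, matched in events:
        if kind == "proximity_lost":
            policy.proximity_lost()
        else:
            results.append(policy.unlock(method, matched, now))
    return results

# Constructed timeline, in seconds since boot.
SAMPLE = [
    (0,    "unlock", "biometric", True),   # no PIN entered since boot
    (5,    "unlock", "pin",       True),
    (60,   "unlock", "biometric", True),   # inside the trusted window
    (120,  "proximity_lost", None, None),  # phone taken away from the watch
    (130,  "unlock", "biometric", True),
    (140,  "unlock", "pin",       True),
    (2000, "unlock", "biometric", True),   # idle longer than max_idle_s
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

The difference from the smart-lock behaviour described a few comments up is that losing proximity escalates to the PIN instead of merely dropping back to the fingerprint.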
I'm glad it's not every few hours because my iPhone password is quite long.
Why complicate things with 2fa tokens. Something you have: the phone!
However I agree with something you know being missing.
And unless you regularly leave your phone lying around, you'll realize this is pretty much a requirement for breaking into your phone anyway.
Something you have: phone
You can't log in remotely with an iris or fingerprint.
I suppose that's the attack scenario those systems (at least in phones) are supposed to protect against, to be fair. Suppose the alternative might be that some users use a predictable pin or none at all. Fingerprints or the iris sensor is an improvement for them because they are quick and easy to use.
Of course it's still good to deflate the hype around Iris scanners a bit and demonstrate that it is currently a very limited technology after all. Especially considering their remark that iris scanners spread to other devices too.
I'm not sure about it being an improvement, human laziness always finds a way to make something less secure. Like buying "fingerprint stickers" because too lazy to pull off a glove when wanting to unlock the phone.
The CCC always does interesting stuff like this, a couple of years ago they reproduced a politician's fingerprint just using photos of her hands.
This kind of stuff turns biometrics from something "you are" (your fingerprint, your iris) to something "you have" (a fingerprint on a glove, a picture of an iris) making biometrics often very trivial to bypass.
Fingerprints are even worse. They are all over your phone. So if someone steals it the key is already included.
Fingerprints are something you leave all over the place right now and with the increased camera placement and tracking done everywhere pictures of your iris won't be much better for long. So both are not something you are or have, they are something everyone you ever passed on the street has access to.
That was actually the same guy.
> with your password written on your forehead.
... in invisible ink*, I'd say. But basically yeah.
That's not quite true, Lumia 950, Lumia 950 XL and HP Elite x3 came out a lot earlier than the Galaxy S8 and all of them use iris recognition (still undefeated, by the way)
How bright is this infrared light and can it cause eye damage although we can't see it?
But the IR from the S8 is still extremely small and safe.
You can tell they really had fun with this!
Not sure about that. All of my friends, family and work colleagues are 'close enough' to me to take a high res photo of my face (and I'd gladly let them do it), but none of them can see my passwords when I'm typing or unlock my phone without my permission. For me this revelation is of a big concern.
It shows again that for people with very valuable data (where others would spend significant amounts of money to get data), passwords remain the only secure way.
We know that it's certainly less hard than knowing someone's password given a semi sane password policy, but more difficult than scraping fb selfies and printing them.
Thinking out loud, I certainly don't share my phone password with my eye doctor, so there's one example of disclosure.
This is completely out of context. For the average smartphone user Iris-Recognition on a phone (just like touch-ID) VS pin-disabled on the phone is a huge step forward.
> The patterns in your irises are unique to you and are virtually impossible to replicate, meaning iris authentication is one of the safest ways to keep your phone locked and the contents private.
I think the quote is fair.
Also your pin disabled argument doesn't make a lot of sense. That's like saying 123456 is a good password because many people disable the password prompt at login.
Additionally, you cannot change your iris once it's compromised. This is an absolute no-no for secure systems! Changing your pin is easy.
This is definitely not a huge step forward. And, as already mentioned, the average user gets misguided by exaggerated marketing promises.
Side note: The CCC even recovered the fingerprint of Germany's defense minister from a photo: https://www.theguardian.com/technology/2014/dec/30/hacker-fa...
1. 50% of your users won't have their needs met - that's a large proportion assuming a uniform distribution
2. We can't be sure a uniform distribution in the first place is appropriate
3. If we're going to assume an average user then why don't we assume an average phone too: If the average user gets by without something today then why bother building it as a new feature?
In the end a product should not be designed for an average user. It should be designed for a well defined audience whose needs will be met well by the product. If you're going to bother with fancy biometric tech as a feature and selling point then you're clearly NOT aiming at the average user who couldn't care less...
Oh come on. You know what's meant: no nerds. That's 99% of users who'll have their needs met, not 50%.
Having prefaced my response with the above clarification, such an outcome should be expected rather than being unexpected. There's no such thing as a totally secure and uncompromisable system. Any system can be compromised. Where there's a system, there's a way to compromise it.
When all is said and done, what can reasonably be expected is a system that's as secure as it can be reasonably made and a genuine effort to patch vulnerabilities as quickly as humanly possible.
It depends on which fingerprint hw/sw the phone is using. There are about 4 large players in the phone fingerprint chip space that have 90 percent of the market.
Fingerprinting is heavily patented so all four vendors have their pros and cons.
A few dozen small players competing for about 10 percent of the market. They probably don't do much of it.
Sounds pretty fascinating.