Most obviously, the system should not tolerate a constant-size pupil, ever. The pupil has micro-dilations around twice per second, and your system is really terrible if you don't verify that changing diameter.
Also, multi-spectral is a pretty good test, though I don't know enough about the capabilities of the S8 camera to know if that's feasible (shouldn't be that hard). Capturing the patterns of the iris at 500, 800, and 1200nm results in three templates that are quite different from one another.
CCC were able to do this for about the cost of an S8. I would say this is one of the rare situations where defeating the attack would have been even cheaper. It's that simple a programming exercise.
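A sketch of the pupil-variation check proposed in the comment above, added here as an illustration; it is not code from the thread, from CCC or from Samsung. The thresholds, the `(t, pupil_px, iris_px)` frame format and the three captures are constructed assumptions.

```python
import math

# Added illustration: thresholds and sample captures are constructed, not from the thread.
MIN_RELATIVE_SWING = 0.02     # assumed: ratio must vary by >= 2% of its mean
MIN_REVERSALS_PER_SEC = 1.0   # assumed: dilate/constrict direction changes per second
NOISE_FLOOR = 0.002           # assumed: smaller ratio steps count as sensor jitter
MIN_WINDOW_SEC = 1.0          # assumed: shortest capture worth judging


def pupil_liveness(frames):
    """frames: list of (t_seconds, pupil_px, iris_px). Returns (is_live, reason)."""
    if len(frames) < 3 or frames[-1][0] - frames[0][0] < MIN_WINDOW_SEC:
        return False, "capture too short"
    duration = frames[-1][0] - frames[0][0]
    # Pupil/iris ratio cancels out distance, so moving a printout changes nothing.
    ratios = [pupil / iris for _, pupil, iris in frames]
    mean = sum(ratios) / len(ratios)
    if (max(ratios) - min(ratios)) / mean < MIN_RELATIVE_SWING:
        return False, "constant-size pupil"
    # Count direction reversals, ignoring steps below the noise floor.
    reversals, last_dir, anchor = 0, 0, ratios[0]
    for r in ratios[1:]:
        delta = r - anchor
        if abs(delta) < NOISE_FLOOR:
            continue
        direction = 1 if delta > 0 else -1
        if last_dir and direction != last_dir:
            reversals += 1
        last_dir, anchor = direction, r
    if reversals / duration < MIN_REVERSALS_PER_SEC:
        return False, "no oscillation"
    return True, "pupil diameter oscillates"


def constructed_captures(fps=30, seconds=2):
    """Three synthetic 2-second captures (constructed sample data)."""
    ts = [i / fps for i in range(fps * seconds)]
    live = [(t, 100 * (0.40 + 0.02 * math.sin(2 * math.pi * 2 * t)), 100.0) for t in ts]
    # Printed iris pushed toward the camera: both diameters scale together.
    moved_print = [(t, 40.0 * (1 + 0.2 * t), 100.0 * (1 + 0.2 * t)) for t in ts]
    # One slow monotonic change, e.g. a replayed clip with a single ramp.
    ramp = [(t, 100 * (0.38 + 0.02 * t), 100.0) for t in ts]
    return {"live": live, "moved_print": moved_print, "ramp": ramp}


if __name__ == "__main__":
    for name, frames in constructed_captures().items():
        print(name, pupil_liveness(frames))
```

The check only works if the sensor resolves ratio changes larger than `NOISE_FLOOR`; with a noisier measurement the noise floor rises and the printed and live captures become indistinguishable.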
So when the iPhone gets a fingerprint sensor that saves only a hash of the actual data in a special enclave of a custom chip, Samsung responds with an iris scanner that saves an image of the iris as a world-readable jpeg in your home directory.
Thus, their marketing material can claim feature-parity (or even exceed Apple). But it never seems like they actually care.
It's not like Apple doesn't run into similar problems (not sure if the fingerprint sensor has been defeated–it's a bad idea for 5th amendment reasons in any case). But at least they do the minimum in trying.
In 2013 a CCC member broke TouchID access within a few hours after release of the iPhone. All that was needed was a photograph of the fingerprint on a glass surface. https://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid
Same method worked on the iPhone 6, as Apple hasn't changed a thing. Biometry is fundamentally broken.
And wood glue! Looks like that method proved unreliable, so they expanded it:
"To create the mold, the mask is then used to expose the fingerprint structure on photo-sensitive PCB material. The PCB material is then developed, etched and cleaned. After this process, the mold is ready. A thin coat of graphite spray is applied to ensure an improved capacitive response. This also makes it easier to remove the fake fingerprint. Finally a thin film of white wood glue is smeared into the mold. After the glue cures the new fake fingerprint is ready for use."
People reported that pets' paws work.
How is the iris scanner on Microsoft phones in comparison?
AFAIK CCC never had a proof of concept of a real world usage of this. They needed access to the original finger.
That isn't to say it's not possible but it is a pretty major asterisk.
Can't find the reference right now, but somebody's gotta remember this, it was when the UK was considering using biometric data as IDs.
https://www.ccc.de/updates/2008/schaubles-finger (in German)
Which, imo, isn't much different conditions tbh (i.e. not representative of the real world)
There's no need to get a perfect copy.
"fingerprints are usernames, not passwords" is the standard advice I've read.
It's actually the same guy as with the S8, aka Starbug.
They also managed to get the fingerprint of a politician via a high resolution picture taken at a speech.
(Also a phone PIN via eye reflection captured by the front camera.)
Yes, hopefully he will give another talk at 34C3. Very entertaining guy too!
The use of biometrics on mobile devices somewhat mixes this, with the assumption that if some user was authenticated within a certain time frame (via a pin or some other knowledge bound check), a simple id is enough to extend that authentication.
Authorization is the counterpart to Authentication: authentication proves who you are (with passwords/tokens/biometrics aka something you know/have/are), authorization controls what you can do (with permissions/ACLs/roles/etc.)
To put it another way, the bouncer at a club checks your photo ID to see that you match it (authentication via something you are), then uses it to see if you can enter (authorization by checking your birthdate against a cut-off/name against a guestlist).
Firstly, any biometric technique can be beaten. Against a known, committed foe, it is almost impossible to defend with surety. And for that matter, who can't obtain the pin code of any other user given a short amount of time and focused attention? The notion that "if someone takes an IR high resolution, close photo of your iris they can defeat your security" is asinine given that the same people could obtain your pin in a million and one ways.
These mechanisms are to induce users to use some security, and the primary defense is against lost or stolen phones, making it convenient enough that it isn't disabled.
Secondly, how did this somehow turn into yet another Royal Apple spiel? Aside from the easy beatability of the Apple fingerprint sensor, why wouldn't you compare the fingerprint sensor on a Samsung?
There are commercial security products that regularly perform "IR high resolution" iris scans from several meters away and require no cooperation from the target. Stanley CSS sold one that sat on top of a doorway over five years ago, their product literature says that you need to look at it - but having demoed it myself, I can say that is not true.
Until CCC approves your CSS I will consider it insecure.
On paper it looks awful, but everything this phone does works 100% of the time quickly and without stuttering or failing.
Before I had a Motorola. It was much better. I will not buy another Samsung.
But that should be expected, as it's from Google
But my point was more that on paper it doesn't look like much. It doesn't have waterproofing, it's not "best in class" in anything except the camera, it runs software which has less "on paper" features than other brands, it doesn't have an SD card or removable battery, etc...
But when you actually go to use it, it's a night and day difference between it and other devices.
I think you misunderstood this. The cost was buying the S8.
You only need a laser printer, a decent camera and a contact lens.
No, considering that the picture doesn't have to be that good, you need only a rogue picture from somewhere on the Internet (Facebook, Instagram, or whatever), the means to get it printed cheaply (most likely using a public printing service), and the contact lens. Oh, and the contact lens doesn't have to be new/hygienic. The total cost boils down to pennies.
While I agree that Samsung is at its core a hardware company and software engineers are still treated like second-class citizens, you can't just expect them to compete with Google or Microsoft overnight, IMO. I'm disinclined to believe that their military-like corporate hierarchy is to blame.
Also, the cellphone image resolution is far too low to recognize dilations. Looking at the video, I'm surprised that it works as well as it does, to be honest.
Then it's also fixable in software, no hardware update needed, right?
At least to make it better even if it isn't good yet.
It seems that there are reasonably large changes due to thinking about something, but not due to just looking unless your camera can detect 0.01 mm changes in diameter, which maybe tbihl's could, but that seems unreasonable for a smartphone camera.
I would guess tbihl has never tried to get iris recognition working on a cost-constrained consumer device at a huge scale. They might not think it is so trivial then.
Saccades in general are just rapid, ballistic eye movements: they don't have to be small and they're often voluntary. You often make saccades without explicitly thinking about it, but you can countermand these and hold your eyes still when you want to.
What if one of the subject's eyes is a glass eye? What if they're wearing colored contact lenses? Wouldn't both of those situations complicate that?
Maybe the answer is to introduce a "weak mode" option where most users could have the scanner verify "yes, this is a real eyeball," and if someone with a glass eye still wanted to use iris scanning in a way that can be copied by a photo, they have the choice to disable the security measures.
Personally I think Apple should allow you to turn the backlight for the screen off entirely for their use. Perfect over the shoulder privacy and better battery life to boot!
Might be that they did a bad job with the Iris recognition, but why not give them the benefit of the doubt and consider that they were aware of the trade-offs involved?
If they couldn't manage to get false negatives down to a sensible level without compromising security in such a blatant way, there's two courses of action: Live with it, or don't release it.
This is a marketing gimmick, not a security feature.
Just as with fingerprint readers the target audience is people who otherwise wouldn't lock their phone at all.
If someone has physical access to the user they can probably get into most people's phones (that's just saying people aren't careful enough though).