Germany's Chaos Computer Club (CCC), a venerable group of white-hat hackers, claims to have figured out a relatively straightforward way to trick the iris-recognition system on Samsung's flagship Galaxy S8 smartphone.
The CCC has a long history of embarrassing tech firms by demonstrating vulnerabilities in their biometric authentication systems. A few years ago, CCC hackers showed how a photograph of an iPhone user's fingerprint could be used to create a fake finger that the Apple device would accept for unlocking.
Fingerprint scanners are of course common now, but Samsung's high-end handset is trying to bring iris-scanning to the masses. According to the CCC, that's a mistake as it's disturbingly simple to create a 'dummy eye'.
A CCC video (see below) shows how simple the trick is. In it, someone uses the night mode on a regular Sony digital camera to surreptitiously take an infrared shot of the phone user's eyes, from a moderate distance.
Chaos Computer Club has made a video to show how Samsung's iris scanner can be fooled.
The image is cropped and printed out on, cheekily, a Samsung printer at life size. A contact lens is placed on the printed iris, to give it the appropriate curvature, and the Galaxy S8 accepts this as authentication for unlocking the phone.
As the hacker collective noted, Samsung Pay, which launched in the UK just last week, gives users the option of using iris or fingerprint scans to authorize payments.
"If you value the data on your phone, and possibly want to even use it for payment, using the traditional PIN-protection is a safer approach than using body features for authentication," said CCC spokesman Dirk Engling.
"The security risk to the user from iris recognition is even bigger than with fingerprints as we expose our irises a lot. Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris."
Neither Samsung nor Princeton Identity, the company that makes the iris-recognition module for the Galaxy S8, had responded to a request for comment at the time of writing.
However, Samsung's Galaxy S8 security homepage says, "We care deeply about your privacy. So we made the Galaxy S8 and S8+ our securest phones yet. There's an iris scanner for peace of mind."
Princeton Identity is a recent spinoff from the US research outfit SRI international and is primarily funded by Samsung Ventures.
The CCC has been going for 35 years now, and has long been warning against the use of biometric authentication.
Almost a decade ago, it managed to get hold of the fingerprint of then-interior minister Wolfgang Schäuble, now Germany's finance minister, from a glass that the minister used at an event.
The group distributed dummies of Schäuble's fingerprint in an attempt to protest against the storage of Germans' fingerprints in the country's e-passports.