Samsung says iris scanner hack could “only have been made under a rare combination of circumstances”

HACK ATTACK: Samsung has responded to claims that its iris recognition system can be compromised

Samsung has responded to the group of hackers from the Chaos Computer Club (CCC) who managed to defeat the iris recognition system on the Samsung Galaxy S8 and S8+ smartphones, saying that the hackers’ claims could “only have been made under a rare combination of circumstances”.

The hackers were able to authenticate and unlock a device by showing the iris scanner a picture of the owner’s eye. “With a simple to make dummy-eye, the phone can be fooled into believing that it sees the eye of the legitimate owner,” the CCC said.

“We were aware of the report, but would like to assure our customers that the iris scanning technology in the Galaxy S8 has been developed through rigorous testing to provide a high level of accuracy and prevent against attempts to compromise its security, such as images of a person’s iris,” Samsung says in a statement sent to NFC World.

“The reporter’s claims could only have been made under a rare combination of circumstances. It would require the unlikely situation of having possession of the high-resolution image of the smartphone owner’s iris with IR camera, a contact lens and possession of the smartphone at the same time.

“We have conducted internal demonstrations under the same circumstances — however, it was extremely difficult to replicate such a result. Nevertheless, if there is a potential vulnerability or the advent of a new method that challenges our efforts to ensure security at any time, we will respond as quickly as possible to resolve the issue.”

Samsung unveiled its Galaxy S8 and S8+ flagship devices in March this year. The devices come with multi-biometrics options with support for iris and facial recognition technology as well as a fingerprint sensor.

  • William Hugh Murray, CISSP

    Biometrics are about convenience, not security. Most are vulnerable to replay attacks. They are a convenient form of evidence in a strong authentication scheme where possession of a device is another. While there are limitations to Samsung’s scheme, it will resist the fraudulent use of your lost or stolen Samsung 8.