
Samsung S8 iris scanner: How was it bypassed?

Hackers bypassed the Samsung S8 iris scanner, which could spell trouble for biometric authentication. Expert Nick Lewis explains how it happened and how to stay protected.

Hackers managed to bypass the authentication function of the Samsung S8 iris scanner, which Samsung claimed provided airtight security for the smartphone. How does the bypass work, and what can users do to mitigate the threat?

Saying a product has airtight security often amounts to a challenge to hackers to completely dismantle its security and embarrass the vendor. Samsung's boast about user authentication on its flagship smartphone via the S8 iris scanner was no exception, as the company discovered after a recent vulnerability announcement.

Could Samsung have wanted its customers to perform free pen testing on the S8 iris scanner? Perhaps the company believed that taunting hackers into testing the security of its system would be a more cost-effective and efficient way to protect its users than offering a bug bounty program. On a more practical note, this only further demonstrates that enterprises and consumers should be skeptical of vendors' statements about security when there isn't sufficient evidence to support the claim that something is secure.

Members of the Chaos Computer Club, a European hacker association, were able to defeat authentication using the Samsung Galaxy S8 iris scanner with a photograph of the smartphone's owner. They were able to take a picture of the legitimate owner's eye from up to five meters away, and then use that image to unlock the phone.

This exploit is similar to, but less sophisticated than, a previous attack on facial recognition systems; those systems were more securely designed and implemented, yet were still bypassed.

While Samsung has not directly acknowledged the vulnerability, after reports of the exploit surfaced, the security webpage about the Samsung S8 iris scanner was updated to say that "[f]ace recognition is less secure than pattern, PIN, or password," which at least lets people know the system is less secure than a PIN.

Samsung still advertises its "Government certification data up-to-date as of March 2017," which raises many other questions and may prompt scrutiny of other security claims from Samsung, given the basic nature of this vulnerability. This iris scanner exploit is much less difficult to carry out than a gummy bear attack.

Most high-security iris recognition systems implement significant checks to prevent hacks like this one, but perhaps Samsung was constrained by costs. To mitigate this threat, end users should avoid using the S8 iris scanner and should instead use a secure PIN or password to log in to the smartphone.


This was last published in October 2017


Is biometric authentication like that used by the Samsung S8 iris scanner safe enough for enterprises?

You have a choice when implementing a biometric authentication scheme: make the authentication a simple lock/unlock mechanism, or use the data gathered to encrypt the data, or at least provide missing information for the device driver. Encryption/decryption will slow down the system, and with the device driver scheme and/or encryption you need a method of recovering data in the event of biometric reader failure. Using a basic locked-door scheme, customer security may come down to a simple conditional branch or unconditional branch instruction. But even with the lock scheme, if you open up the API to application builders, they can use the data to encrypt any personal information in any manner they choose; since they only need to encrypt small amounts of data, the time required is minimal.