The Galaxy S8 offers a range of security access protocols, from face recognition to fingerprint activation, pattern and password protection to PIN verification… and, of course, an iris scanner.
The iris scanner is billed by Samsung as one of the most secure access methods and is used to authorise payments.
However, it was not long after the release of the S8 that a group of German hackers called the Chaos Computer Club released a video demonstrating how they had fooled the device’s iris scanner using a night vision Sony camera and a photograph of a user’s iris which they printed out and covered with a contact lens to mimic the curvature of the human eye.
Joining the biometric bandwagon
Biometric security is the new frontier of device security. It’s part of a wider trend of take-up. A high-profile recent example is HSBC’s introduction of voice ID and fingerprint authentication to 15 million UK customers, the biggest biometric security rollout to date.
There are already 600 million biometric smartphones in use today, in what’s emerging as an increasingly standard option.
How does the S8 iris scanner work?
The coloured ring around your pupil is your iris. And like fingerprints, each person’s iris is unique.
Iris scanners use digital cameras which use a combination of near infrared light and visible light to take a high contrast picture of your iris. The use of infrared light increases the contrast between the pupil and iris, making it easier to distinguish its unique characteristics.
With the photo taken, a computer then locates the centre and edge of the pupil and the edges of the iris, and analyses the iris’s distinctive patterns, which it translates into code.
Iris scanners are considered to be more accurate than fingerprint scanners because they reference over 200 points of information in contrast to around 70 points of reference for fingerprints.
An obvious downside of fingerprint access is that people leave their fingerprints pretty much everywhere they go. They can be lifted and replicated (we’ve all seen the films); however, this takes time and effort, so there’s a barrier to entry for your everyday phone thief.
Another downside to fingerprint access is that you have to use both hands to access your phone (#FirstWorldProblems) and not everybody is a fan of rear mounted fingerprint sensors such as on the Galaxy S8.
Fingerprint sensors are not invulnerable to hacking either.
Researchers at Michigan State University demonstrated it is also possible to hack some fingerprint scanners using a photo of a fingerprint printed on conductive paper and ink.
To make things worse, in 2014 a hacker managed to recreate the fingerprint of a German politician simply by taking a long distance photo of her hand at a press conference.
The S8’s facial recognition can also be hacked by using a printed photo of the user’s face. Samsung are aware of this issue and that’s why it can’t be used to authorise payments.
Is there a security risk to using Iris scanners?
However, the iris scanner can be used to authenticate payments. The function is billed as “one of the safest ways to keep your phone locked”. Samsung have said that it’s very hard to hack the phone in practice because it requires a photo to be taken on a camera that can capture infrared light. They also pointed out the photo would have to capture a clear shot of the eye and the user’s phone would also have to be stolen; a series of events that are unlikely to all coincide.
It is of course worrying that biometric security systems can be hacked. But should it be so surprising?
The reality is that no system is 100% secure. In an era when not even government and military can prevent hacks, there’s not going to be a totally secure system for consumers any time soon.
For most ordinary users the hackability of the iris scanner is not going to present too big a problem. The process hackers would need to go through is quite hard to pull off and doesn’t really lend itself to a crime of opportunity.
The most important thing is that people are aware of the limitation of security features and are vigilant about personal security, taking standard measures such as making sure their phones are not left unsupervised. And people who use smartphones at work need to be extra vigilant about security, following any company protocols that are in place.
One of the benefits of the iris scanner is that it is quick and convenient and allows you to unlock your phone whilst freeing up your hands. However, it would seem that a password is actually more secure than an iris scanner. But that’s only if it’s not an obvious code or you don’t leave it lying around.
Is the Samsung iris scanner less secure than others?
An obvious question is, ‘Is Samsung providing more lax security than other providers?’
The answer appears to be no. Most big corporations seem to all have their 15 minutes of shame. Shortly after Apple released their Touch ID in 2013, the Chaos Computer Club managed to hack it using a fingerprint they had lifted from a glass. Huawei have also had their Honor 7 phone’s fingerprint sensor hacked.
Security is a relative concept
It looks like a complex password is still the most secure way to lock your phone. A range of password managers to create and store hard-to-hack passwords are available for Android phones and you’d do well to check them out.
At the end of the day you need to make an assessment of your security needs and preferred security method.
Unfortunately, in the digital age, hacking is a growing problem and there’s no corporation that’s immune to it, whether it be the NHS, who were recently hit by a disastrous ransomware attack, or the CIA, who had classified documents leaked.
It remains to be seen whether biometric detection is the most secure way to protect phones. Maybe we’ll see a move away from it in the future, but for now it’s here to stay.
With the Galaxy S8, Samsung have put a very diverse range of security access protocols at our disposal. It’s up to us to choose what’s right for us, and to be aware of the risks entailed.