The latest research by Bkav Internet Security Corporation shows that the Samsung Galaxy S8's iris scanner can be easily bypassed with a camera and a little wet glue. This bypass is much simpler than the earlier one that relied on a contact lens; anyone can carry it out.
Mr. Ngo Tuan Anh, Vice President of Internet Security of Bkav, said: "Basically, the iris scanner in the Galaxy S8 is a camera. However, it's different from normal cameras in that it captures infrared light with the aim of getting a clearer image of the user's iris. Our research affirms that iris-based authentication is like face recognition; the only difference lies in that it has more identification points. Therefore, it cannot assure security and can be bypassed."
To test the bypass, Bkav's experts used an IR camera (similar to the iris camera in the Galaxy S8) to photograph the eyes of the phone's user. The picture was then printed out with a normal printer and covered with a thin layer of glue. When the image is shown to a Galaxy S8, the phone immediately unlocks (a demo clip is available at the end). Earlier, in another experiment published worldwide, a group of German researchers reported that they used a contact lens to emulate the curvature of the human eye. However, as Mr. Ngo Tuan Anh stated, Bkav's experiment does not need such curvature; it simply covers the image with a thin layer of wet glue (the kind that is very popular in workplaces).
The camera used in Bkav's experiment is a Sony DSC-V3 dating back to 2004. Galaxy S8 users who do not have an IR camera can carry out a simple experiment as follows: download the image at bkav.com/IrisDemo, print it out and apply a layer of glue to the printout, so that the Galaxy S8 "learns" it and is then unlocked by the image.
Bkav recommends that users exercise caution when using the iris scanner and not use this technology for transactions that require high security, like banking, financing, etc.
Speaking further about the research process, Mr. Ngo Tuan Anh said: "Right from the time Samsung introduced iris scanning technology in the Galaxy S8, we judged that it is similar to the face recognition technology of 2008 and surely can be bypassed. The reality has proved us to be right. The research and experiments took us more than one month."
Samsung Galaxy S8 bypass demo clip here.
Bkav