The latest victim is Samsung’s new iris scanning technology, which has now been rolled out on their various smartphones.
In this case, the exploit was found by one of the good guys, a security researcher from the Chaos Computer Club (CCC) named Jan “Starbug” Krissler. He discovered that a photograph of the phone’s owner, taken with a 200mm lens, could be detailed enough to fool the iris scanner, even if the picture was taken from as far away as five meters.
Samsung has taken steps to make their scanner more robust and less likely to be fooled. One of the first things they did to get around the obvious weaknesses in the system was to add facial recognition software to the equation, so that flat images like a printed picture would no longer work.
Unfortunately, that step proved to be insufficient. Krissler found that, armed with a picture taken as described above, a contact lens, and a bit of glue, he could still fool the optical scanner. Cutting the eye out of the picture and pasting it onto the contact lens provided sufficient depth to still fool the scanner.
This is problematic on several levels, but the two biggest are the following. Firstly, Samsung obviously devoted substantial time and resources to creating this new security measure, which has now been demonstrated to be easy to get around.
Secondly, and perhaps even more problematic, Samsung’s digital wallet technology is secured by means of the iris scanner, which puts its user base at risk. The caveat, of course, is that to make the hack work, the hacker would need physical access to the phone, but given that smartphone theft is the fastest-growing crime on the planet, that isn’t a big hurdle to clear.