In a video posted to YouTube, hacker Jan Krissler (aka Starbug) demonstrated how to fool the iris scanner in three easy steps. The first step is to find a camera that supports night mode and use it to take a picture of a person’s eyes. In this case, Starbug used an older Sony camera whose night mode drops the IR filter, making it easier to pick up the finer details of a person’s iris.
The next step is to print out a life-size image of at least one eye on a printer. To keep it all in the family, Starbug used a Samsung printer, adding insult to injury.
The final step was to take the life-size printout and glue it to a contact lens to mimic the shape of the real thing. Shockingly enough, this home-brewed workaround was enough to fool the iris scanner into granting access to the locked Galaxy S8. Not only was the device completely accessible, but Samsung Pay could be used as well.
A Samsung representative presented the following statement to Forbes regarding the video:
We are aware of the issue, but we would like to assure our customers that the iris scanning technology in the Galaxy S8 has been developed through rigorous testing to provide a high level of accuracy and prevent attempts to compromise its security, such as images of a person’s iris. If there is a potential vulnerability or the advent of a new method that challenges our efforts to ensure security at any time, we will respond as quickly as possible to resolve the issue.
While the demonstration is alarming, it’s common knowledge that iris scanners and fingerprint sensors can be spoofed by people determined enough to get what they want. Starbug says that a nefarious individual only has to be 15 feet away to get a usable image of your eye. However, they would still need to gain physical access to your device to unlock it with the captured data.