Samsung’s Galaxy S8 is a fantastic Android phone by just about any measure, but if there’s one area where the new flagship could use some serious work it’s in the biometric department. We already knew that the phone’s facial unlock feature can be easily fooled with nothing more than a simple photograph of the owner, but a new video from the Chaos Computer Club demonstrates that the new iris scan security layer — which Samsung calls “one of the safest ways to keep your phone locked and the contents private” — is just as easily fooled.
The video from CCC makes the trick look ridiculously easy to pull off, using nothing more than a photo of the individual and a contact lens.
Since the iris scanner uses infrared light, a photo of the phone’s owner is shot with a simple digital camera, using “night mode.” Then, the photo is cropped and sized so that the iris is roughly the size of a real-life human eye. After that, a contact lens is placed on the printed photo, and the Galaxy S8 instantly recognizes it as being a “real” human eye and unlocks the phone.
What’s particularly interesting is that the photo itself doesn’t even have to be particularly high quality, and the image used in the demonstration was shot from several feet away. This suggests that the actual iris scan the phone is performing at a much shorter distance isn’t necessarily identifying as many details as it likely could.
All biometric unlock features, including fingerprints and the aforementioned facial recognition, have proved hackable in the past. If you were holding out hope that your iris held the one true key to keeping your smartphone safe, this test is proof that it’s just as vulnerable (if not more so) than all the rest.