Back when the Galaxy S8 and Galaxy S8 Plus were first released, there was some concern that people who chose to utilize the phones’ iris scanners for security might be at risk. While the S8 line also includes a more conventional fingerprint scanner, Samsung gives users the option to unlock their phones using a quick iris scan as well. Some people were concerned that the technology Samsung used might be open to being tricked by a photo of a user’s eyes, and those worries ended up being completely justified. On Tuesday, we learned that a group of security experts had indeed “hacked” the Galaxy S8’s iris scanner using nothing more than a photograph and a contact lens.
Now, Samsung has finally issued a statement in response to what appears to be a gaping security hole in its new flagship smartphones.
“Iris recognition may protect a phone against complete strangers unlocking it, but whoever has a photo of the legitimate owner can trivially unlock the phone,” said Chaos Computer Club (CCC) spokesperson Dirk Engling on Tuesday. “If you value the data on your phone – and possibly want to even use it for payment – using a traditional PIN is a safer approach.”
CCC also released the following video, which shows the group using nothing more than a photo and a contact to circumvent the Galaxy S8’s security.
After the video began spreading, Samsung on Tuesday afternoon issued a statement to Gizmodo. Unfortunately, the statement essentially boils down to we’ll look into it.
We are aware of the issue, but we would like to assure our customers that the iris scanning technology in the Galaxy S8 has been developed through rigorous testing to provide a high level of accuracy and prevent attempts to compromise its security, such as images of a person’s iris. If there is a potential vulnerability or the advent of a new method that challenges our efforts to ensure security at any time, we will respond as quickly as possible to resolve the issue.
While it’s obviously good news that Samsung is investigating the matter, this is the kind of issue that clearly should have been discovered during testing when the Galaxy S8 was in development. It’s sort of like Samsung implementing a bunch of new battery testing procedures following the Note 7 debacle, despite the fact that they should have already been in place.