Galaxy S8 iris scanner unsurprisingly bypassed with picture of an eye and a little time

Galaxy S8 Iris scanner (Image credit: Android Central)

The Galaxy S8's iris scanning is quicker and more accurate than when it debuted (for a short period) on the Galaxy Note 7, saving us from using the fingerprint sensor every time we want to unlock the phone. But it doesn't guarantee your phone can't be accessed by an unwanted person, as the Chaos Computer Club has easily demonstrated.

The CCC shows how it could simply take a photo of a person's eye — with up to a 200 mm lens from 15 feet away, it says — and then print it out on typical paper, cover the paper with a wet contact lens to mimic an eye and instantly gain access to the phone. With a sufficient amount of time and complete access to the phone, you could theoretically unlock any Galaxy S8 with iris scanning enabled.

Despite Samsung's claims that iris scanning is nearly on par with a fingerprint sensor's security and far stronger than face recognition, this shouldn't come as any surprise. But in the CCC's own article on the iris scanner bypass, it links to its defeating of Apple's TouchID fingerprint sensor years ago. It has been demonstrated numerous times that other fingerprint sensors can be bypassed with a certain level of trickery and time — so how worried should you be?

Each option you have for unlocking your phone comes with trade-offs and potential risks. For most of us out there who simply want to keep our private information locked up should our phone be lost or stolen, a fingerprint sensor or iris scanner is sufficient. It's easy enough to use that we'll actually keep it enabled 100% of the time, while being difficult enough to deter the most common threats to the physical security of the device.

The average criminal looking to steal a phone isn't printing a high-resolution image of your eye.

The average criminal or sleuth looking to steal a phone and unlock it for a quick factory reset and sale isn't taking a high-resolution photo of our eyes and printing it out. Not only would they be far better off looking over your shoulder in public to see what your backup PIN or pattern is instead, they'd just as easily throw your stolen phone in the trash when they realize it couldn't be unlocked and quickly resold. But the most important thing at that point is that all of your data is safe, because they weren't going to be willing to go through the process to get a scan of your irises or fingers to unlock it.

Yes, your Galaxy S8's iris scanner can be defeated in the right circumstances — those circumstances include a targeted attack that requires time and complete physical access to the phone. But that doesn't mean you need to move away from iris scanning or be unnecessarily worried about the security of your data when using it.

Only roughly two-thirds of modern Android phones are using lock screen security at all — we need to get that number a lot closer to 100 percent before we start nitpicking about which security form we're using and how easy it is to defeat.

Andrew was an Executive Editor, U.S. at Android Central between 2012 and 2020.

21 Comments
  • I can see a concern for this; however, if your phone is lost and someone finds it, or someone that you don't know stole it from you, how can they access your photo or know what you look like? The only way this would be a concern is if someone close to you, friends or family, stole your phone and knows what you look like. Otherwise I don't see this as a major problem. This would be the same problem with finger scan; nothing is perfect compared to PIN security, assuming you put more than just 4 PIN numbers.
  • I think this is more of an issue for high-ranking corporate or government officials, or people who otherwise have clearance to secure information.
  • How about some deadbeat hanging out at the mall food court taking a picture of you from within a few tables (15 feet was what it took by this club) and then stealing your purse or mugging you a bit later? Picture in hand could it be unlocked? I think so. I've basically moved to Smart Unlock with my smartwatch. The FPS location was too awkward and the face unlock and iris detection was not consistent enough to be effortless. With Smart Unlock if my phone leaves my person then it can only be unlocked by password.
  • lol it's funny that you say that. I had that set up with my smart watch and quickly removed it; if I left my watch and my phone together, that's like a double whammy. So I'd rather do the finger scan to unlock :)
  • My watch is only off my wrist while I shower (charging on its cradle) so the thief would have to be in my family or would have to steal the watch off my wrist together with my phone. :)
  • "How about some deadbeat hanging out at the mall food court taking a picture of you from within a few tables (15 feet was what it took by this club) and then stealing your purse or mugging you a bit later? Picture in hand could it be unlocked? I think so."   Anything is possible. Is this going to actually be a common occurrence for thieves to take pictures of their potential victims' eyes? .. Doubt it. Lol..
  • Probably not common but in my neck of the woods, entirely possible. Gotta move quick lol.
  • Who actually still shops at the mall anymore? I sure as hell don't.
  • What's a mall?
  • You mention mugging... I doubt anyone mugging you for your phone will let you hang onto your watch. In the case of a mugging, using smart unlock tied to a smartwatch is much less secure than iris scanning.
  • This is true then again when I mentioned purse snatching and muggings I was mainly thinking about how this could affect women and not necessarily myself (not saying it can't but it's less likely....if you'd see me you'd probably think it was more likely I'd be the mugger haha). My main security concern/ scenario is as mentioned by another post, leaving my phone behind and having someone try to hack it open. As far as that, most locking methods available today are fairly decent but my use of Smart Lock is most convenient for me.
  • You could possibly find out who they were by the notifications or something and then look them up on Facebook or LinkedIn. Lots of people don't bother to make their Facebook private. Now I'm pretty sure Microsoft's iris implementation is much more secure on devices like the HP Elite x3. Would be neat to see a comparison.
  • If someone plans ahead and first takes a steady full head-on open-eye shot of you and carries around a printer and contacts, to open your phone they would probably be the same kind of person who would force you to open your phone with whatever pin/pattern or fingerprints you use. None of the lock methods are too secure for armed theft. Two step is best for a deterrent. The vast majority of people lose phones, not get them stolen. So unless the person who finds your phone in the taxi or concert/sport venue/pub you left it in has your pin/ high rez eye photo, it almost doesn't matter what method you use.
  • Too bad Windows Phone hasn't taken off cos their iris scanner back in 2014 in the phone never had this issue. Samsung's lack of security is ridiculous. Then again I have their smart watch lol
  • This fails to mention the picture must be a high quality INFRARED photo of your eye. This makes it much harder than just taking a picture of your eye.
  • Just as much possibility of this as someone waiting for you to open your phone with the FPS, and then grabbing it from you.
  • Someone try this with a Windows 950XL and let me know if it works.
  • I'm interested to know too. I have both S8+ and 950XL but don't have the gear to test it. I know they've tested Hello with twins and high-res photos before and didn't work.
  • Good luck finding a suitable camera for the job, though. Good ones do not come cheap at all, let alone a tack-sharp 200mm telephoto lens.
  • I think people are overlooking the likely possibility of someone choking you out, tearing your eyes out of your head and using them to unlock your device, not unlike someone shaving off your fingertips to perform a fingerprint scan. Give me a break.
  • Not to say iris scanners are infallible, but this bypass is way too convoluted to be practical. I suppose it is something to make as "big news". Remember when fingerprint scanners were new? The big news was it can be "fooled by a wax or paper imprint". This is still impractical, but simpler to do, but we don't hear about these things anymore.