Don’t PIN your hopes on biometric security
If you thought the latest, most modern biometric tricks like fingerprints and iris recognition would save you from having to remember that stupid PIN – guess again. The Chaos Computer Club (CCC) has some interesting news for you: You’re out of luck.
Eyes and finger-fueled biometric security features can be hacked – and the Chaos Computer Club can show you how.
The Chaos Computer Club is a European association of hackers. They have a reputation of taking IT things apart, seeing what makes them tick, and then explaining the problem. Don’t worry, they have a code of ethics and are really active on highlighting privacy and security issues.
The eyes don’t have it
The Samsung Galaxy S8 has been a frontrunner in using the unique pattern of each human iris as a security key. Very high tech. Very cool. And the CCC has fooled it. Bigly.
Even better, they fooled it using a high-resolution picture of the individual’s eyes, a Samsung laser printer, and a contact lens. As shown in their video, the contact lens fools the smartphone into thinking it is looking at a curved surface – like an eyeball. All it takes to get suitably good pictures is a decent digital camera with a 200mm lens at a distance of less than five meters; add the contact lens, and those pictures are enough to fool iris recognition systems.
Their video of this process shows that eyeball hacking can be done, but probably not by your pre-teen children. A teenager, however, might think this was a cool challenge.
Give your device the finger
The iris scanner is a partial response to another security feature – the fingerprint sensor. While we know that fingerprints are a critical element in murder investigations, they have issues when it comes to online security. The CCC has previously shown how a fingerprint lifted from glass can be manipulated to hack the “Touch ID” on Apple’s iPhone. Interestingly enough, the iris scanner on the Samsung — arguably the more hi-tech of the two methods — looks easier to hack.
On biometric PINs and needles
Both exploits show that there is no current biometric “solution” that is hacker proof. Neither eyes nor fingers are enough for bullet-proof security. However, most people need easy-to-use security that blocks out the fast-moving threats such as children, or even pickpockets, neither of whom are likely to use sophisticated password-cracking techniques to get into a phone. Some kids, who will not be identified by name, are smart enough to watch finger movements to get at the underlying PIN, open up a smartphone and play games. Other cybercriminals do the same at ATMs. So just remember that people can watch your fingers, and don’t recycle PIN codes between devices.