They took a photo of the registered user’s face at a medium distance using a digital camera and then printed out a zoomed-in image of their eye (ironically, on a Samsung printer).
To make the image on the sheet of paper look like a real eye, the hackers carefully placed a contact lens over the iris of the printed eye picture which, in turn, simulated the curvature of an eye.
The dummy eye was then held up to the front-facing camera of the locked Galaxy S8, which then unlocked. Shockingly, the group even suggested that the dummy eye image could be taken from social media.
It would take a very good phone thief to pull off this trick and use it to their advantage. To unlock a phone they had stolen, they would need either to take a picture of the victim’s face beforehand or to track down their identity on social media.
A spokesperson for the Chaos Computer Club, Dirk Engling, said on their website: “The security risk to the user from iris recognition is even bigger than with fingerprints as we expose our irises a lot. Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris.”
He added: “If you value the data on your phone – and possibly want to even use it for payment – using the traditional PIN-protection is a safer approach than using body features for authentication.”