Incident: Security Vulnerability in Samsung Galaxy S8 Iris Recognition System

Published Date: 2017-05-24

Postmortem Analysis
Timeline
1. The software failure incident, in which the iris-recognition feature in Samsung's Galaxy S8 smartphone was defeated by German hackers, happened in May 2017 [59077].

System
1. Iris-recognition feature in Samsung's Galaxy S8 smartphone [59077]
2. Facial recognition feature in Samsung's Galaxy S8 smartphone [59077]
3. Infrared iris scanner in Samsung's ill-fated Note 7 [59077]

Responsible Organization
1. German hackers from the Chaos Computer Club (CCC) were responsible for causing the software failure incident with the iris-recognition feature in Samsung's Galaxy S8 smartphone [59077].

Impacted Organization
1. Samsung's iris-recognition feature in the Galaxy S8 smartphone was impacted by the software failure incident [59077].

Software Causes
1. The software cause of the failure incident was the vulnerability in the iris-recognition feature of Samsung's Galaxy S8 smartphone, which allowed German hackers to defeat the security feature [59077].

Non-software Causes
1. The iris-recognition feature in Samsung's Galaxy S8 smartphone was defeated by German hackers using a dummy eye made with a printer and a contact lens [59077].
2. The facial recognition feature in the Galaxy S8 was also easily tricked with a printed-out picture of the owner [59077].
3. The hack on the iris-recognition feature could be carried out with just a photo lifted from Facebook, a conventional laser printer, and a contact lens [59077].
4. Samsung claimed in its marketing materials that iris authentication is one of the safest ways to keep a phone locked and the contents private, but this incident showed otherwise [59077].

Impacts
1. The iris-recognition feature in Samsung's Galaxy S8 smartphone was defeated by German hackers, showcasing a significant security vulnerability [59077].
2. The security risk posed by iris recognition was highlighted, with hackers being able to fool the feature with a dummy eye created using a printer and a contact lens [59077].
3. The incident raised concerns about the security of biometric features as authentication methods, emphasizing the trade-off between convenience and the inability to change biometric data if compromised [59077].
4. Samsung's claim that iris authentication is one of the safest ways to keep a phone locked and its contents private was challenged by the successful hack, potentially impacting consumer trust in the technology [59077].

Preventions
1. Implementing multi-factor authentication: combining iris recognition with another form of authentication, such as a PIN or password, could have enhanced the security of the device [59077].
2. Conducting thorough security testing: rigorous testing, including penetration testing and vulnerability assessments, could have identified the vulnerability in the iris recognition feature before the product was released to the market [59077].
3. Continuous monitoring and updates: regularly monitoring for security threats and promptly issuing software updates to patch identified vulnerabilities could have mitigated the risk of the iris recognition feature being compromised [59077].

Fixes
1. Implementing additional layers of authentication alongside iris recognition, such as traditional PIN protection, to enhance security [59077].
2. Enhancing the iris recognition technology to better differentiate between real irises and artificial ones created using dummy eyes [59077].
3. Conducting further research and development to improve the accuracy and reliability of biometric features like iris authentication to prevent easy spoofing [59077].

References
1. Chaos Computer Club (CCC) [59077]
2. Samsung spokesperson [59077]

Software Taxonomy of Faults

Category Option Rationale
Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident in which the iris-recognition feature in Samsung's Galaxy S8 smartphone was defeated by German hackers is not the first such incident involving Samsung's products. The article mentions that the ill-fated Note 7 had the same infrared iris scanner as the Galaxy S8, indicating a similar incident within the same organization [59077].
(b) The article also mentions that the Chaos Computer Club (CCC) previously fooled Apple's TouchID fingerprint sensors shortly after the first iPhone 5s hit the market. This indicates that similar incidents have happened with other organizations' products as well, in this case Apple's [59077].

Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The design-phase aspect of the failure can be seen in the article where the iris-recognition feature in Samsung's Galaxy S8 smartphone was defeated by German hackers. The security feature was fooled by a dummy eye created using a printer and a contact lens to match the curvature of the eye, based on pictures of the iris taken with a digital camera in night mode. This indicates a failure in the design of the iris-recognition feature, as it was vulnerable to being tricked by a dummy eye, highlighting a flaw in the system development of the security feature [59077].
(b) The operation-phase aspect of the failure can be observed in the article where the facial recognition feature of the Galaxy S8 was defeated even before the phone was on sale. The facial recognition feature could be tricked with something as simple as a printed-out picture of the owner, showing a failure in the operation or misuse of the system. Additionally, the article mentions that the iris-recognition feature could potentially be fooled with just a photo lifted from Facebook, a conventional laser printer, and a contact lens, further emphasizing the operational vulnerabilities of the biometric security features [59077].

Boundary (Internal/External)
Option: within_system
Rationale:
(a) within_system: The software failure incident in which the iris-recognition feature in Samsung's Galaxy S8 smartphone was defeated by German hackers is primarily within the system. The failure occurred due to vulnerabilities within the iris-recognition feature itself, allowing hackers to trick the system with a dummy eye and high-resolution images of irises [59077]. The failure was not caused by external factors but rather by flaws or weaknesses in the design and implementation of the security feature within the smartphone's software.

Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The non-human-actions aspect of this incident is the defeat of the iris-recognition feature in Samsung's Galaxy S8 smartphone by German hackers using a dummy eye created with a printer and a contact lens [59077]. This highlights a vulnerability in the iris-recognition technology that allowed the security feature to be fooled without direct human involvement in the authentication process.
(b) The human-actions aspect of this incident involves the actions of the hackers from the Chaos Computer Club who exploited the vulnerability in the iris-recognition feature of the Galaxy S8 smartphone. The hackers used human ingenuity and technical skills to create a dummy eye and manipulate the security system, demonstrating the potential risks associated with relying on biometric features for authentication [59077].

Dimension (Hardware/Software)
Option: hardware, software
Rationale:
(a) Hardware: The article mentions that the iris-recognition feature in Samsung's Galaxy S8 smartphone was defeated by German hackers using a dummy eye made with a printer and a contact lens to match the curvature of the eye [59077]. This indicates a hardware-related failure, as the hackers were able to manipulate the hardware components of the smartphone to bypass the security feature.
(b) Software: The article also mentions that the facial recognition feature in the Galaxy S8 was defeated before the phone was even on sale by tricking it with a printed-out picture of the owner [59077]. This highlights a software-related failure, as the facial recognition software was vulnerable to being tricked by a simple printed image, indicating a flaw or vulnerability in the software itself.

Objective (Malicious/Non-malicious)
Option: non-malicious
Rationale:
(a) The software failure incident described in the article is non-malicious. The failure of the iris-recognition feature in Samsung's Galaxy S8 smartphone was demonstrated by German hackers from the Chaos Computer Club (CCC), who were able to fool the security feature using a dummy eye created with a printer and a contact lens [59077]. The hackers highlighted the security risk posed by using body features for authentication and emphasized the ease with which the iris recognition feature could be bypassed, indicating a non-malicious intent to expose vulnerabilities rather than to harm the system.

Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale:
(a) The software failure incident involving the iris-recognition feature in Samsung's Galaxy S8 smartphone can be attributed to poor_decisions [59077]. The incident occurred because the security feature was defeated by German hackers using a dummy eye and a high-resolution image of the smartphone owner's iris. Despite Samsung's claims about the uniqueness and security of iris authentication, the hackers were able to bypass the system with relatively simple tools like a printer and a contact lens. This highlights a poor decision in implementing the iris-recognition feature without considering the potential vulnerabilities and risks associated with it.

Capability (Incompetence/Accidental)
Option: development_incompetence, accidental
Rationale:
(a) Development incompetence is evident in the article where German hackers were able to defeat the iris-recognition feature in Samsung's Galaxy S8 smartphone. The hackers from the Chaos Computer Club fooled the security feature using a dummy eye created with a printer and a contact lens to match the curvature of the eye. This exploit highlights a lack of professional competence in the development of the iris-recognition feature, as it was easily bypassed by a relatively simple method [59077].
(b) The accidental aspect is demonstrated in the article where Samsung's facial recognition feature, which was supposed to provide additional security, was easily tricked with a printed-out picture of the owner. This accidental vulnerability in the facial recognition feature shows that contributing factors were introduced accidentally, leading to a significant security flaw in the smartphone [59077].

Duration
Option: temporary
Rationale:
The software failure incident involving the iris-recognition feature in Samsung's Galaxy S8 smartphone can be considered a temporary failure. The incident occurred when German hackers were able to defeat the security feature using a dummy eye and a high-resolution image of the smartphone owner's iris [59077]. Samsung stated that the attack requires "a rare combination of circumstances" to pull off, including possession of a high-resolution image of the iris, an IR camera, a contact lens, and possession of the smartphone at the same time. The company conducted internal demonstrations under the same circumstances and found it extremely difficult to replicate such a result [59077]. This indicates that the failure was not permanent but temporary, as specific conditions had to be met for the security feature to be bypassed.

Behaviour
Option: omission, other
Rationale:
(a) crash: The incident does not involve a crash where the system loses state and stops performing its intended functions.
(b) omission: The incident involves an omission where the system omits to perform its intended functions at one or more instances. Specifically, the iris-recognition feature in Samsung's Galaxy S8 smartphone was defeated by German hackers using a dummy eye, fooling the security feature into believing it was being unlocked by the legitimate owner [59077].
(c) timing: The incident does not involve a timing failure where the system performs its intended functions correctly but too late or too early.
(d) value: The incident does not involve a value failure where the system performs its intended functions incorrectly.
(e) byzantine: The incident does not involve a byzantine failure where the system behaves erroneously with inconsistent responses and interactions.
(f) other: The behaviour of the software failure incident relates to a security vulnerability in the iris-recognition feature of the Galaxy S8 smartphone, allowing it to be fooled by a dummy eye created using a printer and a contact lens. This behaviour falls under the category of a security flaw or vulnerability in the system's authentication mechanism [59077].

IoT System Layer

Layer Option Rationale
Perception
Option: None
Rationale: None

Communication
Option: None
Rationale: None

Application
Option: None
Rationale: None

Other Details

Category Option Rationale
Consequence
Option: theoretical_consequence
Rationale:
(a) death: People lost their lives due to the software failure.
(b) harm: People were physically harmed due to the software failure.
(c) basic: People's access to food or shelter was impacted because of the software failure.
(d) property: People's material goods, money, or data were impacted due to the software failure.
(e) delay: People had to postpone an activity due to the software failure.
(f) non-human: Non-human entities were impacted due to the software failure.
(g) no_consequence: There were no real observed consequences of the software failure.
(h) theoretical_consequence: Potential consequences of the software failure were discussed but did not occur.
(i) other: Was there a consequence of the software failure not described in options (a) to (h)? What is the other consequence?
The article does not mention any direct consequences such as death, harm, impact on basic needs, property loss, or non-human entities being affected by the software failure incident. The incident primarily concerns the security vulnerabilities of the iris-recognition feature in Samsung's Galaxy S8 smartphone and the potential risks associated with biometric authentication methods. Therefore, the most relevant option based on the information provided is (h) theoretical_consequence, as the article discusses the theoretical risks and potential consequences of the software failure rather than actual observed impacts.

Domain
Option: information, government
Rationale:
(a) The failed system is related to the information industry, as it involves the security features of Samsung's Galaxy S8 smartphone, specifically the iris-recognition feature being defeated by hackers [59077].
(b) There is no direct mention of the transportation industry in the article.
(c) There is no direct mention of the natural resources industry in the article.
(d) There is no direct mention of the sales industry in the article.
(e) There is no direct mention of the construction industry in the article.
(f) There is no direct mention of the manufacturing industry in the article.
(g) There is no direct mention of the utilities industry in the article.
(h) There is no direct mention of the finance industry in the article.
(i) There is no direct mention of the knowledge industry in the article.
(j) There is no direct mention of the health industry in the article.
(k) There is no direct mention of the entertainment industry in the article.
(l) The failed system is related to the government industry, as it involves security features of smartphones that are used by individuals for various purposes, potentially including government-related activities [59077].
(m) There is no direct mention of any other industry in the article.
