Samsung Galaxy S8 iris scanner already hacked


The Samsung Galaxy S8 is a stellar phone - as our review attests - but it has one rather major weakness: its eyeball scanner can be hacked.

German hackers the Chaos Computer Club have posted a video (via the Guardian) of them tricking the S8's iris scanner with a fake eye. In the video, the S8 unlocks as if it'd scanned the eyeball of its owner.

This raises concerns that biometric authentication isn't as secure as we've been led to believe.

Tricking the scanner is a relatively simple process. The hacking group used a photo of the user, a printer, and a contact lens, which mimics the curvature of the eye. Such a photo could be taken from social media, so you wouldn't even need to photograph the person in order to access their phone. A photo taken using a camera's night mode works best, though, according to the Chaos Computer Club.

Iris scanners are much more vulnerable than fingerprint sensors, say the CCC.

"The security risk to the user from iris recognition is even bigger than with fingerprints, as we expose our irises a lot," said the group's spokesperson, Dirk Engling. "If you value the data on your phone - and possibly even want to use it for payment - using the traditional PIN-protection is a safer approach than using body features for authentication."


This isn't the first feature to be compromised on the S8 - its facial recognition feature was defeated before the phone went on sale.

Samsung insists the S8 is secure, and that it was compromised only under "a rare combination of circumstances".

Here's its statement in full.

"We are aware of the report, but would like to assure our customers that the iris scanning technology in the S8 has been developed through rigorous testing to provide a high level of accuracy and prevent against attempts to compromise its security, such as images of a person's iris.

"The reporter's claims could only have been made under a rare combination of circumstances. It would require the unlikely situation of having possession of the high-resolution image of the smartphone owner's iris with IR camera, a contact lens and possession of their smartphone at the same time. We have conducted internal demonstrations under the same circumstances however it was extremely difficult to replicate such a result.

"Nevertheless, if there is a potential vulnerability or the advent of a new method that challenges our efforts to ensure security at any time, we will respond as quickly as possible to resolve the issue."
