The Samsung Galaxy S8. (credit: Ron Amadeo)
Samsung just recently took the wraps off its latest flagship, the Galaxy S8. In addition to the super-slim bezels, tall screen, and speedy new Snapdragon 835 (or Exynos 9) processor, the device is also coming with a ton of biometric authentication options. You get a fingerprint reader, iris recognition, and face recognition. With the public’s first exposure to the Galaxy S8 happening a few days ago, it was only a matter of time until one of these biometric solutions had some holes poked in it.
One of those holes is that the Galaxy S8’s face recognition can be tricked with a photo.

At least this is what a video from Spanish Periscope user Marcianophone purports.

About 6 minutes into the 40-minute Spanish-language video, you can see the attendee take a selfie with his personal phone, then point it at the Galaxy S8, which is trained to unlock with his face.
It only takes a few minutes of fiddling before the Galaxy S8 gives in and unlocks with just a picture, moving from the “secure” lock screen right to the home screen. Once the user dials in his technique, he shows the trick is easily repeatable.
Google added a “Face Unlock” system to Android 4.0 back in 2011, and it had the same picture vulnerability that Samsung’s solution has today.
In Android 4.1, Google’s face unlock added a “liveness check” that attempted to defeat the photo vulnerability by requiring the user to blink.

This too was bypassed (rather hilariously) by grabbing a photo of someone, poorly Photoshopping a second copy of the picture with a set of closed “eyelids,” and then switching between the “eyes open” and “eyes closed” pictures when the face unlock asks the user to blink. It seems Samsung built a face unlock feature from the ground up for the S8, and it’s repeating the same mistakes.