The Galaxy S8 iris scanner can be hacked with aging tech

Biometrics are becoming our next de facto security measure, and they’re supposed to be a vast improvement on easily forgotten and hackable passwords. Yet a point-and-shoot camera, a laser printer and a contact lens are all it took for German hacking group Chaos Computer Club to crack the Samsung Galaxy S8’s iris scanner. “By far [the] most expensive part of the iris biometry hack was the purchase of the Galaxy S8,” the group wrote on its website.

They pulled it off by taking a photo of the target from about five meters away, and printing a close-up of the eye on a laser printer — made by Samsung, no less. A regular contact lens was placed on top of the print to replicate the curve of an eyeball. When the print was held up to the smartphone, the S8 unlocked.

“The security risk to the user from iris recognition is even bigger than with fingerprints as we expose our irises a lot,” said Dirk Engling, spokesperson for the group, which previously hacked the iPhone 5S fingerprint sensor using photos of a glass surface. “Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris.”

Biometric security is taking off, particularly with the rise of mobile payments. Mastercard has rolled out “selfie pay” in Europe, while Australia has introduced facial recognition to replace passports in airports, and Chinese ride-share company Didi helps passengers verify their driver’s identity using face scanning.

Sci-fi has told us that iris scans are so accurate you’d need to cut out someone’s eyes to fool them. But the disappointing reality so far is that stuff a hacker could rummage for on Craigslist is probably good enough.

Source: Chaos Computer Club

Engadget RSS Feed

Popular teen social app Wishbone hacked

Popular teen social networking app Wishbone was hacked, according to a report today from Motherboard. Now, millions of email addresses and thousands of cell phone numbers are circulating the internet, many of them from kids under 18.

Wishbone is one of the top 10 most popular social networking apps for iPhone in the US, according to analyst firm App Annie. It lets users vote on pop-culture questions like whether they prefer Domino’s or Pizza Hut, whether they prefer eyeshadow or eyeliner, or which Kendall Jenner outfit they like best. After picking a side, they get to see how their friends voted. Hackers apparently accessed the app’s database through an unprotected API and took an estimated 2.2 million email addresses and over 287,000 cell phone numbers, along with personal information like birthdates and gender. No passwords or financial information were stolen, Wishbone said.

Wishbone owner Science Inc. told Motherboard the security hole is now fixed, and offered an apology to users in the following statement:

We value your privacy and deeply regret that this incident occurred. Maintaining the integrity of your personal information is extremely important to us. We sincerely apologize for any inconvenience this incident may have caused you. We are continuing to investigate this matter and have taken and will continue to take appropriate action to prevent future similar incidents. Please be assured that we will keep you informed of any developments in the investigation that may be of importance to you.

Via: TechCrunch

Source: Motherboard


Apple patches three zero-day exploits after activist is hacked

Apple has rolled out a patch for three previously unknown zero-day exploits that were used to hack into the iPhone 6 of Ahmed Mansoor, an award-winning human rights activist based in the United Arab Emirates. Security company Lookout and internet watchdog group Citizen Lab investigated the attack on Mansoor’s iPhone and found it to be the product of NSO Group, a “cyber war” organization based in Israel that’s responsible for distributing a powerful, government-exclusive spyware product called Pegasus.

The hack took advantage of three zero-day exploits that allowed the attackers to jailbreak Mansoor’s iPhone and install spyware to track his movements, record his WhatsApp and Viber calls, log his messages and access his microphone and camera. Given the high cost of iPhone zero-days and the use of a government-specific spyware product, Citizen Lab believes the UAE is behind the hack. The UAE has previously targeted Mansoor.

“We are not aware of any previous instance of an iPhone remote jailbreak used in the wild as part of a targeted attack campaign, making this a rare find,” Citizen Lab writes.

Once Citizen Lab discovered the zero-days, it contacted Apple and says the company responded promptly. Apple released a software update today, iOS 9.3.5, that addresses the three flaws.

Source: Citizen Lab, Apple, Lookout
