The Hacker News — Cyber Security, Hacking, Technology News

With the growing number of cyber attacks and data breaches, a number of tech companies and organisations have started Bug Bounty programs for encouraging hackers, bug hunters and researchers to find and responsibly report bugs in their services and get rewarded.

Samsung is the latest in the list of tech companies to launch a bug bounty program, announcing that the South Korean electronics giant will offer rewards of up to $200,000 to anyone who discovers vulnerabilities in its mobile devices and associated software.

Dubbed Mobile Security Rewards Program, the newly-launched bug bounty program will cover 38 Samsung mobile devices released from 2016 onwards which currently receive monthly or quarterly security updates from the company.

So, if you want to take part in the Samsung Mobile Security Rewards Program, you have these devices as your target—the Galaxy S, Galaxy Note, Galaxy A, Galaxy J, and the Galaxy Tab series, as well as Samsung's flagship devices, the S8, S8+, and Note 8.

"We take security and privacy issues very seriously; and as an appreciation for helping Samsung Mobile improve the security of our products and minimizing risk to our end-consumers, we are offering a rewards program for eligible security vulnerability reports," the company explains on its bug bounty website. 

"We look forward to your continued interests and participations in our Samsung Mobile Security Rewards Program. Through this rewards program, we hope to build and maintain valuable relationships with researchers who coordinate disclosure of security issues with Samsung Mobile."

Not just mobile devices, the tech giant's Mobile Services suite is also part of its bug bounty program, which will also cover apps and services such as Bixby, Samsung Account, Samsung Pay, Samsung Pass, among others.

For the eligibility of a reward, researchers and bug hunters need to provide a valid proof-of-concept (PoC) exploit that can compromise a Samsung handset without requiring any physical connection or third-party application.

The company will evaluate the reward depending on the severity level of the vulnerability (Critical, High, Moderate, and Low) and its impact on devices. The least reward is $200, which is for low-severity flaws, while the highest reward is $200,000, which is for critical bugs.

The Higher reward will be offered for bugs that lead to trusted execution environment (TEE) or Bootloader compromise. The level of severity will be determined by Samsung.

Samsung’s bounty of $200,000 is equal to the bounty reward offered under Apple's bug bounty program but is slightly lower than Microsoft's newly launched bounty program that offers $250,000 for Windows 10 security bugs.

Following the path of major tech companies, the non-profit group behind Tor Project recently joined hands with HackerOne to launch its own bug bounty program, with the highest payout for the flaws has been kept $4,000.

So, what you are waiting for? Hunt for bugs in Samsung products and submit your findings to the company via the Security Reporting page.

Samsung recently launched its new flagship smartphones, the Galaxy S8 and Galaxy S8 Plus, with both Facial and IRIS Recognition features, making it easier for users to unlock their smartphone and signing into websites.

We already knew that the Galaxy S8's facial unlock feature could be easily fooled with just a simple photograph of the device owner, but now hackers have also discovered a simple way to bypass the iris-based authentication, which Samsung wants you to think is unbeatable.

All it took for German hacking group Chaos Computer Club (CCC) to break the Galaxy S8's iris-recognition system was nothing but a camera, a printer, and a contact lens.

The white hat hacking group also published a video showing how to defeat Samsung's iris scanner.

Video Demonstration — Bypassing Iris Scanner

The process was very simple. The CCC group simply used the night mode setting on a Sony digital camera to capture a medium range photo of their subject.

Since the iris scanner uses infrared light, the group then printed out a real-life sized infrared image of one eye using a Samsung printer and placed a contact lens on the top of the printed picture to provide some depth. And, it was done.

The Samsung Galaxy S8 instantly recognized the mare photo as being a "real" human eye and unlocked the phone, giving hackers full access to the phone, including Samsung Pay.

So, the hackers successfully bypassed Galaxy S8's iris-based authentication, which Samsung claims is "one of the safest ways to keep your phone locked."

"The patterns in your irises are unique to you and are virtually impossible to replicate, meaning iris authentication is one of the safest ways to keep your phone locked and the contents private," Samsung's official website reads.

Here's what Samsung said about the iris-recognition system hack:

"We are aware of the issue, but we would like to assure our customers that the iris scanning technology in the Galaxy S8 has been developed through rigorous testing to provide a high level of accuracy and prevent attempts to compromise its security, such as images of a person's iris. If there is a potential vulnerability or the advent of a new method that challenges our efforts to ensure security at any time, we will respond as quickly as possible to resolve the issue."

This is not the first time when CCC hacked into biometric systems. Late 2014, the group recreated an accurate thumbprint a fingerprint of a Germany's federal minister of defense using a standard photo that could fool any fingerprint security systems. The same technique the group also claimed could be used to fool IRIS Biometric security systems.

In March 2013, the CCC group managed to fool Apple's TouchID fingerprint authentication system.

So, it is a good reminder for people to always stick on a strong passcode and device encryption to secure their devices, instead of relying on biometric features, like fingerprint scan, IRIS scan, or facial recognition, that can eventually be broken by a determined hacker.

Samsung launched its new flagship smartphones, the Galaxy S8 and Galaxy S8 Plus, at its Unpacked 2017 event on Wednesday in New York, with both IRIS and Facial Recognition features, making it easier for users to unlock their smartphone and signing into websites.

All users need to do is simply hold their Galaxy S8 or S8 Plus in front of their eyes or their entire face, as if they were taking a selfie, in order to unlock their phone.

Biometric technology – that involve person's unique identification (ID), such as Retinal, IRIS, Fingerprint or DNA – is now being integrated into more consumer devices for improved security.

But, we have seen a number of hacks involving Biometric security systems in the past, which prove that fingerprint scanner and IRIS scanner are less secure than a passcode and can be fooled by anyone, perhaps, using a photograph of the user.

But how secure is the built-in sensor from Samsung to allow for facial recognition? Not so much...at least for now.

I was wondering if the new facial recognition integrated into Samsung's Galaxy S8 and S8 Plus can be fooled into unlocking a device using a photograph of the device owner, and somebody just made it possible.

Video Demonstration

YouTube vlogger iDeviceHelp posted a video on his channel, in which Marcianotech demonstrated that unlocking a Galaxy S8 or Galaxy S8 Plus is as simple as getting the device owner's picture from Facebook and waving that photo at the phone.

It is unclear, at this moment, as to how precise the photo used in the demonstration should be compared to the real face? Or at what distance the phone was held from the camera? Or what angle they chose during the registration of the recognition?

But what's clear is the fact that a gap remains in the security system of the Samsung's new facial recognition feature.

Moreover, there are reports that Samsung’s Galaxy S8 would include a facial recognition feature for mobile payments in the coming months.

The company has yet to comment on this issue, so we hope that this is because the software is still in a demo state for now, or maybe it is just a bug that Samsung will be addressing before the device ships out on April 21.

Whatever be the case, the Galaxy S8 and S8 Plus do offer other security tools, including IRIS scanning and fingerprint scanning, as well, so you'd rather use these security features to unlock your device, or simply your passcode; instead of the facial recognition, for now.