Enlarge (credit: Chaos Computer Club)

Hackers have broken the iris-based authentication in Samsung's Galaxy S8 smartphone in an easy-to-execute attack that's at odds with the manufacturer's claim that the mechanism is "one of the safest ways to keep your phone locked."

The cost of the hack is less than the $725 price for an unlocked Galaxy S8 phone, hackers with the Chaos Computer Club in Germany said Tuesday. All that was required was a digital camera, a laser printer (ironically, models made by Samsung provided the best results), and a contact lens. The hack required taking a picture of the subject's face, printing it on paper, superimposing the contact lens, and holding the image in front of the locked Galaxy S8. The photo need not be a close up, although using night-shot mode or removing the infrared filter helps. The hackers provided a video demonstration of the bypass.

Starbug, the moniker used by one of the principal researchers behind the hack, told Ars he singled out the Samsung Galaxy S8 because it's among the first flagship phones to offer iris recognition as an alternative to passwords and PINs. He said he suspects future mobile devices that offer iris recognition may be equally easy to hack. Despite the ease, both Samsung and Princeton Identity, the manufacturer of the iris-recognition technology used in the Galaxy S8, say iris recognition provides "airtight security" that allows consumers to "finally trust that their phones are protected." Princeton Identity also said the Samsung partnership "brings us one step closer to making iris recognition the standard for user authentication."

Enlarge (credit: Getty Images | Valery Brozhinsky)

On May 8, when the Federal Communications Commission website failed and many people were prevented from submitting comments about net neutrality, the cause seemed obvious. Comedian John Oliver had just aired a segment blasting FCC Chairman Ajit Pai's plan to gut net neutrality rules, and it appeared that the site just couldn't handle the sudden influx of comments.

But when the FCC released a statement explaining the website's downtime, the commission didn't mention the Oliver show or people submitting comments opposing Pai's plan. Instead, the FCC attributed the downtime solely to "multiple distributed denial-of-service attacks (DDoS)." These were "deliberate attempts by external actors to bombard the FCC's comment system with a high amount of traffic to our commercial cloud host," performed by "actors" who "were not attempting to file comments themselves; rather, they made it difficult for legitimate commenters to access and file with the FCC."

The FCC has faced skepticism from net neutrality activists who doubt the website was hit with multiple DDoS attacks at the same time that many new commenters were trying to protest the plan to eliminate the current net neutrality rules. Besides the large influx of legitimate comments, what appeared to be spam bots flooded the FCC with identical comments attributed to people whose names were drawn from data breaches, which is another possible cause of downtime. There are now more than 2.5 million comments on Pai's plan. The FCC is taking comments until August 16, and will make a final decision sometime after that.

Enlarge (credit: Health Service Journal)

Researchers have found more digital fingerprints tying this month's WCry ransomware worm to the same prolific hacking group that attacked Sony Pictures in 2014 and the Bangladesh Central Bank last year.

Last week, a researcher at Google identified identical code found in a WCry sample from February and an early 2015 version of Contopee, a malicious backdoor used by Lazarus Group, a hacking team that has been operating since at least 2011. Additional fingerprints linked Lazarus Group to hacks that wiped almost a terabyte's worth of data from Sony Pictures and siphoned a reported $81 million from the Bangladesh Central Bank last year. Researchers say Lazarus Group carries out hacks on behalf of North Korea.

On Monday, researchers from security firm Symantec presented additional evidence that further builds the case that WCry, which is also known as WannaCry, is closely linked to Lazarus Group. The evidence includes: