Touchscreens open to smudge attacks
By Nicole Kobie
Posted on 11 Aug 2010 at 11:09
Greasy fingerprints can take the shine off a new touchscreen handset, and the smudges they leave behind could also leave it open to hacking, according to researchers.
When touchscreen devices are held up to the face, they pick up oil from the skin, explained researchers from the University of Pennsylvania at the Usenix security conference. The next time the password is entered, the pattern can be traced – and photographed – in the resulting smudges.
"Touchscreens are touched, so oily residues, or smudges, remain on the screen as a side effect," the report said. "Latent smudges may be usable to infer recently and frequently touched areas of the screen – a form of information leakage."
The researchers tested Android handsets because the Google OS uses a graphical password, with users tracing a pattern on the phone to unlock the device. In ideal lighting conditions, the researchers managed to decipher the phone’s password 92% of the time by taking photos of the screen and bumping up the contrast.
Slipping a phone into a pocket isn’t enough to clean the password trail from the screen, the researchers found, so anyone wary of such an attack should take care to wipe their phone down frequently.
While smudge attacks might sound trivial, the researchers said the threat was genuine because it was so easy to analyse the patterns with just a computer and camera.
Although the experiment focused on Android handsets, the researchers said smudge attacks could be used against other touchscreen devices, including bank machines, voting devices, and PIN entry systems.
“We believe smudge attacks based on reflective properties of oily residues are but one possible attack vector on touch screens,” the report added. “In future work, we intend to investigate other devices that may be susceptible, and varied smudge attack styles, such as heat trails caused by the heat transfer of a finger touching a screen.
"The practice of entering sensitive information via touchscreens needs careful analysis in light of our results."
The researchers said the Android password pattern needed to be strengthened, but noted that Android 2.2 will also include the option to use an alphanumeric password.
Quite a few weaknesses in Android then... never mind ordinary hacking, it also has weak passwords! Great.
By SwissMac on 11 Aug 2010
Safer in general
Android might be vulnerable to 'smudge attacks' but I still think the graphical password is far safer.
My 'password' on my android phone is highly complicated but is easy for me to remember just by shape.
Compare that to coming up with a 'complicated' alphanumeric password and most people tend to do simple ones.
By nilathomas on 11 Aug 2010
"most people tend to do simple ones"
Indeed - why can't security people realise that strong passwords have to get written down because they're not memorable? On yes, I know all about the trick of taking the initial letters of memorable phrase - trouble is most people have about 3 memorable phrases at most and the graduates from security school also insist on changing passwords frequently with no repetition for X cycles.
I'm struggling to appreciate the true impact of this vulnerability - neat party trick but wouldn't subsequent use of the touch screen confuse the issue radically?
By AdrianB on 11 Aug 2010
exactly AdrianB. This is great if an Android user puts in their password and then does nothing with it(highly unlikely) but if they then decide to use the phone to browse etc. then the print gets smudged more and makes the password even harder to find.
By TimoGunt on 11 Aug 2010
http://www.passfaces.com/ gets around this by changing the locations of the keys, a side effect of its very cool approach to password management.
By phenotypical on 11 Aug 2010
The standard password system on Eclair is more secure than that of an iPhone 3GS's (you obviously have some form of iPhone). This is mathematical of course as there are many more combinations for the pattern unlock than the simple 4 digit PIN (work it out if you don't believe me!). You may argue that now the iPhone has alphanumeric passwords too but as does the latest Froyo update. Not that I want to spoil your fun but this "hack" could easily work on an iPhone too as you'd just need to see which numbers were pressed (left by marks from your hand like on the Android test). Stop being such a troll and realise that maybe everything Apple makes isn't the best in the world.
By rowanparker_uk on 11 Aug 2010
Why don't they just make an app that recognizes your face and use that as your password. Though I do think all this is bull as nobody just enters their password - they mostly always follow through by checking/sending texts or surfing the net, therefore the smudge is lost.
By nicomo on 11 Aug 2010
Surely there are far easier ways to get past the lock screen than "taking photos of the screen and bumping up the contrast"? The bloke down the market will do it far quicker for a couple of quid.
By nelviticus on 11 Aug 2010
I think if you read this properly you'll find it is about touch screens and not Android (clue's in the title).
By Gz_peterbird38e3 on 12 Aug 2010
Is this an Apple smear campaign against Android?
By milliganp on 12 Aug 2010
What an absolute load of shit, what a complete waste of time. Why am I even commenting on this. What a complete non-story. Oh my god. Oh. My. God.
By deejerox on 12 Aug 2010
It sounds as terribly overblown as the idea that the speech recognition in Windows could somehow be exploited. After all, don't most people not really like smudges on their screens? I don't even have a touchscreen and I try and remove any smudges whenever I use my phone.
By qwertyqwerty87 on 12 Aug 2010
Seems a bit "CSI" to me.
By james016 on 13 Aug 2010
The weakness in graphical passwords is that there are only a few ways in which you can enter a trace. Even if you know what numbers are involved in a PIN code, you still have to work out the correct sequence (of 5040 possibilities). The iPhone PIN can be 6 (151200 combinations) or 8 digits (1814400 combinations, assuming no digit is used twice) if you prefer, making it exponentially harder to hack. The iPhone 4 has an oleophobic covering so there is less chance of a greasy tell-tale print. Nonetheless I agree with deejerox. Non-story.
By Nexxo on 13 Aug 2010
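The article and the comment above both turn on one question: how much of the unlock keyspace is left once a latent smudge tells an observer which keys were touched? The script below is an added illustration for readers, not code from the University of Pennsylvania paper or from PC Pro. It enumerates the 3x3 Android pattern space under the usual rules (4 to 9 distinct nodes, no straight move across an unvisited node), then counts how many patterns or PINs remain consistent with a set of smudged keys. It assumes the smudge reveals only which nodes or keys were touched, not the order; the smudged sets used are constructed examples.

```python
"""Quantify what a latent smudge gives away: how many unlock secrets stay
consistent with the set of touched keys. Added illustration, not the
researchers' code. The smudged sets below are constructed, not observed."""
from math import comb, perm

# --- Android 3x3 pattern lock ------------------------------------------
# Node i sits at row i // 3, column i % 3. A pattern visits 4 to 9 distinct
# nodes; a straight move across an unvisited node is not allowed because
# the lock would capture that node too (assumed rule set).
GRID = [(i // 3, i % 3) for i in range(9)]


def _skipped_node(a, b):
    """Node lying exactly between a and b, or None if the move skips nothing."""
    ra, ca = GRID[a]
    rb, cb = GRID[b]
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None
    return ((ra + rb) // 2) * 3 + (ca + cb) // 2


def enumerate_patterns():
    """All valid unlock patterns as tuples of node indices."""
    found = []

    def dfs(path, visited):
        if len(path) >= 4:
            found.append(tuple(path))
        for nxt in range(9):
            if visited[nxt]:
                continue
            mid = _skipped_node(path[-1], nxt)
            if mid is not None and not visited[mid]:
                continue  # would jump over an untouched node
            visited[nxt] = True
            path.append(nxt)
            dfs(path, visited)
            path.pop()
            visited[nxt] = False

    for start in range(9):
        visited = [False] * 9
        visited[start] = True
        dfs([start], visited)
    return found


PATTERNS = enumerate_patterns()  # 389,112 patterns under these rules


def patterns_matching_smudge(touched):
    """Patterns whose node set is exactly the smudged nodes (order unknown)."""
    touched = frozenset(touched)
    return [p for p in PATTERNS if frozenset(p) == touched]


# --- numeric PIN pads --------------------------------------------------
def pin_space_no_repeats(length):
    """PINs of the given length with no digit reused: 10 x 9 x 8 x ..."""
    return perm(10, length)


def pins_matching_smudge(length, distinct_keys):
    """Length-n digit strings that use every one of k smudged keys at least
    once (inclusion-exclusion over the keys that could be left unused)."""
    k = distinct_keys
    if k > length or k == 0:
        return 0
    return sum((-1) ** j * comb(k, j) * (k - j) ** length for j in range(k + 1))


if __name__ == "__main__":
    print("total patterns:", len(PATTERNS))
    # constructed example: smudges on nodes 0, 3, 6, 7 (an L down the left edge)
    print("patterns for smudged set {0,3,6,7}:",
          len(patterns_matching_smudge({0, 3, 6, 7})))
    for n in (4, 6, 8):
        print(f"{n}-digit PINs, no repeats: {pin_space_no_repeats(n)}; "
              f"with all {n} keys smudged: {pins_matching_smudge(n, n)}")
```

The PIN figures reproduce the 5040 / 151200 / 1814400 keyspaces quoted in the comment, and then show what is left once the touched keys are known: a 4-digit PIN whose four keys are all smudged has 24 orderings, and an L-shaped smudge over four pattern nodes leaves 18 candidate patterns out of 389,112. That shrinkage, rather than the photograph itself, is the information leakage the researchers describe, and it is the reason the paper argues for longer secrets, alphanumeric unlocks and wiping the screen.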
RS Touch Screens
RS Touch Screens.com supply high quality industrial touch screens. We are becoming recognised as one of the UK's fastest growing touch screen suppliers and are going from strength to strength.
Our products can be incorporated within many different applications such as LCD monitor upgrades, kiosks, epos systems, panel PCs and many more. Our kits are extremely easy to set-up and use. We offer user-friendly USB plug and play kits. These kits include a resistive or SAW touch screen, PCB driver, USB leads & Windows / MAC / Linux software.
By rstouchscreens on 29 Dec 2010