Touchscreens open to smudge attacks

Google Nexus One

Android phones hacked by researchers using smudges on the touchscreen

Greasy fingerprints can take the shine off a new touchscreen handset, and the smudges they leave behind could also leave it open to hacking, according to researchers.

When touchscreen devices are held up to the face, they pick up oil from the skin, explained researchers from the University of Pennsylvania at the Usenix security conference. The next time the password is entered, the pattern can be traced – and photographed – in the resulting smudges.

"Touchscreens are touched, so oily residues, or smudges, remain on the screen as a side effect," the report said. "Latent smudges may be usable to infer recently and frequently touched areas of the screen – a form of information leakage."

The researchers tested Android handsets because the Google OS uses a graphical password, with users tracing a pattern on the phone to unlock the device. In ideal lighting conditions, the researchers managed to decipher the phone’s password 92% of the time by taking photos of the screen and bumping up the contrast.

Slipping a phone into a pocket isn’t enough to clean the password trail from the screen, the researchers found, so anyone wary of such an attack should take care to wipe their phone down frequently.

While smudge attacks might sound trivial, the researchers said the threat was genuine because it was so easy to analyse the patterns with just a computer and camera.

Although the experiment focused on Android handsets, the resarchers said smudge attacks could be used against other touchscreen devices, including bank machines, voting devices, and PIN entry systems.

“We believe smudge attacks based on reflective properties of oily residues are but one possible attack vector on touch screens,” the report added. “In future work, we intend to investigate other devices that may be susceptible, and varied smudge attack styles, such as heat trails caused by the heat transfer of a finger touching a screen.

"The practice of entering sensitive information via touchscreens needs careful analysis in light of our results."

The researchers said the Android password pattern needed to be strengthened, but noted that Android 2.2 will also include the option to use an alphanumeric password.

Read more

News