

  (Source: saraindia.org)
Oily residue could give away passwords or other vital information.

Touch screens could be compromised by a clever criminal to help figure out your password. That's the word coming out of a Usenix conference this week after researchers from the University of Pennsylvania presented their paper, "Smudge Attacks on Smartphone Touch Screens" [PDF].   

The researchers concluded that touch screens may pose a security risk. They argue that residual oil from the body leaves behind smudges that offer would-be attackers unauthorized access to a user's information.

The research suggests that ATMs, smartphones, voting machines, PIN entry devices and other devices can be susceptible, but that the Android graphical password pattern is particularly vulnerable, according to PC Pro.

"We believe smudge attacks based on reflective properties of oily residues are but one possible attack vector on touch screens," the report added. "In future work, we intend to investigate other devices that may be susceptible, and varied smudge attack styles, such as heat trails caused by the heat transfer of a finger touching a screen."

"The practice of entering sensitive information via touch screens needs careful analysis in light of our results."

The Android phone was the main focus of their research.  They analyzed the swipe-style unlock system on the Android phone HTC G1 and the HTC Nexus One models.  They were able to recreate access codes for the phone by using a camera, computer and photo-editing software.  

They photographed the screen using various camera angles and lighting positions.  They increased the contrast and studied the directional patterns of the smudges and figured out the sequences of patterns.  

They were successful in unlocking the Android phones over 90 percent of the time.
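To put the finding in numbers, the following added example (not from the article or the researchers' paper) counts the valid Android unlock patterns and how few remain once residue shows which dots were touched. It assumes the standard pattern rules, which the article does not spell out: a 3x3 grid, 4 to 9 dots, no dot reused, and no stroke jumping over an unvisited dot. The function names and the sample smudge are constructed for illustration.

```python
MIN_DOTS = 4                      # shortest pattern Android accepts (assumed rule)
GRID = frozenset(range(9))        # dots numbered 0..8, row by row

def _middle(a, b):
    """Dot lying exactly between a and b, or None if the stroke skips nothing."""
    ra, ca, rb, cb = a // 3, a % 3, b // 3, b % 3
    if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return (ra + rb) // 2 * 3 + (ca + cb) // 2
    return None

def count_by_length(allowed=GRID):
    """Number of valid patterns, keyed by dot count, drawn only on `allowed`."""
    counts = {n: 0 for n in range(MIN_DOTS, len(allowed) + 1)}

    def walk(last, used):
        if len(used) >= MIN_DOTS:
            counts[len(used)] += 1
        for nxt in allowed - used:
            mid = _middle(last, nxt)
            # A stroke over a dot is legal only if that dot is already used;
            # otherwise the phone would select it (and it would be smudged).
            if mid is None or mid in used:
                walk(nxt, used | {nxt})

    for start in allowed:
        walk(start, frozenset([start]))
    return counts

def candidates_for_smudge(dots):
    """Patterns left when residue shows which dots were touched, not the order."""
    dots = frozenset(dots)
    return count_by_length(dots).get(len(dots), 0)

if __name__ == "__main__":
    total = sum(count_by_length().values())
    print("all valid patterns:", total)
    smudge = {0, 1, 2, 4, 6, 7, 8}          # constructed sample: a "Z" shape
    left = candidates_for_smudge(smudge)
    print(f"dots {sorted(smudge)} known: {left} candidates remain")
```

The gap between the two printed numbers is the protection the pattern loses when the touched dots are readable from the glass.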




Don't want to sound like captain obvious but...
By Quadrillity on 8/12/2010 2:30:41 PM , Rating: 2
wipe off your screen when you are away from your phone, maybe?




RE: Don't want to sound like captain obvious but...
By nafhan on 8/12/2010 3:03:01 PM , Rating: 2
Or rub it in oil :)


RE: Don't want to sound like captain obvious but...
By nstott on 8/12/2010 3:52:38 PM , Rating: 3
Or have it with some fava beans and a nice chianti.


By chagrinnin on 8/13/2010 12:12:59 PM , Rating: 2
svch-svch-svch-svch


By Camikazi on 8/12/2010 4:21:34 PM , Rating: 3
That is one of my things with Touchscreens, I can't stand fingerprints on my screens so I am always cleaning mine and cause of that there are no prints! Guess my little OCD helps in this case.


By Lazarus Dark on 8/12/2010 9:48:49 PM , Rating: 2
Skinomi
http://www.amazon.com/s/ref=nb_sb_noss?url=search-...

Solved all my finger smudge issues, now everyone I know with a touchscreen is using Skinomi.


Possible workaround...
By teko on 8/12/2010 2:09:59 PM , Rating: 3
Use overlapping gestures for your login screen. So it's harder to tell where it starts/finishes. If that works at all...




RE: Possible workaround...
By sviola on 8/12/2010 3:07:43 PM , Rating: 2
It would be easier to have the characters you type for a password to appear randomly on the screen...


RE: Possible workaround...
By CZroe on 8/12/2010 3:47:39 PM , Rating: 5
AND you have to drag them to an "Input box" that's also sliding all over the screen, Pong-style. ;)


RE: Possible workaround...
By camylarde on 8/13/2010 10:27:49 AM , Rating: 2
Gimme just 15 minutes, I need to open my address book on the phone.


Secure or Security
By dreddly on 8/12/2010 1:56:54 PM , Rating: 2
Is getting access to a smartphone a high security risk? This doesn't really seem like an exploit or likely security scenario, as most phones can be rooted or accessed if you have enough time to sit down with them.

Using a camera and having the time to sit down with the phone is probably the primary way your phone will be 'unsecure'.

This doesn't seem like a legitimate 'security' threat....




RE: Secure or Security
By spread on 8/12/2010 2:01:25 PM , Rating: 2
Maybe it's just a ruse to get funding for anti-smudge screens.

That would be sweet.


RE: Secure or Security
By Dark Legion on 8/12/2010 4:17:42 PM , Rating: 2
Regardless, bring them on!


This was worth mentioning?
By mindless1 on 8/12/2010 9:31:00 PM , Rating: 4
Some things don't need to be said, and in related news have you heard about the new SIGHT-BASED password attack?

Yep... rumor has it that if someone sees you type in your password they can potentially replicate that.




RE: This was worth mentioning?
By AssBall on 8/12/2010 10:11:04 PM , Rating: 2
I share your confusion.


Does it REALLY work in the wild?
By HighWing on 8/12/2010 4:03:04 PM , Rating: 3
Just a thought, but testing this in a lab where a majority of the strokes on the phone are for entering the password/code, it only makes sense that they got the results they did...

However, in the real world, people touch their phone for a LOT more than just entering security passwords. I would like to see them actually test phones older than a few days/weeks where the users heavily used the phones for games and web surfing and see if they can still get their claimed 90% unlock rate.




By kmmatney on 8/12/2010 8:32:37 PM , Rating: 2
Exactly - this assumes that someone got a hold of a phone where the clean was just cleaned, and only the password was entered. Even with a clean screen, with an alphanumeric password, they would not know the order that keys were pressed. But I really doubt this is a real security threat...


Interesting....
By Souka on 8/12/2010 2:17:25 PM , Rating: 4
If I lose my phone, I just issue a wipe command remotely...nukes the phone and SD contents.
Yes, someone could be smart enough to take it offline, but they'd have to unlock it first with my custom swipe pattern. Company email is protected by a pin# also.

Also...regarding touch screen security... at my previous job we had a magnetic card + security code you had to punch in to get into our server room.

The keypad would randomize the position of the numbers each time it powered on and had a very narrow viewing angle. Illumination of the numbers looked like those old calculators from the 70's/80's with red neon-like characters.

I'd imagine something like this could easily be implemented with voting booths... the question order could be random along with the corresponding screen area to press for the voter's choice.

My $.02




Keep It Simple
By DtTall on 8/12/2010 3:08:41 PM , Rating: 2
I just have an anti-glare sheet over the top of my iPhone. I guess the display is a little less crisp/shiny, but my finger leaves no noticeable smudges on the screen.

Not the best long term solution, but it is an easy fix that can be done right now.




RE: Keep It Simple
By Quadrillity on 8/12/2010 3:55:19 PM , Rating: 2
quote:
...iPhone... Not the best long term solution, but it is an easy fix that can be done right now.


Sorry, I couldn't resist the urge to remember the recent rubber-band fix :)


fingerprints
By Murloc on 8/12/2010 4:17:08 PM , Rating: 2
you could always add a fingerprint security to the phone if you think that some advanced guy may want to access your phone.
Or just randomize characters




RE: fingerprints
By ClownPuncher on 8/12/2010 7:28:15 PM , Rating: 2
Or wash your hands.


This is hardly news...
By DanNeely on 8/12/2010 2:19:36 PM , Rating: 3
The numberpad I have to use to open secure doors at work randomizes the digit placement every time to thwart this sort of attack. They looked old when I started here 5+ years ago.




I guess
By PitViper2057 on 8/12/2010 2:38:29 PM , Rating: 3
I guess if all you ever touched the screen for was to unlock it...




MacGyver
By The Raven on 8/13/2010 9:59:11 AM , Rating: 2
Yes, MacGyver taught me how to get this sensitive data.
You take a pencil and rub the lead on a sheet of paper until you have a pile of graphite. Then you blow the graphite on to the phone and use a piece of tape to pick up their finger prints. Then you use the tape to make a pattern and use the fingerprint to gain access to the phone. You also could see what 'buttons' the owner pushed the most, narrowing the number of possible passwords. Then it would be a walk in the park to crack their code.

He also would sometimes get information by looking over their shoulder.

What is wrong with people these days? Why don't they watch more MacGyver. More MacGyver and less MacGruber.




RE: MacGyver
By Lerianis on 8/13/2010 11:53:59 PM , Rating: 1
Yeah, MacGyver did this in 4 or 5 episodes of the series.... the first time I believe was in an episode of Season 2 where he was breaking into that computerized military base and the computer became 'sentient' and freaked out that he got inside and it didn't know who he was!


And, in other news...
By redbone75 on 8/13/2010 8:51:19 AM , Rating: 2
All your data are belong to us!




A better way
By SnakeBlitzken on 8/13/2010 9:38:59 AM , Rating: 2
Still, the best way to steal a password is to mail the victim a rare, antique political button coated in lemon juice. Sneak into the facility late at night and use a special light to see what keys they touched on the keyboard. Well, it worked for Nicolas Cage anyway.




For once, Hollywood leads the pack.
By FoxFour on 8/13/2010 11:50:52 AM , Rating: 2
Just how many movies have there been over the last decade in which someone used the fingerprints left on a touch-screen or keypad to figure out the code/combination? I can think of a dozen off the top of my head.

Now suddenly someone has presented a paper on the subject and it's news to everyone?




By tygrus on 8/13/2010 6:12:42 PM , Rating: 2
Internet banking sites sometimes use a method for PIN entry which protects the sequence. Instead of a text box they use a pop-up box with the 11 buttons (10 digits plus OK) which are randomly allocated and positioned eg..
5 2 8
1 0 3
9 4 6
7 OK

Simple Key-loggers can't capture but I guess faster internet (and faster CPU for compression) has enabled loggers to capture screen, keyboard and mouse. The idea should work well with touch screens. Can be adapted for alphabetical input.
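The randomized pad described in the comment above (and in the door-keypad comments earlier in the thread), as an added example that is not part of any comment or of the article: a fresh layout per entry, with the touched cells mapped back to digits by the verifier. The function names, the ten-cell numbering and the sample PIN are assumptions made for illustration.

```python
import hmac
import secrets

DIGITS = "0123456789"
_rng = secrets.SystemRandom()          # OS CSPRNG, so layouts are unpredictable

def new_layout():
    """Fresh random pad: layout[i] is the digit drawn in cell i (cells 0..9)."""
    layout = list(DIGITS)
    _rng.shuffle(layout)
    return layout

def taps_for(pin, layout):
    """Cells a user touches (or clicks) to enter `pin` on this pad."""
    return [layout.index(d) for d in pin]

def verify(taps, layout, expected_pin):
    """Verifier side: map touched cells back to digits, compare in constant time."""
    if any(not 0 <= t < len(layout) for t in taps):
        return False
    entered = "".join(layout[t] for t in taps)
    return hmac.compare_digest(entered, expected_pin)

def cells_touched(pin, layouts):
    """Union of cells touched over several entries: what residue on the pad shows."""
    seen = set()
    for layout in layouts:
        seen.update(taps_for(pin, layout))
    return seen

if __name__ == "__main__":
    pin = "2580"                                   # constructed sample PIN
    fixed = [list(DIGITS)] * 200                   # conventional pad, same every time
    shuffled = [new_layout() for _ in range(200)]  # new pad for every entry
    print("fixed pad, cells touched:   ", sorted(cells_touched(pin, fixed)))
    print("shuffled pad, cells touched:", sorted(cells_touched(pin, shuffled)))
    print("replaying old taps on a new pad verifies:",
          verify(taps_for(pin, shuffled[0]), shuffled[1], pin))
```

On the fixed pad the residue always marks the same four cells; on the shuffled pad it spreads over every cell, so touch positions no longer identify digits.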




known about this
By subverb on 8/16/2010 11:26:49 AM , Rating: 2
This, at least to me and my friends, has been known for quite some time. A few of us all have Android devices and when one's not looking we will grab others' phones to change the background picture to something embarrassing or stupid. Yes, not very mature but for college students it helps give us a quick laugh. We just angle the phone so the light hits the screen to show off the smudges clearly.

It works for iPhones too, but definitely not as easily to "hack" as the Android pattern system.



