Smudges on Touchscreen Phones Could Reveal User Passwords
A study by the Department of Computer and Information Science at the University of Pennsylvania has found that it is possible to uncover passwords by analyzing the smudges left on touchscreen phones. Touch screens are touched, so oily residues, or smudges, remain on the screen as a side effect. Latent smudges may be usable to infer recently and frequently touched areas of the screen, a form of information leakage.
The researchers said that they believe smudge attacks are a threat for three reasons. First, smudges are surprisingly persistent in time. Second, it is surprisingly difficult to incidentally obscure or delete smudges through wiping or pocketing the device. Third and finally, collecting and analyzing oily residue smudges can be done with readily-available equipment such as a camera and a computer.
The analysis requires a photograph of the screen to be uploaded to a computer. However, the presumption that lighting conditions would affect the quality of the photo, and hence the ability to extract passwords, was shown to be false. In one experiment, the pattern was partially identifiable in 92% and fully in 68% of the tested lighting and camera setups. Even in the researchers' worst-performing experiment, under less than ideal pattern entry conditions, the pattern could be partially extracted in 37% of the setups and fully in 14% of them.
By enhancing the photo of the screen on the computer, the smudge patterns could be seen. Critically, the requirements placed on the password structure used in Android phones resulted in distinctive patterns, which led to the ability to work out which "buttons" were pressed.
In particular, there are three restrictions on acceptable patterns. The password must contact a minimum of four points, so a single stroke is unacceptable. Additionally, a contact point can only be used once. These two restrictions imply that every pattern will have at least one direction change, and as the number of contact points increases, more and more such direction changes are required. The third restriction concerns intermediate contact points: a stroke that passes directly over a point that has not yet been used includes that point in the pattern, so an unused point cannot be skipped over.
Due to the intermediate contact point restriction, the password space of the Android password pattern contains 389,112 possible patterns. This is significantly smaller than a general ordering of contact points, which contains nearly 1 million possible patterns. Still, this is a reasonably large space of patterns, but when considering the information leakage of smudge attacks, an attacker can select a highly likely set of patterns, increasing her chances of guessing the correct one before the phone locks out.
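As an added example, not code from the paper or from this article, the following Python script enumerates the 3x3 Android pattern space under the three restrictions described above and reproduces the 389,112 figure, alongside the count of unrestricted orderings of four to nine distinct points that the text compares it against. Cell numbering (1 to 9, left to right, top to bottom) and the intermediate-point table are assumptions of this example.

```python
"""Count Android 3x3 unlock patterns under the rules the article describes."""
from math import perm

# Cells are numbered 1..9 left-to-right, top-to-bottom. For every pair of cells
# whose connecting segment passes through the centre of a third cell, that third
# cell is the intermediate point that must already be part of the pattern.
SKIP = {}
for a, b, mid in [(1, 3, 2), (4, 6, 5), (7, 9, 8),   # rows
                  (1, 7, 4), (2, 8, 5), (3, 9, 6),   # columns
                  (1, 9, 5), (3, 7, 5)]:             # diagonals
    SKIP[(a, b)] = SKIP[(b, a)] = mid


def count_patterns(min_len=4, max_len=9):
    """Number of valid patterns using between min_len and max_len distinct cells.

    A move from `cur` to `nxt` is allowed only if `nxt` is unvisited (each point
    used once) and, where the segment crosses a third cell, that cell is already
    in the pattern (intermediate contact point restriction). The minimum length
    enforces the "at least four points" rule.
    """
    def dfs(cur, visited, length):
        total = 1 if length >= min_len else 0
        if length == max_len:
            return total
        for nxt in range(1, 10):
            if visited & (1 << nxt):
                continue
            mid = SKIP.get((cur, nxt))
            if mid is not None and not visited & (1 << mid):
                continue
            total += dfs(nxt, visited | (1 << nxt), length + 1)
        return total

    return sum(dfs(start, 1 << start, 1) for start in range(1, 10))


def count_unrestricted(min_len=4, max_len=9):
    """Plain orderings of min_len..max_len distinct cells, ignoring the skip rule."""
    return sum(perm(9, k) for k in range(min_len, max_len + 1))


if __name__ == "__main__":
    print("Android pattern space:", count_patterns())       # 389112
    print("Unrestricted orderings:", count_unrestricted())  # 985824
```

The gap between the two numbers is exactly what the intermediate-point rule removes; the smudge leak then narrows the 389,112 further to the subset consistent with the touched cells.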
The paper concluded that the practice of entering sensitive information via touch screens needs careful analysis in light of their results. The Android password pattern, in particular, should be strengthened.
On the web: Smudge Attacks on Smartphone Touch Screens