Google Security Technology

Touchscreens Open To Smudge Attacks 185

Posted by CmdrTaco
from the windex-security dept.
nk497 writes "The smudges left behind on touchscreen devices could be used to decipher passwords to gain access, according to researchers at the University of Pennsylvania. The report tested the idea out (PDF) on Android phones, which use a graphical pattern that the user traces to unlock the handset. The researchers took photos of the smudge trails left on the screen and bumped up the contrast, finding they could unlock the phone 92% of the time. While they noted Android 2.2 also offers an alphanumeric password option, the researchers claimed such a smudge attack could be used against other touchscreen interfaces, including bank machines and voting machines. 'In future work, we intend to investigate other devices that may be susceptible, and varied smudge attack styles, such as heat trails caused by the heat transfer of a finger touching a screen,' they said."
  • Rather simple fix (Score:5, Insightful)

    by Halifax Samuels (1124719) on Wednesday August 11, 2010 @08:02AM (#33214280)
    It would be easy enough to implement an alphanumeric password on a keyboard that's always a different shape / place on the screen. Or just instruct users to wipe their hand across the screen a few times on public touchscreens - maybe include a small microfiber cloth attached to the kiosk / ATM / whatever to clean it with.
    • by Lumpy (12016)

      Easier yet. Install a matte anti-glare screen protector and suddenly this goes away. It's been a "problem" for decades. If you wanted to, you could dust a keypad for fingerprints and see the buttons that are the most used.

      Solution? Wipe the screen regularly or don't use your iPad while eating barbecue ribs.

      • Re: (Score:3, Funny)

        by dmomo (256005)

        > Solution? Wipe the screen regularly or don't use your iPad while eating barbecue ribs.

        So, never use an iPad?

      • by delinear (991444)
        Public machines could also have some mechanism to wipe the screen after use, some shutter mechanism with a microfibre cloth. As a bonus it could be disinfectant, too - I always worry what I might catch on these public terminals.
    • Rather than a random keyboard, they should be using Passfaces [passfaces.com]. A grid of random face photos is shown, with one of the faces, a key face, belonging to a set that the user has chosen. Do this a couple of times with random key faces and you've authenticated the user. Since the position of the photo within the grid is random, tracking the smudges won't help.
      • by Americano (920576)

        For PIN entry, something I've seen done for touchscreens is that the PIN keyboard (whatever alphanumerics are allowed) has a randomized layout.

        Similar to what you describe, the position and pattern followed by typing out your PIN on the randomly-placed keys will rarely be "the same", making it much harder to deduce the PIN based on fingerprint positioning.

        • > For PIN entry, something I've seen done for touchscreens is that the PIN keyboard (whatever alphanumerics are allowed) has a randomized layout.

          The advantage that passface technology has is that it is well nigh impossible to write down the password. At the same time, it is very easy for most people to recognize someone they know. So if you see eight strangers and Uncle Bob (assuming a 3x3 grid) it's very easy to know what to press, even if you forgot that Uncle Bob was in your "recognized" list.
          • by Americano (920576)

            True, I'd expect it would work as well as a PIN code. I think the randomized layout thing in either case handily prevents the "smudge" attack being discussed.

    • by IBBoard (1128019)

      > maybe include a small microfiber cloth attached to the kiosk / ATM / whatever to clean it with

      Yeah, because no-one is ever going to try to steal/rip from the chain/burn/destroy/cover with sticky stuff a cloth on a bit of string at an outside terminal! As it is they have to chain up pens inside the bank in case someone steals it.

      • Your point is valid, but I think far more people would absent-mindedly walk off with pens with no intent for theft! Since I can never keep up with my own pens, maybe I should chain one to my desk! I always walk off with them and set them down in odd places!

      • by delinear (991444)
        There are better ways to manage cleaning the screen, but even with this approach if you saw the cloth had been destroyed you might be a little more cautious when using the terminal (wipe it with a tissue or a sleeve or something just in case someone's gone to the trouble of removing the wiping mechanism for a reason).
    • Re: (Score:2, Insightful)

      by tokul (682258)

      > maybe include a small microfiber cloth attached to the kiosk

      That cloth will soon become virus/bacteria farm instead of being security feature.

    • by d3ac0n (715594)

      Or, you know, you could just buy a phone WITH A KEYBOARD.

      Seriously, typing on the screen sucks, screen smudges and attacks based on them notwithstanding.

      • by delinear (991444)
        Actually I can probably "Swype [swypeinc.com]" faster than I can type on a phone keyboard these days. I always thought the Google password lock was more of a fun feature than serious security, anyway - kind of like those diaries kids get with the chunky plastic locks, they wouldn't stand up to a serious attack but they'd stop the casual intrusion. There are plenty of alternative security solutions for Android phones if it's a real consideration (including buying an Android phone with a physical keyboard if you're really wo
    • Or get an iPhone. Yes in theory the smug attack still exists. However it looks that much better than the Android plastic molded kiddy toys that the owner after is done using it cleans the glass just to keep the phone looking presentable.

      • Re: (Score:3, Funny)

        by Dragonslicer (991472)

        > Or get an iPhone. Yes in theory the smug attack still exists.

        Oh, I'm pretty sure that there's no "in theory" about it.

    • This has already been done. The first I personally encountered such was in a then-new university building in the mid-90's. It had security panels at various points with individual illuminated LED display buttons. When not active, each button face was a rather enigmatic black. On the first press, the panels would "wake up", make (I kid you not) a sci-fi show warbling sound and scrambling animation on each keyface, then present a set of shuffled digits on the various keys. Each press reshuffled the displ

    • > It would be easy enough to implement an alphanumeric password on a keyboard that's always a different shape / place on the screen. Or just instruct users to wipe their hand across the screen a few times on public touchscreens - maybe include a small microfiber cloth attached to the kiosk / ATM / whatever to clean it with.

      Knew about this idea many years ago from spy movies/police shows. The cops/spies needed the combo to open a door/safe/whatever...so they blew/sprinkled dust on the keypad and got in. Too bad people haven't been paying attention all these years and guess it's a slow day.

    • Or a simple software fix: After you type in the correct number of code digits (or hit enter), then the digits that you *didn't* use light up, and you have to press each of them (and hit enter again) to access the device. Still *somewhat* vulnerable to "wear" detection, but much improved.
  • by Gruturo (141223) on Wednesday August 11, 2010 @08:04AM (#33214292)

    Just randomize the keyboard every time, bam, smudges are now useless. Or use Apple's oleophobic display coating (http://iphoneindia.gyanin.com/2009/06/11/iphone-3gs-gets-oleophobic-coating-whats-this-oleophobic-coating/) assuming it's good enough to thwart this attack.

    • by MikeCamel (6264) on Wednesday August 11, 2010 @08:20AM (#33214448) Homepage

      A couple of issues with this.

      1) the Android set-up doesn't actually use a keyboard: just dots, which you're supposed to join in the same order.
      2) I believe that there are patents around the randomising idea.

      I'm certainly aware of this issue on my Android phone. The fact that you're supposed to keep your finger on the screen as you join the dots means that there's often a pretty clear track, even if you have clean hands. And you can tell the order in which tracks were made if you have one which crosses over another.

      I quite like the technology, but it's good to be reminded of the possible dangers. I'll keep wiping mine once I've logged in.

      • by Tukz (664339)

        As the summary states, Android 2.2 offers an alphanumeric option.
        It uses an actual (T9) keyboard.

        I'd assume it wouldn't be too hard to make an app that randomizes that keyboard or implements one that is randomized.

        • Actually the alphanumeric password in Android uses a full keyboard. There is also a new PIN option in 2.2 which uses a number pad.

      • by blincoln (592401)

        > I believe that there are patents around the randomising idea.

        There are active patents on randomizing the order of digits on a numeric keypad-based lock? Point of No Return [imdb.com] had a shot with a randomized-order touch-screen lock in 1993, and I'd be a bit surprised if the idea was invented by the prop department for that film.

      • by drinkypoo (153816)

        > 1) the Android set-up doesn't actually use a keyboard: just dots, which you're supposed to join in the same order.

        Change them to symbols (pictures?) which must be connected in order, and randomize their positions, you're done. See sibling for prior art.

      • > 2) I believe that there are patents around the randomising idea.

        Yeah, there are. I came up with a variation on the idea I called wokkey [bfccomputing.com] which I used for the times when I was left with no option but to use a "cybercafe" terminal for logging into my accounts. I had a patch against SquirrelMail for a while, worked fine, but it's slow and onerous, so only useful for the paranoid, not the android users.

    • by Brandee07 (964634)

      Just a bit of empirical data here: On an iPhone 4 with the oleophobic coating, I traced an android-style unlock pattern with my thumb, and an oil trail was visible on the screen that showed me exactly the pattern I traced.

      This makes sense, since oleophobic coatings do not prevent your fingers from secreting oils, nor from depositing those oils on nice glass surfaces. They only make it easier to wipe the oil away. It looks like this study took into account that smudges may be obscured due to phones generally

    • by BobMcD (601576)

      Or require a keyfob authenticator, like a certain wildly popular MMO and/or your more responsible employers do. This randomizes the necessary input, rather than the layout of the screen. You could also have it ask you a series of questions. Or randomize photos and ask you to pick the one tied to the word you input when you set it all up. The list is really endless, all while leaving the keyboard in place.

    • by delinear (991444)
      I wonder if they accounted for subsequent user actions once they've unlocked the phone (as far as I know the swipe only unlocks, you can lock by just hitting the power key right?). It's got to be pretty rare that a user will activate their phone and then do nothing with it, just lock it again - I guess when checking the time but you don't need to unlock the phone for that, it could be handled with a different mechanism, i.e. if the phone is locked and you hit the power key it just shows the time for 10 seco
  • Well, maybe ... (Score:2, Insightful)

    by krzysz00 (1842280)
    ... people could either wipe down touchscreens after use, WASH THEIR HANDS, or the public ones could have a cloth or something to remove smudges.
    • Re: (Score:3, Insightful)

      by ihatejobs (1765190)
      You haven't used a touchscreen phone if you really think keeping it clean is as simple as washing your hands.
    • I've found btw - that the drier your hands are - the less they leave a smudge on the screen (that's my experience with the Droid-X) - immediately after washing your hands you're probably more likely to smudge the screen.

      The good news is the smudges wipe clean with a shirt tail or similar cloth.

    • by yyxx (1812612)

      Producing oil is part of the normal function of human skin. If your skin doesn't do it, you're either a robot or very, very sick.

  • by MazTaim (1376)

    I actually thought this was common knowledge for many years now. One of the biggest flawed security screens is the connect-the-dots unlock screen for Android. To really highlight that, just clean up the screen and attempt to unlock. Look at screen from the side. You should see smudges AND streaks. Those streaks can help you easily make out the direction to move in.

    • Re: (Score:2, Insightful)

      by arcsimm (1084173)
      I was surprised this is news as well. Dusting keypad locks to see which keys are used most often isn't unheard of, and this just seems like a variation on that.
  • No shit? If you draw something with an object that leaves residue you can see what you had drawn. With my new xt720 I noticed this day one. Either cleaning the screen or simply "smudging the smudges" by just "scribbling" out the grease smear works great. Although, over time I can see the protector being physically altered in the same pattern as my swipe code. I guess then you just replace the protector.

    But seriously, this is as obvious as saying that walking in sand or snow allows people to follow you.

  • by Rob the Bold (788862) on Wednesday August 11, 2010 @08:23AM (#33214484)

    This isn't really that different from the case of push-button locks that are subject to "wear attacks", is it? You know, just check to see which of the 5 or so buttons are most worn/polished/dirty. If it's 3 of them, you've only got to try 6 permutations -- maximum -- to open it. Worked fine in my wife's hospital room for the locked supply drawer. Two tries. All the bandaids and gauze I wanted.

    I'd say this case is much harder to fix than the touchscreen, given the "randomize" suggestion above. Sure it's a little bit of a pain, but not that bad if security is actually important.

    • Re: (Score:3, Interesting)

      by swb (14022)

      Yes, I've made use of this myself and have also seen it done similarly in films where the keypad is sprayed with a UV luminescent spray; when illuminated you can easily see which keys are pressed and which aren't.

      The obvious "solution" is to require all buttons be pressed (ie, 6 button keypad means 6 digit combinations). One of my gun safes uses an Ilco mechanical lock and you have to push all the buttons; it does allow you to cut the "length" of the combination by using two-button presses as a single comb

  • I'm sure the few of you who saw National Treasure remember the scene where Nicolas Cage is standing in front of a touchscreen keypad used to gain access to the secure documents room. He shines a light on the keyboard and the keys which Abigail Chase (played by Diane Kruger, mmmmmmm, Diane Kruger) had touched for her password were lit up.

    While National Treasure used a fluorescing powder to identify which key was pressed, the principle is the same.

  • ...from an episode of MacGyver.

  • Practically (Score:3, Insightful)

    by pinkushun (1467193) on Wednesday August 11, 2010 @08:33AM (#33214608) Journal

    Does this mean I should stop eating chocolate while using my touchscreen toy? :/

    No seriously, it might work 92% of the time, but that's assuming the user just unlocked and did not use the device. Using it would introduce noise and break the unlock-smudges, dropping the percentage closer to zero the more they use it.

  • by quatin (1589389) on Wednesday August 11, 2010 @08:34AM (#33214628)

    This comes as no surprise. Most people draw simple shapes on the graphical pattern lock. Would you be surprised if your computer was hacked if you set the password to "1234"?

    For example, how many of you have drawn a triangle as your pattern? I know I did the first time I used my android phone. Then a few weeks later, when I was on an airplane, I watched a senior gentleman pull out his smart phone and draw the exact same pattern lock as me.

    I then sat down and pondered the complexity of passwords using a graphical pattern lock. There are only 9 buttons to use and for most people they tend to only use adjacent buttons when drawing. If one were confined to this set of rules, the passwords would all be linear and simple geometric shapes. However, I figured out through trial and error, that you can actually double back on buttons you've activated and activate buttons that are non-adjacent to active ones by drawing in the blank space in between buttons. This should be a criterion for a strong graphical pattern lock, just like how there are requirements for strong alpha-numerical password locks. You should always have at least one double back button and one non-adjacent button as part of the pattern lock. This way the smudges left on your phone are non-linear.

    • by Rhaban (987410)

      My first pattern was a big Z.

    • by PitaBred (632671)

      I concur. Not gonna brag, but I never liked the simple shapes... always thought it would be too easy to guess.

      One of the connections on my code is from the top row, far left dot to the middle row, far right dot. It's possible, uncommon, and makes a very hard to guess pattern while still being pretty easy to unlock with one hand, IMHO. Just to help illustrate your non-adjacent comment.

    • Re: (Score:3, Interesting)

      by unixan (800014)

      > However, I figured out through trial and error, that you can actually double back on buttons you've activated and activate buttons that are non-adjacent to active ones by drawing in the blank space in between buttons. This should be a criterion for a strong graphical pattern lock

      I also noticed this, shortly after I got the idea to use an unlock pattern. Once you noticed those two aspects (ability to draw between buttons, and harmlessly slide over already-activated buttons), the permutations multiply.

      With those in mind, here is how unique a randomized unlock pattern can be:
      4 dots = 1624 permutations (as weak as a 3 number password!)
      5 dots = 7152 permutations (much better, but not by far)
      6 dots = 26016 permutations (at least as strong as a 4-digit bank card PIN)
      7 dots = 1407
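
Added example, not part of the original thread or of the researchers' paper: a Python count of the unlock-pattern keyspace that the comments above by quatin and unixan reason about. It assumes the rules those comments describe (3x3 grid, each dot used once, a stroke may pass over an already-used dot but cannot jump an unused one, 4 to 9 dots); all function names are made up for this sketch.

```python
"""Keyspace of a 3x3 connect-the-dots unlock pattern (illustrative sketch)."""
from functools import lru_cache
from math import log2

GRID = 3  # dots are numbered 0..8, row by row


def midpoint(a, b):
    """Dot lying exactly halfway between a and b, or None if there is none."""
    ar, ac = divmod(a, GRID)
    br, bc = divmod(b, GRID)
    if a != b and (ar + br) % 2 == 0 and (ac + bc) % 2 == 0:
        return (ar + br) // 2 * GRID + (ac + bc) // 2
    return None


def step_allowed(last, nxt, visited):
    """nxt must be unused, and any dot the stroke crosses must be used."""
    if visited & (1 << nxt):
        return False
    mid = midpoint(last, nxt)
    return mid is None or bool(visited & (1 << mid))


def is_valid_pattern(dots):
    """Check a concrete pattern, given as a list of dot numbers."""
    if not dots or any(d not in range(GRID * GRID) for d in dots):
        return False
    visited = 1 << dots[0]
    for last, nxt in zip(dots, dots[1:]):
        if not step_allowed(last, nxt, visited):
            return False
        visited |= 1 << nxt
    return True


def has_nonadjacent_move(dots):
    """True if some stroke lands on a dot that is not a grid neighbour."""
    for a, b in zip(dots, dots[1:]):
        (ar, ac), (br, bc) = divmod(a, GRID), divmod(b, GRID)
        if abs(ar - br) > 1 or abs(ac - bc) > 1:
            return True
    return False


@lru_cache(maxsize=None)
def _extend(last, visited, remaining):
    """Number of ways to add `remaining` more dots after `last`."""
    if remaining == 0:
        return 1
    return sum(
        _extend(nxt, visited | (1 << nxt), remaining - 1)
        for nxt in range(GRID * GRID)
        if step_allowed(last, nxt, visited)
    )


def count_patterns(length):
    """Number of valid patterns that use exactly `length` dots."""
    return sum(_extend(s, 1 << s, length - 1) for s in range(GRID * GRID))


def keyspace(min_len=4, max_len=9):
    """Map pattern length -> number of valid patterns."""
    return {n: count_patterns(n) for n in range(min_len, max_len + 1)}


if __name__ == "__main__":
    table = keyspace()
    for n, count in table.items():
        print(f"{n} dots: {count:>7} patterns ({log2(count):.1f} bits)")
    total = sum(table.values())
    print(f"total:  {total:>7} patterns ({log2(total):.1f} bits)")
```
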

  • by Pioto (933065)
    Scanning for heat trails... that reminds me of Cyberia [wikipedia.org]...
    • by Syberz (1170343)

      > Scanning for heat trails... that reminds me of Cyberia...

      The first thought that popped in my head was of Splinter Cell.

  • Every spy movie ever made called, and they want their 'we can tell where your fingers were' concept back. Seriously, 'touch screen' does NOT make this new. People have been worried about this with keypads and the like for AGES.

  • I could market Security Slugs. You buy one and then let it crawl across your screen after it is locked, thereby messing up the smudge-crackers' attempts at determining the unlock code.

    Of course, there are some pre-release obstacles to overcome. In initial tests, people really were creeped out by trying to talk on their phones after the slugs left their slime trails. Perhaps I need to send this one back to R&D...
  • ...I have yet to encounter an ATM where the PIN entry was on the touch screen. I live in the NE US; can anyone confirm if they have actually run into ATMs where the only input device was a touch screen? - I believe (at least in the US) that this would be against the Americans with Disabilities Act (ADA).
    • by avm (660)

      Lots of POS terminals in grocery stores and the like use touchscreens for PIN entry, often with a stylus. Easy to shoulder surf as well, with the onscreen buttons changing colors when pressed.

    • by natehoy (1608657)

      You're right, an ATM with a touchscreen would be an instant ADA fail, since putting braille on a touchscreen would be somewhat difficult.

      That aside...

      An ATM would be a lot harder to crack, because lots of people use it so the keys are going to be somewhat more randomly-used (since everyone has a different PIN).

      The only way of using this would be to put a shim on the ATM to read the magstripe, then some sort of substance on the keypad, and then go back and determine which keys were pressed between each use o

    • by mcgrew (92797) *

      > I believe (at least in the US) that this would be against the Americans with Disabilities Act (ADA).

      How so? If you can press a button you can touch a screen.

    • "Only"? No, I've not seen that. Drive-up ATM's have the touchscreen as well as the Braille buttons around here (Denver).
  • Give a hacker physical access to any device and they will eventually find a way to crack it.

    It amazes me that scientists and journalists phrase this as an "attack." It normally takes an act of thievery or an "attack" on the street to lose your phone. If you lose your phone, you're fucked anyway, right? The lock on a phone is meant as a casual lock for someone who just happens to walk by and wants to sneak a peek. In fact wouldn't it be easier to plug the phone in via USB and hack it that way, perhaps by m

    • by Fred IV (587429)

      > Give a hacker physical access to any device and they will eventually find a way to crack it....In fact wouldn't it be easier to plug the phone in via USB and hack it that way, perhaps by mounting it as a hard drive and messing with the contents?

      True, but at least my android phone defaults to charge only mode when plugged in via USB (default action is user-configurable). I need to unlock it after plugging it in to mount it as a drive.

  • The solution for me is to use a PIN lock application instead - the point-smudges from this would be far less distinguishable from those left by normal touchscreen use. Android 2.2 (Froyo) includes this option, as does CyanogenMod (5.0+ I think), but unfortunately also makes it harder for custom lockscreen apps.

    For those still using Android 2.1 or lower - any pointers to secure lockscreen replacement apps with PIN locks? There are many without the PIN lock, but I haven't found one that has a PIN lock and i

    • by mlts (1038732) *

      My Cliq with Android 1.6 had the ability to use a PIN lock. Ideally, it would be nice to have 4-5 types of lock options:

      1: Pick x amount of pictures from a 3x3 or 4x4 array. The pictures will be randomly placed, and the user just selects the ones he or she has marked, and either 1 or more will show up.

      2: Normal PIN.

      3: Password entry. I know some people who have sensitive enough information that a solid password is a must. Perhaps have the option for the keys to be randomly placed.

      4: Click places in

  • I've known about this vulnerability for quite a long time. Although not exactly the same thing, touch-pad door locks also had this problem. You had 10 keys and let's say 4 keystrokes. In theory that gives 10 ** 4 combinations. The problem comes after an extended period of use... The paint on the keys you use gets worn off and it becomes quite obvious which 4 keys are used. Now the possible combinations are reduced from 10000 to 256. Sure, it would take patience to open the lock but opening the lock is

  • I've got a G1, and had an Invisishield on it from the moment I carried it. Smudges are almost imperceptible on that stuff. I am not a seller for Zagg or Invisishield, just a customer.

    But I scored a banged-up G1 as a root/test/spare, and while it needs a new housing, the bare screen shows smudges really badly. If I locked it, a monkey could guess the pattern. Maybe even a pickpocket could.

    Try using a screen protector.

  • I believe the first report was on the security based reality show titled "Get Smart" in the 60's
  • It used to be only super burglars needed to don the (invariably black) gloves and/or wipe their fingerprints from every surface. Now, it's become a common concern.

    I can see it now, nestled eye-level with the toothbrushes and mouthwash, in a spring green box with a smart creme-colored swoosh on the side:

    SWASN'T ME! (tm)
    retractable screen wipes
    (attractive wrist band included!)

    A joint venture between Swifter and Swatch, of course...

  • ... on an episode of MacGyver?

    Except, I think he used drywall dust from the nearest wall (always carry a knife) instead of photo tricks to 'bump up the contrast.'

  • If someone can get your phone long enough to take these pictures of its screen, they can probably get into its cache of secrets. This is why phones should have more security features ensuring it doesn't leave its owner's possession without permission or for very long, and wipe all confidential info (including resetting remote passwords the phone had access to in cleartext).

    When phones are locked down better, they'll be better "universal keys" to all the other devices we have to access. I wish my phone held

  • I always (because I'm like that) wipe down my 3GS (a simple swipe on cotton pant or shirt does the trick) after using it for any period, to remove the marks and make the screen clear. Because of the oleophobic screen coating, with my 3GS, it's completely easy and now a habit. I find I do it even if the screen isn't necessarily dirty, just muscle memory.

    This would, IMHO, quite effectively counter smudge attacks as there wouldn't be any smudges on my device.

    Do any Android devices have oleophobic screens? I
