Touchscreens Open To Smudge Attacks

nk497 writes "The smudges left behind on touchscreen devices could be used to decipher passwords to gain access, according to researchers at the University of Pennsylvania. The report tested the idea out (PDF) on Android phones, which use a graphical pattern that the user traces to unlock the handset. The researchers took photos of the smudge trails left on the screen and bumped up the contrast, finding they could unlock the phone 92% of the time. While they noted Android 2.2 also offers an alphanumeric password option, the researchers claimed such a smudge attack could be used against other touchscreen interfaces, including bank machines and voting machines. 'In future work, we intend to investigate other devices that may be susceptible, and varied smudge attack styles, such as heat trails caused by the heat transfer of a finger touching a screen,' they said."

Rather simple fix

[Halifax Samuels]

It would be easy enough to implement an alphanumeric password on a keyboard that's always a different shape / place on the screen. Or just instruct users to wipe their hand across the screen a few times on public touchscreens - maybe include a small microfiber cloth attached to the kiosk / ATM / whatever so clean it with.

Just randomize the keyboard every time

[Gruturo]

Just randomize the keyboard every time, bam, smudges are now useless. Or use Apple's oleophobic display coating (http://iphoneindia.gyanin.com/2009/06/11/iphone-3gs-gets-oleophobic-coating-whats-this-oleophobic-coating/) assuming it's good enough to thwart this attack.

Well, maybe ...

[krzysz00]

... people could either wipe down touchscreens after use, WASH THEIR HANDS, or the public ones could have a cloth or something to remove smudges.

Re:Just randomize the keyboard every time

[Anonymous Coward]

And we have the winner! Only downside of randomization I can think of is that it might cause problems for the blind and visually impaired, but then I don't know if the blind can even use touchscreens in the first place, and someone who has a visual impairment serious enough that randomization would cause problems might not be inclined to use touchscreens in the first place.

Re:Well, maybe ...

[ihatejobs]

You haven't used a touchscreen phone if you really think keeping it clean is as simple as washing your hands.

Practically

[pinkushun]

Does this mean I should stop eating chocolate while using my touchscreen toy? :/

No seriously, it might work 92% of the time, but that's assuming the user just unlocked and did not use the device. Using it would introduce noise and break the unlock-smudges, dropping the percentage closer to zero the more they use it.

Re:Duh

[arcsimm]

I was suprised this is news as well. Dusting keypad locks to see which keys are used most often isn't unheard of, and this just seems like a variation on that.

Re:Rather simple fix

[tokul]

maybe include a small microfiber cloth attached to the kiosk

That cloth will soon become virus/bacteria farm instead of being security feature.