Touchscreens Open To Smudge Attacks
nk497 writes "The smudges left behind on touchscreen devices could be used to decipher passwords to gain access, according to researchers at the University of Pennsylvania. The report tested the idea out (PDF) on Android phones, which use a graphical pattern that the user traces to unlock the handset. The researchers took photos of the smudge trails left on the screen and bumped up the contrast, finding they could unlock the phone 92% of the time. While they noted Android 2.2 also offers an alphanumeric password option, the researchers claimed such a smudge attack could be used against other touchscreen interfaces, including bank machines and voting machines. 'In future work, we intend to investigate other devices that may be susceptible, and varied smudge attack styles, such as heat trails caused by the heat transfer of a finger touching a screen,' they said."
It would be easy enough to implement an alphanumeric password on a keyboard that's always a different shape / place on the screen. Or just instruct users to wipe their hand across the screen a few times on public touchscreens - maybe include a small microfiber cloth attached to the kiosk / ATM / whatever to clean it with.
Just randomize the keyboard every time, bam, smudges are now useless. Or use Apple's oleophobic display coating (http://iphoneindia.gyanin.com/2009/06/11/iphone-3gs-gets-oleophobic-coating-whats-this-oleophobic-coating/) assuming it's good enough to thwart this attack.
Vacuum cleaners suck. Kings rule.
... people could either wipe down touchscreens after use, WASH THEIR HANDS, or the public ones could have a cloth or something to remove smudges.
My daughter's phone is locked with the pattern thing and I was amused that I could easily read it from the smudges.
I have the same phone model but I don't bother to lock it. There's nothing on it anyway.
I actually thought this was common knowledge for many years now. One of the biggest flawed security screens is the connect-the-dots unlock screen for Android. To really highlight that, just clean up the screen and attempt to unlock. Look at screen from the side. You should see smudges AND streaks. Those streaks can help you easily make out the direction to move in.
No shit? If you draw something with an object that leaves residue you can see what you had drawn. With my new xt720 I noticed this day one. Either cleaning the screen or simply "smudging the smudges" by just "scribbling" out the grease smear works great. Although, over time I can see the protector being physically altered in the same pattern as my swipe code. I guess then you just replace the protector.
But seriously, this is as obvious as saying that walking in sand or snow allows people to follow you. How insightful.
You won't believe how many times I clean my iPhone screen on a single day. I carry around a blue cleaning pad with me at all times. I guess you could say that borderline OCD would be the solution. =)
http://nyewin.org http://nyexug.com http://nycsqlusergroup.com http://nylug.org
This isn't really that different from the case of push-button locks that are subject to "wear attacks", is it? You know, just check to see which of the 5 or so buttons are most worn/polished/dirty. If it's 3 of them, you've only got to try 6 permutations -- maximum -- to open it. Worked fine in my wife's hospital room for the locked supply drawer. Two tries. All the bandaids and gauze I wanted.
I'd say this case is much harder to fix than the touchscreen, given the "randomize" suggestion above. Sure it's a little bit of a pain, but not that bad if security is actually important.
I am not a crackpot.
This is a classic and not new. I have seen the use of gummy bears to beat fingerprint readers etc, which are all smudge style attacks. The problem with their paper is, it is not practical. If the touchscreens have smudges, they are going to have a lot of them! The problem with their experiment is that they do not take into account the amount of use and abuse the touchscreens get. They only have 'holding the phone up to face' action. So, if somebody ONLY uses their touchscreen Android phone for only unlocking their phone and holding it up to their face, they deserve to have their unlock pattern stolen...
I'm sure the few of you who saw National Treasure remember the scene where Nicolas Cage is standing in front of a touchscreen keypad used to gain access to the secure documents room. He shines a light on the keyboard and the keys which Abigail Chase (played by Diane Kruger, mmmmmmm, Diane Kruger) had touched for her password were lit up.
While National Treasure used a fluorescing powder to identify which key was pressed, the principle is the same.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
...from an episode of MacGyver.
It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
NT
SecurID cards (one-time password generators) are like that, only worse because the only time you touch it is to enter your PIN.
If someone watches you enter your password over your shoulder, they'll know your password! Also, if you say the password out-loud when you enter it, someone may overhear you.
Does this mean I should stop eating chocolate while using my touchscreen toy? :/
No seriously, it might work 92% of the time, but that's assuming the user just unlocked and did not use the device. Using it would introduce noise and break the unlock-smudges, dropping the percentage closer to zero the more they use it.
Never clean your touchscreen.
This comes as no surprise. Most people draw simple shapes on the graphical pattern lock. Would you be surprised if your computer was hacked if you set the password to "1234"?
For example, how many of you have drawn a triangle as your pattern? I know I did the first time I used my android phone. Then a few weeks later, when I was on an airplane, I watched a senior gentleman pull out his smart phone and draw the exact same pattern lock as me.
I then sat down and pondered the complexity of passwords using a graphical pattern lock. There's only 9 buttons to use and for most people they tend to only use adjacent buttons when drawing. If one were confined to this set of rules, the passwords would all be linear and simple geometric shapes. However, I figured out through trial and error, that you can actually double back on buttons you've activated and activate buttons that are non-adjacent to active ones by drawing in the blank space in between buttons. This should be a criterion for a strong graphical pattern lock, just like how there's requirements for strong alpha-numerical password locks. You should always have at least one double back button and one non-adjacent button as part of the pattern lock. This way the smudges left on your phone are non-linear.
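Added example (not part of the original thread or of the paper it discusses): the comment above weighs how much a smudge gives away about a pattern, and this Python sketch measures it by counting how many patterns stay consistent with what is visible. It assumes the commonly described lock-screen rules (3x3 grid, 4 to 9 dots, each dot used once, a stroke may cross a dot only if that dot is already part of the pattern); the function names and the sample trail are constructed for illustration.

```python
from itertools import permutations

# Dots are numbered 0..8, row by row. MID[(a, b)] is the dot lying exactly
# between a and b (e.g. 1 between 0 and 2); pairs with no such dot are absent.
MID = {}
for a in range(9):
    for b in range(9):
        (r1, c1), (r2, c2) = divmod(a, 3), divmod(b, 3)
        if a != b and (r1 + r2) % 2 == 0 and (c1 + c2) % 2 == 0:
            MID[(a, b)] = (r1 + r2) // 2 * 3 + (c1 + c2) // 2

def can_extend(prefix, dot):
    """Assumed rule: no dot twice, and no jumping over an unvisited dot."""
    if dot in prefix:
        return False
    if not prefix:
        return True
    mid = MID.get((prefix[-1], dot))
    return mid is None or mid in prefix

def is_valid(seq):
    return all(can_extend(seq[:i], seq[i]) for i in range(len(seq)))

def keyspace(min_len=4, max_len=9, prefix=()):
    """Count every valid pattern of min_len..max_len dots (depth-first)."""
    total = 1 if len(prefix) >= min_len else 0
    if len(prefix) < max_len:
        for dot in range(9):
            if can_extend(prefix, dot):
                total += keyspace(min_len, max_len, prefix + (dot,))
    return total

def patterns_over(dots):
    """Valid patterns visiting exactly these dots (only the dots are known)."""
    return [p for p in permutations(sorted(dots)) if is_valid(p)]

def segments(pattern):
    """Undirected stroke set that a trace leaves on the glass."""
    return frozenset(frozenset(s) for s in zip(pattern, pattern[1:]))

def consistent_with_trail(trail):
    """Patterns whose strokes match an observed trail (direction unknown)."""
    dots = set().union(*trail)
    return [p for p in patterns_over(dots) if segments(p) == trail]

if __name__ == "__main__":
    trail = segments((0, 1, 2, 5, 8))  # constructed sample: top row, then down the right side
    print("full keyspace:", keyspace())
    print("same five dots, order unknown:", len(patterns_over({0, 1, 2, 5, 8})))
    print("same strokes, direction unknown:", len(consistent_with_trail(trail)))
```

For the constructed L-shaped trace, knowing only which five dots were touched leaves 40 candidates out of 389,112, and knowing the strokes leaves 2, one per drawing direction.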
Scanning for heat trails... that reminds me of Cyberia...
Whenever I go somewhere and leave my Droid on the desk at work, I put a little poo on the screen. Best. Defense. Ever. against someone taking it and trying to figure out my pass swipe pattern.
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
Requiring the trace to start and stop at the same spot could help. The complexity would increase with each vertex. A simple square would result in 8 possible swipes.
For tv shows like Burn Notice, but I'll just keep using my handy microfiber data encryption algorithm cloth. It's also handy for cleaning eyeglasses too.
But I don't use it for security, but rather to prevent accidentally doing anything while the phone is in my pocket. The normal "slide down to unlock" feature seems to be insufficient to prevent this...
Every spy movie ever made called, and they want their 'we can tell where your fingers were' concept back. Seriously, 'touch screen' does NOT make this new. People have been worried about this with keypads and the like for AGES.
This is why it's important to always, ALWAYS rub your penis (or vaginal juices!) all over the screen as soon as you get it. Not only does that create extra smudging, you are pretty much guaranteed that nobody will want to touch it afterwards.
Monstar L
I could market Security Slugs. You buy one and then let it crawl across your screen after it is locked, thereby messing up the smudge-crackers' attempts at determining the unlock code.
Of course, there are some pre-release obstacles to overcome. In initial tests, people really were creeped out by trying to talk on their phones after the slugs left their slime trails. Perhaps I need to send this one back to R&D...
I use irony whenever I can, but my shirts are still wrinkled...
This really isn't a big deal to me. Anytime somebody gets physical access to a device, they can eventually access the data if they want it bad enough. If somebody steals your computer they can take as much time as they need to break any password you put on it. The same is true of your phone or just about any electronic device. Smudges just make it easier to unlock.
...I have yet to encounter an ATM where the PIN entry was on the touch screen. I live in the NE US; can anyone confirm if they have actually run into ATMs where the only input device was a touch screen? - I believe (at least in the US) that this would be against the Americans with Disabilities Act (ADA).
Give a hacker physical access to any device and they will eventually find a way to crack it.
It amazes me that scientists and journalists phrase this as an "attack." It normally takes an act of thievery or an "attack" on the street to lose your phone. If you lose your phone, you're fucked anyway, right? The lock on a phone is meant as a casual lock for someone who just happens to walk by and wants to sneak a peek. In fact wouldn't it be easier to plug the phone in via USB and hack it that way, perhaps by mounting it as a hard drive and messing with the contents?
Nice academic study, but not that big of a deal.
"All great wisdom is contained in .signature files"
The solution for me is to use a PIN lock application instead - the point-smudges from this would be far less distinguishable from those left by normal touchscreen use. Android 2.2 (Froyo) includes this option, as does CyanogenMod (5.0+ I think), but unfortunately also makes it harder for custom lockscreen apps.
For those still using Android 2.1 or lower - any pointers to secure lockscreen replacement apps with PIN locks? There are many without the PIN lock, but I haven't found one that has a PIN lock and is not trivially bypassed.
It would be easy enough to implement an alphanumeric password on a keyboard that's always [...] different ...
This is actually a standard solution to numeric key combo entry systems in high security zones. Use a standard keyboard shape, but just randomize the key position values (like swapping qwerty / dvorak but more random). Why this isn't done already is simply mind boggling. But then I don't have a cell phone <sigh>.
I've known about this vulnerability for quite a long time. Although not exactly the same thing, touch-pad door locks also had this problem. You had 10 keys and let's say 4 keystrokes. In theory that gives 10 ** 4 combinations. The problem comes after an extended period of use... The paint on the keys you use gets worn off and it becomes quite obvious which 4 keys are used. Now the possible combinations are reduced from 10000 to 256. Sure, it would take patience to open the lock but opening the lock is now feasible.
This issue is quite clear, I considered it trivial when I got my touchscreen Android. Smudges are visible, so it leaves one with two options. 1. Keep your screen clear. 2. Create a touch pattern that will at least once touch the pattern drawn earlier (for example 1,5 circles instead of one).
But of course as long as we have people who don't change their default PINs from 0000 or 1234 to anything useful, we will also have people who don't change their patterns to anything that actually makes sense. Oh the human nature x-)
A bit off-topic:
Similar things happened in the early 90's with those old numerical access panels next to doorways. After a few years the code would be clearly visible as the related buttons were physically worn out. Solution to this was to start using digital numbering on the buttons - they would change places after every input.
EDIT: My colleague just reminded me that there are still apartment blocks even TODAY with these antiquated access panels here in Amsterdam. One can easily enter the building or yard just by guessing in which order the worn out buttons were pressed... Maybe that's intended as indirect help for the homeless people. Not to mention burglars, of course.
I've got a G1, and had an Invisishield on it from the moment I carried it. Smudges are almost imperceptible on that stuff. I am not a seller for Zagg or Invisishield, just a customer.
But I scored a banged-up G1 as a root/test/spare, and while it needs a new housing, the bare screen shows smudges really badly. If I locked it, a monkey could guess the pattern. Maybe even a pickpocket could.
Try using a screen protector.
deleting the extra space after periods so i can stay relevant, yeah.
I believe the first report was on the security based reality show titled "Get Smart" in the 60's
6.8SPC TR of 550, l xwind at 6, drift rt at 26" drops 77". AT has 503 ft-lbs at 1403 fps. FT 0.86
It used to be only super burglars needed to don the (invariably black) gloves and/or wipe their fingerprints from every surface. Now, it's become a common concern.
I can see it now, nestled eye-level with the toothbrushes and mouthwash, in a spring green box with a smart creme-colored swoosh on the side:
A joint venture between Swifter and Swatch, of course...
... on an episode of MacGyver?
Except, I think he used drywall dust from the nearest wall (always carry a knife) instead of photo tricks to 'bump up the contrast.'
Code softly but carry a big magnet.
Woot!! :D
If someone can get your phone long enough to take these pictures of its screen, they can probably get into its cache of secrets. This is why phones should have more security features ensuring it doesn't leave its owner's possession without permission or for very long, and wipe all confidential info (including resetting remote passwords the phone had access to in cleartext).
When phones are locked down better, they'll be better "universal keys" to all the other devices we have to access. I wish my phone held a local log of every attempted access of every account of mine around the Internet, local logs of all financial transactions, or at least notifications on the phone that are logged at a remote server the phone can immediately access. For example, I hate having to rely on my bank to faithfully report all account activity, when my bank has been wrong / lied in the past in ways that have cost me money, and perhaps compromised my ID.
--
make install -not war
This would, IMHO, quite effectively counter smudge attacks as there wouldn't be any smudges on my device.
Do any Android devices have oleophobic screens? If not, maybe something like this would work (not sure in practice how it would fare).
Make sure everyone's vote counts: Verified Voting
... had a policy where the combo was changed every time someone with access rotated out of the organization, or every 90 days, whichever came first. So in practice, wear patterns on the keys weren't an issue.
I routinely wipe my touchscreen devices with my butt. IF any smudge detector can figure that out, they deserve my password.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
I, as a gamer, have seen some popular MMO games that require a PIN, either numbers, letters, or a combination. There is a catch, every time you click a character, the letters/numbers on the screen rearrange. Just set a feature to rearrange the characters and that basically fixes the visual tracing. Now just got to buy a private filter, like for monitors, and put it on your phone so no one can find out your SSN, phone number, or card pin number.
Having recently gotten an android phone, I have to wonder why nobody has written a locker that simply tracks phone orientation changes through some movement pattern rather than the touchscreen. There'd be no smudges (so better security and a cleaner screen), and it should be quicker. Kinda like using a secret handshake to unlock your phone. Example passcode: +x, -y, -z, +y (750 possibilities for a four movement code, more if you get fancier in movement tracking).
Go to Canada or mid Africa and they are totally unable to crack your iPhone, using "tracking heat trails" technique. :-)
Well, why not show a randomized keyboard? This one is not at all difficult, you could have infinite variations that could protect your passcode.
But as usual, they try to emulate the real keypad with fixed digits.
Also this would force people into actually remembering their passcodes instead of the key-pattern made by their passcodes.
Ben Gates and Riley Poole are one step ahead of you. They've already used a smudge attack to crack a password and get into a restricted area of the National Archives.