Slashdot Mirror

← Back to Stories (view on slashdot.org)

Touchscreens Open To Smudge Attacks

Posted by CmdrTaco on from the windex-security dept.

nk497 writes "The smudges left behind on touchscreen devices could be used to decipher passwords to gain access, according to researchers at the University of Pennsylvania. The report tested the idea out (PDF) on Android phones, which use a graphical pattern that the user traces to unlock the handset. The researchers took photos of the smudge trails left on the screen and bumped up the contrast, finding they could unlock the phone 92% of the time. While they noted Android 2.2 also offers an alphanumeric password option, the researchers claimed such a smudge attack could be used against other touchscreen interfaces, including bank machines and voting machines. 'In future work, we intend to investigate other devices that may be susceptible, and varied smudge attack styles, such as heat trails caused by the heat transfer of a finger touching a screen,' they said."

8 of 185 comments (clear)

  1. Rather simple fix by Halifax+Samuels · · Score: 5, Insightful

    It would be easy enough to implement an alphanumeric password on a keyboard that's always a different shape / place on the screen. Or just instruct users to wipe their hand across the screen a few times on public touchscreens - maybe include a small microfiber cloth attached to the kiosk / ATM / whatever so clean it with.

    1. Re:Rather simple fix by tokul · · Score: 2, Insightful

      maybe include a small microfiber cloth attached to the kiosk

      That cloth will soon become virus/bacteria farm instead of being security feature.

  2. Just randomize the keyboard every time by Gruturo · · Score: 3, Insightful

    Just randomize the keyboard every time, bam, smudges are now useless. Or use Apple's oleophobic display coating (http://iphoneindia.gyanin.com/2009/06/11/iphone-3gs-gets-oleophobic-coating-whats-this-oleophobic-coating/) assuming it's good enough to thwart this attack.

    --

    Vacuum cleaners suck. Kings rule.
    1. Re:Just randomize the keyboard every time by Anonymous Coward · · Score: 1, Insightful

      And we have the winner! Only downside of randomization I can think of is that it might cause problems for the blind and visually impaired, but then I don't know if the blind can even use touchscreens in the first place, and someone who has a visual impairment serious enough that randomization would cause problems might not be inclined to use touchscreens in the first place.

  3. Well, maybe ... by krzysz00 · · Score: 2, Insightful

    ... people could either wipe down touchscreens after use, WASH THEIR HANDS, or the public ones could have a cloth or something to remove smudges.

    1. Re:Well, maybe ... by ihatejobs · · Score: 3, Insightful

      You haven't used a touchscreen phone if you really think keeping it clean is as simple as washing your hands.

      --
      Can anyone tell me why 99% of /. users are total assclowns?
  4. Practically by pinkushun · · Score: 2, Insightful

    Does this mean I should stop eating chocolate while using my touchscreen toy? :/

    No seriously, it might work 92% of the time, but that's assuming the user just unlocked and did not use the device. Using it would introduce noise and break the unlock-smudges, dropping the percentage closer to zero the more they use it.

  5. Re:Duh by arcsimm · · Score: 2, Insightful

    I was suprised this is news as well. Dusting keypad locks to see which keys are used most often isn't unheard of, and this just seems like a variation on that.