Touchscreens Open To Smudge Attacks
nk497 writes "The smudges left behind on touchscreen devices could be used to decipher passwords to gain access, according to researchers at the University of Pennsylvania. The report tested the idea out (PDF) on Android phones, which use a graphical pattern that the user traces to unlock the handset. The researchers took photos of the smudge trails left on the screen and bumped up the contrast, finding they could unlock the phone 92% of the time. While they noted Android 2.2 also offers an alphanumeric password option, the researchers claimed such a smudge attack could be used against other touchscreen interfaces, including bank machines and voting machines. 'In future work, we intend to investigate other devices that may be susceptible, and varied smudge attack styles, such as heat trails caused by the heat transfer of a finger touching a screen,' they said."
It would be easy enough to implement an alphanumeric password on a keyboard that's always a different shape / place on the screen. Or just instruct users to wipe their hand across the screen a few times on public touchscreens - maybe include a small microfiber cloth attached to the kiosk / ATM / whatever to clean it with.
Just randomize the keyboard every time, bam, smudges are now useless. Or use Apple's oleophobic display coating (http://iphoneindia.gyanin.com/2009/06/11/iphone-3gs-gets-oleophobic-coating-whats-this-oleophobic-coating/) assuming it's good enough to thwart this attack.
Vacuum cleaners suck. Kings rule.
... people could either wipe down touchscreens after use, WASH THEIR HANDS, or the public ones could have a cloth or something to remove smudges.
My daughter's phone is locked with the pattern thing and I was amused that I could easily read it from the smudges.
I have the same phone model but I don't bother to lock it. There's nothing on it anyway.
I actually thought this was common knowledge for many years now. One of the biggest flawed security screens is the connect-the-dots unlock screen for Android. To really highlight that, just clean up the screen and attempt to unlock. Look at screen from the side. You should see smudges AND streaks. Those streaks can help you easily make out the direction to move in.
No shit? If you draw something with an object that leaves residue you can see what you had drawn. With my new xt720 I noticed this day one. Either cleaning the screen or simply "smudging the smudges" by just "scribbling" out the grease smear works great. Although, over time I can see the protector being physically altered in the same pattern as my swipe code. I guess then you just replace the protector.
But seriously, this is as obvious as saying that walking in sand or snow allows people to follow you. How insightful.
You won't believe how many times I clean my iPhone screen on a single day. I carry around a blue cleaning pad with me at all times. I guess you could say that borderline OCD would be the solution. =)
This isn't really that different from the case of push-button locks that are subject to "wear attacks", is it? You know, just check to see which of the 5 or so buttons are most worn/polished/dirty. If it's 3 of them, you've only got to try 6 permutations -- maximum -- to open it. Worked fine in my wife's hospital room for the locked supply drawer. Two tries. All the bandaids and gauze I wanted.
I'd say this case is much harder to fix than the touchscreen, given the "randomize" suggestion above. Sure it's a little bit of a pain, but not that bad if security is actually important.
I am not a crackpot.
This is a classic and not new. I have seen the use of gummy bears to beat fingerprint readers etc, which are all smudge style attacks. The problem with their paper is, it is not practical. If the touchscreens have smudges, they are going to have a lot of them! The problem with their experiment is that they do not take into account the amount of use and abuse the touchscreens get. They only have 'holding the phone up to face' action. So, if somebody ONLY uses their touchscreen Android phone for only unlocking their phone and holding it up to their face, they deserve to have their unlock pattern stolen...
I'm sure the few of you who saw National Treasure remember the scene where Nicolas Cage is standing in front of a touchscreen keypad used to gain access to the secure documents room. He shines a light on the keyboard and the keys which Abigail Chase (played by Diane Kruger, mmmmmmm, Diane Kruger) had touched for her password were lit up.
While National Treasure used a fluorescing powder to identify which key was pressed, the principle is the same.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
...from an episode of MacGyver.
It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
If someone watches you enter your password over your shoulder, they'll know your password! Also, if you say the password out-loud when you enter it, someone may overhear you.
Does this mean I should stop eating chocolate while using my touchscreen toy? :/
No seriously, it might work 92% of the time, but that's assuming the user just unlocked and did not use the device. Using it would introduce noise and break the unlock-smudges, dropping the percentage closer to zero the more they use it.
This comes as no surprise. Most people draw simple shapes on the graphical pattern lock. Would you be surprised if your computer was hacked if you set the password to "1234"?
For example, how many of you have drawn a triangle as your pattern? I know I did the first time I used my android phone. Then a few weeks later, when I was on an airplane, I watched a senior gentleman pull out his smart phone and draw the exact same pattern lock as me.
I then sat down and pondered the complexity of passwords using a graphical pattern lock. There are only 9 buttons to use and for most people they tend to only use adjacent buttons when drawing. If one were confined to this set of rules, the passwords would all be linear and simple geometric shapes. However, I figured out through trial and error, that you can actually double back on buttons you've activated and activate buttons that are non-adjacent to active ones by drawing in the blank space in between buttons. This should be a criterion for a strong graphical pattern lock, just like how there are requirements for strong alpha-numerical password locks. You should always have at least one double back button and one non-adjacent button as part of the pattern lock. This way the smudges left on your phone are non-linear.
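The search-space arithmetic behind the pattern-lock discussion above, as an added example that is not part of the original thread or the researchers' code: it counts the patterns that can be drawn on a 3x3 grid and how few remain once a smudge reveals which dots were used. It assumes the usual Android rules (4 to 9 distinct dots, a stroke may pass over a dot only if that dot is already used); the function names are illustrative.

```python
from itertools import permutations

# Dots are numbered 0..8 row by row. A straight stroke that passes over a
# third dot is accepted only if that middle dot was already used.
MIDDLE = {(a, b): (a + b) // 2
          for a in range(9) for b in range(9)
          if a != b and (a // 3 - b // 3) % 2 == 0 and (a % 3 - b % 3) % 2 == 0}

def is_valid(path):
    """True if the sequence of distinct dots can be drawn on the lock screen."""
    for i in range(1, len(path)):
        mid = MIDDLE.get((path[i - 1], path[i]))
        if mid is not None and mid not in path[:i]:
            return False
    return True

def adjacent(a, b):
    """Neighbouring dots, diagonals included (no stroke over empty space)."""
    return max(abs(a // 3 - b // 3), abs(a % 3 - b % 3)) == 1

def count_patterns(min_len=4, max_len=9, adjacent_only=False):
    """Drawable patterns, optionally limited to neighbour-to-neighbour strokes."""
    total = 0
    for n in range(min_len, max_len + 1):
        for p in permutations(range(9), n):
            if adjacent_only and not all(map(adjacent, p, p[1:])):
                continue
            total += is_valid(p)
    return total

def orderings_of(dots):
    """Patterns left to try when a smudge shows which dots were used, not the order."""
    return sum(is_valid(p) for p in permutations(dots))

if __name__ == "__main__":
    print("all 4-9 dot patterns:    ", count_patterns())
    print("neighbour-only patterns: ", count_patterns(adjacent_only=True))
    # Constructed sample smudges: a 2x2 block, and the top row plus dot 5.
    print("dots {0,1,3,4} visible:  ", orderings_of((0, 1, 3, 4)))
    print("dots {0,1,2,5} visible:  ", orderings_of((0, 1, 2, 5)))
```

Even without stroke direction, knowing the set of dots cuts the space from hundreds of thousands of patterns to a couple of dozen, which is why a guess limit or a wipe-on-failure policy matters more than pattern shape.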
Scanning for heat trails... that reminds me of Cyberia...
Whenever I go somewhere and leave my Droid on the desk at work, I put a little poo on the screen. Best. Defense. Ever. against someone taking it and trying to figure out my pass swipe pattern.
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
For tv shows like Burn Notice, but I'll just keep using my handy microfiber data encryption algorithm cloth. It's also handy for cleaning eyeglasses too.
Every spy movie ever made called, and they want their 'we can tell where your fingers were' concept back. Seriously, 'touch screen' does NOT make this new. People have been worried about this with keypads and the like for AGES.
this is why it's important to always, ALWAYS rub your penis(or vaginal juices!) all over the screen as soon as you get it. Not only does that create extra smudging, you are pretty much guaranteed that nobody will want to touch it afterwards.
Monstar L
I could market Security Slugs. You buy one and then let it crawl across your screen after it is locked, thereby messing up the smudge-crackers' attempts at determining the unlock code.
Of course, there are some pre-release obstacles to overcome. In initial tests, people really were creeped out by trying to talk on their phones after the slugs left their slime trails. Perhaps I need to send this one back to R&D...
I use irony whenever I can, but my shirts are still wrinkled...
...I have yet to encounter an ATM where the PIN entry was on the touch screen. I live in the NE US; can anyone confirm if they have actually run into ATMs where the only input device was a touch screen? - I believe (at least in the US) that this would be against the Americans with Disabilities Act (ADA).
Give a hacker physical access to any device and they will eventually find a way to crack it.
It amazes me that scientists and journalists phrase this as an "attack." It normally takes an act of thievery or an "attack" on the street to lose your phone. If you lose your phone, you're fucked anyway, right? The lock on a phone is meant as a casual lock for someone who just happens to walk by and wants to sneak a peek. In fact wouldn't it be easier to plug the phone in via USB and hack it that way, perhaps by mounting it as a hard drive and messing with the contents?
Nice academic study, but not that big of a deal.
"All great wisdom is contained in .signature files"
The solution for me is to use a PIN lock application instead - the point-smudges from this would be far less distinguishable from those left by normal touchscreen use. Android 2.2 (Froyo) includes this option, as does CyanogenMod (5.0+ I think), but unfortunately also makes it harder for custom lockscreen apps.
For those still using Android 2.1 or lower - any pointers to secure lockscreen replacement apps with PIN locks? There are many without the PIN lock, but I haven't found one that has a PIN lock and is not trivially bypassed.
Very true. The trick is to limit the guesses someone can make. I just wish Android would have the ability to wipe itself after x amount of failed attempts. Blackberries have this, the iPhone does. My old Windows Mobile device even has this functionality. The only way I've seen to do this in Android is to use a third party utility like WaveSecure,
I've known about this vulnerability for quite a long time. Although not exactly the same thing, touch-pad door locks also had this problem. You had 10 keys and let's say 4 keystrokes. In theory that gives 10 ** 4 combinations. The problem comes after an extended period of use... The paint on the keys you use gets worn off and it becomes quite obvious which 4 keys are used. Now the possible combinations are reduced from 10000 to 256. Sure, it would take patience to open the lock but opening the lock is now feasible.
I've got a G1, and had an Invisishield on it from the moment I carried it. Smudges are almost imperceptible on that stuff. I am not a seller for Zagg or Invisishield, just a customer.
But I scored a banged-up G1 as a root/test/spare, and while it needs a new housing, the bare screen shows smudges really badly. If I locked it, a monkey could guess the pattern. Maybe even a pickpocket could.
Try using a screen protector.
deleting the extra space after periods so i can stay relevant, yeah.
I believe the first report was on the security based reality show titled "Get Smart" in the '60s
It used to be only super burglars needed to don the (invariably black) gloves and/or wipe their fingerprints from every surface. Now, it's become a common concern.
I can see it now, nestled eye-level with the toothbrushes and mouthwash, in a spring green box with a smart creme-colored swoosh on the side:
A joint venture between Swifter and Swatch, of course...
I just wish Android would have the ability to wipe itself after x amount of failed attempts.
The Android lacks this? Really? Seriously?
Wow.
Just... wow.
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
... on an episode of MacGyver?
Except, I think he used drywall dust from the nearest wall (always carry a knife) instead of photo tricks to 'bump up the contrast.'
Code softly but carry a big magnet.
The two security features I really want to see as parts of the Android OS are the ability to wipe parts, and the ability to encrypt data. Android 2.2 encrypts apps stored on the SD card, but what I would like to see is the ability to use file by file encryption with EncFS, or encrypt the whole memory card as a block image, using LUKS. This way, if the Android device is hard reset and the encryption keys purged, there wouldn't be a way for the SD card to be useful if the phone falls into the wrong hands.
If someone can get your phone long enough to take these pictures of its screen, they can probably get into its cache of secrets. This is why phones should have more security features ensuring it doesn't leave its owner's possession without permission or for very long, and wipe all confidential info (including resetting remote passwords the phone had access to in cleartext).
When phones are locked down better, they'll be better "universal keys" to all the other devices we have to access. I wish my phone held a local log of every attempted access of every account of mine around the Internet, local logs of all financial transactions, or at least notifications on the phone that are logged at a remote server the phone can immediately access. For example, I hate having to rely on my bank to faithfully report all account activity, when my bank has been wrong / lied in the past in ways that have cost me money, and perhaps compromised my ID.
--
make install -not war
You can't even encrypt the SD card with a self-destructing key? Oh, right, no "x-tries-and-you-die" means no way for the key to self-destruct.
But at least you should be able to encrypt the damned card so removing it from the phone makes it useless.
And yet they encrypt the APPS? The one thing you CAN get from other sources and don't really represent secure data?
My jaw just dropped another inch. I may need surgery to reattach it now. There's room for an albatross to fly in.
Wow, if I was ever offered a choice of phones here at work, I was seriously considering Android. I'm going to have to re-evaluate that if and when the opportunity arises. Those are critical security failures for any phone that contains more than gramma's phone number and pictures of the kids.
This would, IMHO, quite effectively counter smudge attacks as there wouldn't be any smudges on my device.
Do any Android devices have oleophobic screens? If not, maybe something like this would work (not sure in practice how it would fare).
Make sure everyone's vote counts: Verified Voting
Key storage is simple... create a directory on the onboard flash, store a 256 bit nonce from /dev/urandom in there. Then use that to encrypt the EncFS or LUKS image. This way, someone can recover it who is authorized, while on a hard reset, this directory is purged and recreated so the old key is gone. Bonus points in having specific memory "cells" dedicated to storing encryption keys similar to what eTokens have that are easily and thoroughly wiped (no need to worry about wear leveling or data relocation.)
I agree 100% with you, and this is Android's biggest obstacle to replacing Windows Mobile devices and Blackberries in the enterprise.
... had a policy where the combo was changed every time someone with access rotated out of the organization, or every 90 days, whichever came first. So in practice, wear patterns on the keys weren't an issue.
I, as a gamer, have seen some popular MMO games that require a PIN, either numbers, letters, or a combination. There is a catch, every time you click a character, the letters/numbers on the screen rearrange. Just set a feature to rearrange the characters and that basically fixes the visual tracing. Now just got to buy a private filter, like for monitors, and put it on your phone so no one can find out your SSN, phone number, or card pin number.
Having recently gotten an android phone, I have to wonder why nobody has written a locker that simply tracks phone orientation changes through some movement pattern rather than the touchscreen. There'd be no smudges (so better security and a cleaner screen), and it should be quicker. Kinda like using a secret handshake to unlock your phone. Example passcode: +x, -y, -z, +y (750 possibilities for a four movement code, more if you get fancier in movement tracking).
Go to Canada or mid Africa and they are totally unable to crack your iPhone, using "tracking heat trails" technique. :-)