Slashdot Mirror


Touchscreens Open To Smudge Attacks

nk497 writes "The smudges left behind on touchscreen devices could be used to decipher passwords to gain access, according to researchers at the University of Pennsylvania. The report tested the idea out (PDF) on Android phones, which use a graphical pattern that the user traces to unlock the handset. The researchers took photos of the smudge trails left on the screen and bumped up the contrast, finding they could unlock the phone 92% of the time. While they noted Android 2.2 also offers an alphanumeric password option, the researchers claimed such a smudge attack could be used against other touchscreen interfaces, including bank machines and voting machines. 'In future work, we intend to investigate other devices that may be susceptible, and varied smudge attack styles, such as heat trails caused by the heat transfer of a finger touching a screen,' they said."

22 of 185 comments

  1. Rather simple fix by Halifax Samuels · · Score: 5, Insightful

    It would be easy enough to implement an alphanumeric password on a keyboard that's always a different shape / place on the screen. Or just instruct users to wipe their hand across the screen a few times on public touchscreens - maybe include a small microfiber cloth attached to the kiosk / ATM / whatever to clean it with.

    1. Re:Rather simple fix by TrisexualPuppy · · Score: 4, Interesting

      This isn't exactly a new idea. Even I had a similar idea that I realized years ago.

      Back when I was at MIT, we had utility vehicles on campus and several keypadded gates. The men in trucks drove up to the gates and entered codes. Since I didn't want to build any hardware, I colored the keypad over with a permanent marker in similar color to the keys. I counted the audible beeps emitted by the controller. After a day or so, I went up and saw that only three keys had been depressed for the five beeps. After four tries, I had the code and could pointlessly open the gate for no reason at all at will!

    2. Re:Rather simple fix by Anonymous Coward · · Score: 5, Funny

      You'll find it's actually quite common to get incredibly lucky in stories that you made up. In fact, just the other day when I was getting a blowjob from Jessica Alba, a million dollars fell into my lap.

    3. Re:Rather simple fix by Anonymous Coward · · Score: 3, Funny

      that must be made up. what probably really happened was the million dollars fell on her head and she didn't get to finish her job.

    4. Re:Rather simple fix by tokul · · Score: 2, Insightful

      > maybe include a small microfiber cloth attached to the kiosk

      That cloth will soon become a virus/bacteria farm instead of being a security feature.

    5. Re:Rather simple fix by dmomo · · Score: 2, Funny

      > solution? wipe the screen regularly or don't use your ipad while eating barbecue ribs.

      So, never use an ipad?

    6. Re:Rather simple fix by riperrin · · Score: 2, Informative

      Actually I have a similar story. My brother left his car at the back of my house while he spent a year travelling. When he came back he couldn’t remember the code to deactivate the immobiliser. 10000 possible combinations and every third time you got it wrong you’d get the alarm going off and you’d have to disconnect the battery. Clearly a brute force attack would piss off the neighbours. So we sat and had a little think about it with a cup of tea (we are British), at which point we noticed that four of the buttons were a lot cleaner than the others. Suddenly we only had 24 combinations to try and managed to set the alarm off only twice.

      Top tip: If you’ve got a number pad immobiliser, give it a bit of a clean.

      In similar news, I find watching someone draw a pattern a lot easier to replicate than seeing them type numbers. With the “trail” option on you can see the pattern from half the pub away.

    7. Re:Rather simple fix by Dragonslicer · · Score: 2, Funny

      > Or get an iPhone. Yes in theory the smug attack still exists.

      Oh, I'm pretty sure that there's no "in theory" about it.

  2. Just randomize the keyboard every time by Gruturo · · Score: 3, Insightful

    Just randomize the keyboard every time, bam, smudges are now useless. Or use Apple's oleophobic display coating (http://iphoneindia.gyanin.com/2009/06/11/iphone-3gs-gets-oleophobic-coating-whats-this-oleophobic-coating/) assuming it's good enough to thwart this attack.

    --

    Vacuum cleaners suck. Kings rule.

    1. Re:Just randomize the keyboard every time by MikeCamel · · Score: 3, Interesting

      A couple of issues with this.

      1) the Android set-up doesn't actually use a keyboard: just dots, which you're supposed to join in the same order.
      2) I believe that there are patents around the randomising idea.

      I'm certainly aware of this issue on my Android phone. The fact that you're supposed to keep your finger on the screen as you join the dots means that there's often a pretty clear track, even if you have clean hands. And you can tell the order in which tracks were made if you have one which crosses over another.

      I quite like the technology, but it's good to be reminded of the possible dangers. I'll keep wiping mine once I've logged in.

    2. Re:Just randomize the keyboard every time by jewens · · Score: 3, Funny

      That won't work for me you insensitive clod, my passcode is all 8s.

      --
      That group of bovine standing over there appears quite portentous. That's right it's an ominous cow herd.

  3. Well, maybe ... by krzysz00 · · Score: 2, Insightful

    ... people could either wipe down touchscreens after use, WASH THEIR HANDS, or the public ones could have a cloth or something to remove smudges.

    1. Re:Well, maybe ... by ihatejobs · · Score: 3, Insightful

      You haven't used a touchscreen phone if you really think keeping it clean is as simple as washing your hands.

      --
      Can anyone tell me why 99% of /. users are total assclowns?

  4. Non touch-screens, too by Rob the Bold · · Score: 4, Informative

    This isn't really that different from the case of push-button locks that are subject to "wear attacks", is it? You know, just check to see which of the 5 or so buttons are most worn/polished/dirty. If it's 3 of them, you've only got to try 6 permutations -- maximum -- to open it. Worked fine in my wife's hospital room for the locked supply drawer. Two tries. All the bandaids and gauze I wanted.

    I'd say this case is much harder to fix than the touchscreen, given the "randomize" suggestion above. Sure it's a little bit of a pain, but not that bad if security is actually important.

    --
    I am not a crackpot.

    1. Re:Non touch-screens, too by swb · · Score: 2, Interesting

      Yes, I've made use of this myself and have also seen it done similarly in films where the keypad is sprayed with a UV luminescent spray; when illuminated you can easily see which keys are pressed and which aren't.

      The obvious "solution" is to require all buttons be pressed (ie, 6 button keypad means 6 digit combinations). One of my gun safes uses an Ilco mechanical lock and you have to push all the buttons; it does allow you to cut the "length" of the combination by using two-button presses as a single combination "digit" but you still have to press all the buttons. The added bonus to combinations is they increase the number of button presses possible when trying to brute force the combination.

  5. Practically by pinkushun · · Score: 2, Insightful

    Does this mean I should stop eating chocolate while using my touchscreen toy? :/

    No seriously, it might work 92% of the time, but that's assuming the user just unlocked and did not use the device. Using it would introduce noise and break the unlock-smudges, dropping the percentage closer to zero the more they use it.

  6. Graphical Pattern Lock Usage by quatin · · Score: 5, Interesting

    This comes as no surprise. Most people draw simple shapes on the graphical pattern lock. Would you be surprised if your computer was hacked if you set the password to "1234"?

    For example, how many of you have drawn a triangle as your pattern? I know I did the first time I used my android phone. Then a few weeks later, when I was on an airplane, I watched a senior gentleman pull out his smart phone and draw the exact same pattern lock as me.

    I then sat down and pondered the complexity of passwords using a graphical pattern lock. There's only 9 buttons to use and for most people they tend to only use adjacent buttons when drawing. If one were confined to this set of rules, the passwords would all be linear and simple geometric shapes. However, I figured out through trial and error, that you can actually double back on buttons you've activated and activate buttons that are non-adjacent to active ones by drawing in the blank space in between buttons. This should be a criteria for a strong graphical pattern lock, just like how there's requirements for strong alpha-numerical password locks. You should always have at least one double back button and one non-adjacent button as part of the pattern lock. This way the smudges left on your phone are non-linear.

    1. Re:Graphical Pattern Lock Usage by unixan · · Score: 3, Interesting

      > However, I figured out through trial and error, that you can actually double back on buttons you've activated and activate buttons that are non-adjacent to active ones by drawing in the blank space in between buttons. This should be a criteria for a strong graphical pattern lock

      I also noticed this, shortly after I got the idea to use an unlock pattern. Once you noticed those two aspects (ability to draw between buttons, and harmlessly slide over already-activated buttons), the permutations multiply.

      With those in mind, here is how unique a randomized unlock pattern can be:
      4 dots = 1624 permutations (as weak as a 3 number password!)
      5 dots = 7152 permutations (much better, but not by far)
      6 dots = 26016 permutations (at least as strong as a 4-digit bank card PIN)
      7 dots = 140704 permutations (about as strong as a 5-digit bank card PIN)

      As a bonus, choosing more dots reduces the ability for a smudge attack to succeed. But only if you choose a pseudo-random one. Don't kid yourself, one that you come up with on your own is biased in favor of a like-minded (i.e. homo sapien) attacker.

      To help, here's a quick bit of shell code to easily generate a strong unlock code for an Android phone. It numbers the dots like a telephone: top-left button is 1, top-middle is 2, top-right is 3, ...etc. Just draw the dots in the pattern indicated.

      rand -N 9 -M 9 -u | perl -ane '%seen=();%bad=qw(13 2 17 4 19 5 28 5 31 2 37 5 39 6 46 5 64 5 71 4 73 5 79 8 82 5 91 5 93 6 97 8);$last=0;print map {$next=$_+1;$combo=$last.$next;if ($bad{$combo} and not $seen{$bad{$combo}}) {()} else {$seen{$next}=1;$last=$next;$next,"\n"}} @F'

      --
      This signature intentionally left unblank.
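
Added example (not part of unixan's comment or of the original page): a Python sketch that enumerates drawable unlock patterns under the two rules discussed in this thread (a stroke may not jump over an untouched dot, but may pass over one already used), counts the orderings left to guess when a smudge is assumed to reveal only which dots were touched, and draws a uniformly random pattern from the OS CSPRNG. The function names and the smudge model are assumptions of this example; dots are numbered 1 to 9 like a telephone keypad, as in the comment.

```python
import secrets
from itertools import permutations


def middle(a, b):
    """Dot lying exactly between dots a and b (numbered 1..9), or None."""
    ra, ca = divmod(a - 1, 3)
    rb, cb = divmod(b - 1, 3)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None
    return (ra + rb) // 2 * 3 + (ca + cb) // 2 + 1


def is_valid(pattern):
    """True if the sequence of dots can be drawn on the 3x3 grid."""
    seen = set()
    prev = None
    for dot in pattern:
        if dot in seen:
            return False            # each dot is used at most once
        if prev is not None:
            m = middle(prev, dot)
            if m is not None and m not in seen:
                return False        # would jump over an untouched dot
        seen.add(dot)
        prev = dot
    return True


def count_patterns(length):
    """Number of drawable patterns with exactly `length` dots."""
    return sum(is_valid(p) for p in permutations(range(1, 10), length))


def orderings_for_dots(dots):
    """Drawable patterns over exactly these dots (assumed smudge model:
    the residue shows which dots were touched, not the order)."""
    return sum(is_valid(p) for p in permutations(sorted(dots)))


def random_pattern(length):
    """Uniform choice among drawable patterns, by rejection sampling."""
    rng = secrets.SystemRandom()
    while True:
        candidate = rng.sample(range(1, 10), length)
        if is_valid(candidate):
            return candidate


if __name__ == "__main__":
    print(random_pattern(7))
```

Run as written, the enumeration gives 1624, 7152, 26016 and 72912 drawable patterns for 4, 5, 6 and 7 dots; a four-dot square such as 1-2-4-5 leaves 24 orderings once the touched dots are known.
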
  7. Scanning for heat trails? by Pioto · · Score: 2, Informative

    Scanning for heat trails... that reminds me of Cyberia...

  8. Re:Duh by arcsimm · · Score: 2, Insightful

    I was surprised this is news as well. Dusting keypad locks to see which keys are used most often isn't unheard of, and this just seems like a variation on that.

  9. Re:Could be just me, but... by natehoy · · Score: 2

    You're right, an ATM with a touchscreen would be an instant ADA fail, since putting braille on a touchscreen would be somewhat difficult.

    That aside...

    An ATM would be a lot harder to crack, because lots of people use it so the keys are going to be somewhat more randomly-used (since everyone has a different PIN).

    The only way of using this would be to put a shim on the ATM to read the magstripe, then some sort of substance on the keypad, and then go back and determine which keys were pressed between each use of the ATM. And, hell, if you're going to go to that much trouble just integrate a pinhole camera into the shim and capture the actual fingers pressing the actual keys along with the magstripe. No fancy guesswork required.

    --
    "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."

  10. Why not use the orientation sensor instead? by izomiac · · Score: 2, Interesting

    Having recently gotten an android phone, I have to wonder why nobody has written a locker that simply tracks phone orientation changes through some movement pattern rather than the touchscreen. There'd be no smudges (so better security and a cleaner screen), and it should be quicker. Kinda like using a secret handshake to unlock your phone. Example passcode: +x, -y, -z, +y (750 possibilities for a four movement code, more if you get fancier in movement tracking).