Touch Screen Phones Vulnerable to “Smudge Attacks”

Posted by Scott Jarkoff in Shorts


An academic research paper by University of Pennsylvania researchers claims touch screen phones may be vulnerable to smudge attacks, a new form of security vulnerability based on the oily residue left on the screen. The researchers claim malicious attackers may be able to ascertain a certain amount of information, such as inferring a password used by the device's owner, from the smudges left on a touch screen.

The researchers took photos of screens and used a program to analyze the photos closely. They found they could figure out the password over 90 percent of the time. The study used Android phones, which use a graphical pattern to allow users to unlock the phone. Phones included the Nexus 1.

The study also found that “pattern smudges,” which build up from writing the same password numerous times, are particularly recognizable.

While it sounds somewhat plausible, I find it hard to believe that practical use of this vulnerability, assuming it is even an issue, will result in widespread exploits. The attackers would have to gain physical access to the device in order to make use of the exploit, and most bad guys prefer to do their dirty deeds from afar. This is not to necessarily downplay the issue but to speak towards the reality of the situation.

It should be worth watching to see if any true security issues ever come from this research. I applaud the University of Pennsylvania team for conducting some very exhaustive investigative work, and some very informative and interesting research, but the reality is this “vulnerability” is a non-issue right now.
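To put a number on how much a pattern smudge narrows the search, the following added example (not code from the original post or from the research paper) enumerates every valid Android 3x3 unlock pattern and counts how many remain consistent with an observed smear. It assumes the smudge reveals only the undirected line segments between dots; `SAMPLE` is a constructed nine-dot pattern, and all function names are hypothetical.

```python
def midpoint(a, b):
    """Dot exactly between a and b on the 3x3 grid (dots 0..8, row-major), else None."""
    ra, ca, rb, cb = a // 3, a % 3, b // 3, b % 3
    if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return (ra + rb) // 2 * 3 + (ca + cb) // 2
    return None

def patterns(min_len=4, max_len=9):
    """Yield every valid pattern: no dot reused, no jumping over an unused dot."""
    def walk(path):
        if len(path) >= min_len:
            yield tuple(path)
        if len(path) == max_len:
            return
        for nxt in range(9):
            mid = midpoint(path[-1], nxt)
            if nxt in path or (mid is not None and mid not in path):
                continue
            yield from walk(path + [nxt])
    for start in range(9):
        yield from walk([start])

def smear(pattern):
    """Undirected segments the finger would leave behind (assumed model: direction is lost)."""
    segs = set()
    for a, b in zip(pattern, pattern[1:]):
        mid = midpoint(a, b)
        # A stroke that passes over an already-used dot overlaps two shorter segments.
        hops = [(a, mid), (mid, b)] if mid is not None else [(a, b)]
        segs.update(frozenset(h) for h in hops)
    return frozenset(segs)

PATTERNS = list(patterns())                       # full search space, lengths 4..9
NINE_DOT = sum(1 for p in PATTERNS if len(p) == 9)  # only "all nine dots used" is known
SAMPLE = (0, 1, 2, 5, 4, 3, 6, 7, 8)              # constructed pattern starting in a corner

def candidates(observed, start=None):
    """Patterns whose smear equals the observed one, optionally with a known start dot."""
    target = smear(observed)
    return [p for p in PATTERNS
            if (start is None or p[0] == start) and smear(p) == target]

if __name__ == "__main__":
    print("no smudge information:      ", len(PATTERNS))
    print("all nine dots known used:   ", NINE_DOT)
    print("smear line visible:         ", len(candidates(SAMPLE)))
    print("smear line + start corner:  ", candidates(SAMPLE, start=0))
```

Under these assumptions the 389,112 possible patterns fall to four once the smear line is visible, and to one once the starting corner is also known.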

5 comments

  1. Kenneth Andrews

    I agree with you that I don't think it is that high of a concern, particularly due to having to get access to the physical concern, I can tell you that I did have a co-worker pick up my phone and in the first try get the password right. When I asked her how, she said she could see the smudge on the screen where I put in the code. Definitely one of those things you don't think too much about until someone does it and you think “ohhhhhh” :)

  2. Rich Chuckrey

    Very relevant article I believe. Thanks Scott.

  3. Scott Jarkoff

    It’s a little over the top but still worth keeping an eye on methinks. I’m not sure this is a vulnerability to lose sleep over but it is definitely plausible, especially as technology inches towards increased touch screen use.

  4. Scott Jarkoff

    That is a little scary that she was able to guess your password on the first try just because of the smudges. Although you may be able to see distinct smudges on four numbers, one must still guess the correct order. There are almost 10k potential combinations for four digits, so guessing on the first try was a stroke of luck methinks.

  5. Kenneth Andrews

    You can clearly see the smudge LINE though, that is what makes it so easy on an Android phone, you have to drag your finger from one to another, and, I actually use all nine dots, so basically she saw I started in one corner so she looked at where the line started in that corner, and then simply followed the smear line to the last dot.

    I was more concerned about the fact that she wanted to touch oily smudge, ewww