An academic research paper by University of Pennsylvania researchers claims touch screen phones may be vulnerable to smudge attacks, a new form of security vulnerability based on the oily residue left on the screen. The researchers claim malicious attackers may be able to ascertain a certain amount of information, such as a password used by the device's owner, from the smudges left on a touch screen.
The researchers took photos of screens and used a program to analyze the photos closely. They found they could figure out the password over 90 percent of the time. The study used Android phones, which use a graphical pattern to allow users to unlock the phone. Phones included the Nexus 1.
The study also found that “pattern smudges,” which build up from entering the same password numerous times, are particularly recognizable.
While it sounds somewhat plausible, I find it hard to believe that practical use of this vulnerability, assuming it is even an issue, will result in widespread exploits. The attackers would have to gain physical access to the device in order to make use of the exploit, and most bad guys prefer to do their dirty deeds from afar. This is not to necessarily downplay the issue but to speak towards the reality of the situation.
It should be worth watching to see if any true security issues ever come from this research. I applaud the University of Pennsylvania team for conducting some very exhaustive investigative work, and some very informative and interesting research, but the reality is this “vulnerability” is a non-issue right now.