Can Greasy Fingerprints on Smart Phones Give Away Passcodes?

By Joseph Calamia | August 16, 2010 11:26 am

That grease trail you’ve smeared on your smart phone’s touchscreen could give away more than your lightsaber skills or virtual girlfriend’s whims: Would-be smudge attackers, a recent paper argues, could follow your finger oils as a clue to your passcode.

In the paper “Smudge Attacks on Smartphone Touchscreens,” which we first saw on Gizmodo, a team in the computer science department at the University of Pennsylvania tried to pick out grease patterns from Android phones by photographing the phones and enhancing the patterns with photo-editing software. From the paper’s introduction:

“We believe smudge attacks are a threat for three reasons. First, smudges are surprisingly persistent in time. Second, it is surprisingly difficult to incidentally obscure smudges through wiping or pocketing the device. Third and finally, collecting and analyzing oil residue smudges can be done with readily-available equipment such as a camera and a computer.”

Though the smudge alone can’t confirm the exact passcode, the study’s authors hint that it may help an attacker rule out possibilities. In the paper, the authors describe the three-by-three number grid of “contact points” that some earlier Android phones employed for entering passcodes. The team assumed three limitations on smudge patterns using this grid: it must have four or more contact points; it cannot use any contact point more than once; and if there is any contact point between two others on a smudge trail, then it must also be a contact point. They calculate that using just the last of these restrictions, an attacker could reduce the number of possible patterns from 1 million to 389,112 patterns, a way to reduce a phone lockout during hacking.
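To see how the three rules above shape the pattern space, the following added example (not code from the paper or from Android) enumerates every pattern on the grid and counts them by length, and also counts how many orderings remain when only the set of touched points is known. It assumes contact points are numbered 0 to 8 in row-major order and reads the third rule as "a stroke may pass over an intermediate point only if that point is already part of the pattern."

```python
# Added example: count 3x3 unlock patterns under the article's three rules.
# Assumption: contact points are numbered 0..8 in row-major order.
GRID = 3
POINTS = range(GRID * GRID)


def midpoint(a, b):
    """Return the contact point lying exactly between a and b, or None."""
    (ra, ca), (rb, cb) = divmod(a, GRID), divmod(b, GRID)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None  # no grid point sits halfway between a and b
    return (ra + rb) // 2 * GRID + (ca + cb) // 2


def count_patterns(min_len=4, max_len=9, touched=None):
    """Return {length: number of valid patterns}.

    touched: optional set of points; when given, only patterns that use
    exactly those points (in any valid order) are counted.
    """
    allowed = frozenset(POINTS if touched is None else touched)
    counts = {}

    def extend(last, visited):
        n = len(visited)
        # Rule 1: at least min_len contact points.
        if n >= min_len and (touched is None or visited == allowed):
            counts[n] = counts.get(n, 0) + 1
        if n == max_len:
            return
        # Rule 2: never reuse a contact point.
        for nxt in allowed - visited:
            mid = midpoint(last, nxt)
            # Rule 3 (assumed reading): jumping over a point is only
            # possible if that point is already in the pattern.
            if mid is None or mid in visited:
                extend(nxt, visited | {nxt})

    for start in allowed:
        extend(start, frozenset([start]))
    return counts


if __name__ == "__main__":
    by_len = count_patterns()
    print(by_len, "total:", sum(by_len.values()))
    print(count_patterns(touched={0, 1, 2, 5}))  # top row plus right-middle
    print(count_patterns(touched={0, 2, 6, 8}))  # four corners only
```

The per-length counts show that most of the space lives in the longest patterns, which is why a short pattern whose touched points are visible leaves very few orderings to distinguish.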

The study also investigated the best conditions for identifying a smudge pattern. A particularly easy partial pattern to find, the researchers say, appeared when the phone was “dirty prior to password entry,” i.e. after the user had just finished chatting, allowing the phone’s screen to soak up some extra face dirt for finger smudge contrast.

Related content:
Discoblog: Bizarre Makeup Patterns Can Fool Face Recognition Software
Discoblog: Augmented Reality Phone App Can Identify Strangers on the Street
Discoblog: Augmented Reality Tattoos Are Visible Only to a Special Camera
Discoblog: One Small Step Closer to Superhuman Cyborg Vision
Discoblog: Will the Laptops of the Future Be a Pair of Eye Glasses?

Image: flickr / p_kim

  • Chris

    Or much easier, look over the person’s shoulder.

  • Brian Too

    I used to use a door with an old-fashioned pushbutton keycode. Just 5 keys available, and the paint was worn on 3 of them. Since key reuse was impossible on that system and there was no limit on the number of retries… guessing the combination was within easy reach. Oops!
