That grease trail you’ve smeared on your smart phone’s touchscreen could give away more than your lightsaber skills or virtual girlfriend’s whims: Would-be smudge attackers, a recent paper argues, could follow your finger oils as a clue to your passcode.
In the paper “Smudge Attacks on Smartphone Touchscreens,” which we first saw on Gizmodo, a team in the computer science department at the University of Pennsylvania tried to pick out grease patterns from Android phones by photographing the phones and enhancing the patterns with photo-editing software. From the paper’s introduction:
“We believe smudge attacks are a threat for three reasons. First, smudges are surprisingly persistent in time. Second, it is surprisingly difficult to incidentally obscure smudges through wiping or pocketing the device. Third and finally, collecting and analyzing oil residue smudges can be done with readily-available equipment such as a camera and a computer.”
Though the smudge alone can’t confirm the exact passcode, the study’s authors hint that it may help an attacker rule out possibilities. In the paper, the authors describe the three by three number grid of “contact points” that some earlier Android phones employed for entering passcodes. The team assumed three limitations on smudge patterns using this grid: it must have four or more contact points; it cannot use any contact point more than once; and if there is any contact point between two others on a smudge trail, then it must also be a contact point. They calculate that using just the last of these restrictions, an attacker could reduce the number of possible patterns from 1 million to 389,112 patterns–a way to reduce a phone lockout during hacking.
The study also investigated the best conditions for identifying a smudge pattern. A particularly easy partial pattern to find, the researchers say, appeared when the phone was “dirty prior to password entry,” i.e. after the user had just finished chatting, allowing the phone’s screen to soak up some extra face dirt for finger smudge contrast.
Discoblog: Bizarre Makeup Patterns Can Fool Face Recognition Software
Discoblog: Augmented Reality Phone App Can Identify Strangers on the Street
Discoblog: Augmented Reality Tattoos Are Visible Only to a Special Camera
Discoblog: One Small Step Closer to Superhuman Cyborg Vision
Discoblog: Will the Laptops of the Future Be a Pair of Eye Glasses?
Image: flickr / p_kim