Schneier on Security
A blog covering security and security technology.
August 12, 2010
Security Analysis of Smudges on Smart Phone Touch Screens
"Smudge Attacks on Smartphone Touch Screens":
Abstract: Touch screens are an increasingly common feature on personal computing devices, especially smartphones, where size and user interface advantages accrue from consolidating multiple hardware components (keyboard, number pad, etc.) into a single software definable user interface. Oily residues, or smudges, on the touch screen surface, are one side effect of touches from which frequently used patterns such as a graphical password might be inferred.
In this paper we examine the feasibility of such smudge attacks on touch screens for smartphones, and focus our analysis on the Android password pattern. We first investigate the conditions (e.g., lighting and camera orientation) under which smudges are easily extracted. In the vast majority of settings, partial or complete patterns are easily retrieved. We also emulate usage situations that interfere with pattern identification, and show that pattern smudges continue to be recognizable. Finally, we provide a preliminary analysis of applying the information learned in a smudge attack to guessing an Android password pattern.
Reminds me of similar attacks on alarm and lock keypads.
Posted on August 12, 2010 at 6:48 AM
• 28 Comments
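The keyspace arithmetic behind the abstract's last sentence, as an added example (not code from the paper or from this post): it enumerates the Android pattern space under the standard 3x3 rules and counts how many patterns stay consistent with what a smudge reveals. The sample pattern and the node-pair model of a trail are assumptions made for illustration.

```python
from itertools import combinations

# Node a straight move passes over on the 3x3 grid (ids 0..8, row-major).
# Android allows such a move only if that midpoint was already visited.
SKIP = {}
for a, b in combinations(range(9), 2):
    (ra, ca), (rb, cb) = divmod(a, 3), divmod(b, 3)
    if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        SKIP[a, b] = SKIP[b, a] = (ra + rb) // 2 * 3 + (ca + cb) // 2

def patterns(min_len=4, max_len=9):
    """Yield every valid unlock pattern as a tuple of node ids."""
    def extend(path, used):
        if len(path) >= min_len:
            yield tuple(path)
        if len(path) == max_len:
            return
        for nxt in range(9):
            mid = SKIP.get((path[-1], nxt))
            if nxt in used or (mid is not None and mid not in used):
                continue
            yield from extend(path + [nxt], used | {nxt})
    for start in range(9):
        yield from extend([start], {start})

ALL_PATTERNS = list(patterns())

def trail(pattern):
    """Undirected segments a pattern leaves behind; direction is lost."""
    return frozenset(frozenset(p) for p in zip(pattern, pattern[1:]))

def candidates_by_nodes(touched):
    """Patterns consistent with knowing only which nodes were touched."""
    touched = set(touched)
    return [p for p in ALL_PATTERNS if set(p) == touched]

def candidates_by_trail(segments):
    """Patterns consistent with a fully recovered trail (assumed model)."""
    return [p for p in ALL_PATTERNS if trail(p) == segments]

SECRET = (0, 1, 2, 5, 8)  # constructed sample pattern, not from the paper

if __name__ == "__main__":
    print("total patterns:", len(ALL_PATTERNS))
    print("nodes known:", len(candidates_by_nodes(SECRET)))
    print("trail known:", len(candidates_by_trail(trail(SECRET))))
```

With only the touched nodes known, the search space for this sample drops from the full pattern set to a few dozen candidates; with the whole trail recovered, only the direction of travel is left to guess, which is why lockout after repeated failed attempts matters more than the nominal size of the pattern space.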
It's one reason the Android phone I selected has a flip out keypad.
Also one advantage of a flip screen is the time lag in flipping which allows you a second or so to wipe your finger across it.
Also in some modes putting your finger on the light sensor blanks the screen and in the process stops any input from the touch screen so you can again wipe it with a finger.
So in some android phones it's a matter user smarts.
As far as I can tell from the paper, they didn't use the phone for other (regular) activities - I reckon that 'smudges' from normal usage would make it harder to distinguish password 'smudges'.
Some encrypted hard drives that also use a keypad on a touchscreen (don't recall the manufacturer) prevent this attack by randomising the key sequence on the displayed keypad (so instead of the standard 1 2 3 4 5 6 7 8 9 0 the keypad is for example shown as 3 6 1 7 2 9 0 5 4 8)
@Clive "it's a matter user smarts."
What we need is a stronger white rat.
Smudges can be removed by lens cleaner, I wish they would make eyeglass lenses out of gorilla glass. TM corning glass co
Simple way around this - don't have a password on your smartphone.
Android 2.2 has three options for the unlock, the pattern, a pin, or a password.
If this is really a big deal, touch screens have a wonderful mechanism to combat this: randomizing the positions of the "keys." Of course, that might infuriate users...but, what else is new?
Honestly, I think this is a moot point. If the only thing you do is enter the password on your smart phone touch screen and make sure you don't touch anything else - then YES, it will be easy to get the password or at least the digits involved in the unlocking process.
However, people don't only use their touch screen for just that function on their smart phones. On my old iPhone for example, I would clean it at the end of every day as it would be smudged to hell from all the finger swiping.
I could see this being a vulnerability if the touch screen had only 1 password being used, then it would be easy to visibly see the points of contact, or lift the oils off the sensor glass.
It seems to me the "smudge" trail is totally insignificant. The touch locations are known or stored in the smartphone itself so why not just use that data?
Where I used to work, we used these scrambling keypads (http://www.hirschelectronics.com/Products_ScramblePads.asp) for physical access. Pretty slick. (Not very friendly for those without vision, however. I imagine a braille version exists, of course.) The same concept would work fine for PIN entry on iPhones or Android devices.
Before entering the phone's password, enter a wrong password that uses different digits.
Yeah I noticed this flaw with Android's system too. I don't think the lock screen is meant to be highly secure.
Jelie: Stochastic: Read the article. It wouldn't work in this case.
Touch screens have an advantage over normal keypads there because they can obfuscate this information leakage by switching or moving the key positions.
As usual, this would trade insecurity for inconvenience, since you can't type without looking.
@Jelle - Yup, that's the right answer to addressing the problem.
What's all the fuss. Just remember to wipe the screen after entering a password. That's what shirt sleeves were made for - but make sure there's no snot first.
It seems that it would be easier to shoulder-surf the password pattern than to photograph it. I do not consider the "password pattern" even close to adequate protection. It is possible to get the pattern from across the room, given the size of the screen.
Hey Bruce, how about an article about the wave of countries threatening to ban messaging services of RIM's phones if the company does not help them get access to monitor them? UAE, Saudi Arabia and India are the ones I recall but maybe there were others. I'd love to hear your opinion about all of this. They're all using the "terrorists" excuse, but what other reasons might they have? (Sharing business secrets with local companies? Discouraging certain types of frowned-on behaviour, such as women and men chatting with each other in the UAE?)
Heh. I introduced my husband to "Defend the Castle" - I think playing that game wipes out the most persistent password smudges ;)
As with many of these items, those who are /speculating/ on the validity of the attack without experience should shut their (pardon my french) pie holes.
About two years ago we tried this, successfully, with pattern "passwords." Yes, even with normal use, at least some unlock sequences are pretty obvious, or are one of the things that gets done over and over, so leave discernable residue above other, random, gestures.
The boss, whose phone we did this on, now tries to remember to wipe the screen clean before locking and putting it down or away. But a random keyboard or just using a pin/passcode on a physical keyboard would seem a better solution.
The only problem with using the scramble pad idea is that you would have to probably license it from Hirsch Electronics because they hold a patent on that concept.
To remove smudges on iPhone, iPod and iPad I made "Clean my Screen".
(Sorry, I couldn't let this slide)
I just saw you feeding giraffes at the breakfast table on Weird and Wonderful Hotels.
Finally a security justification for smudge-resistance and keeping skin clean...policy should now officially ban oily foods. No more fish n' chips for the mobile user.
Smudges, heck. Consider the people who use screen protectors. Permanent marks in fairly short order.
Cracked an admin password on a server using this once. Look for clean keys if dusty, guess out the combinations. It's why you don't make your system susceptible to a dictionary crack. Would have been harder if it was random characters.
As to pins, four numbers, work out the permutations and you're in.
Consider: You do not need to randomize the key order for PIN-based authentication, simply have the 10-key pad take up 30-40% of the screen and have its location and orientation change around upon each display.
Thus the user is not frustrated with the time lag involved in a scrambled 10key order, but the actual touchscreen location being used is varied over repeat uses.
There was a recent episode of the British TV show "The Real Hustle" in which the presenters, posing as policemen, persuaded a jeweller to open his safe in order to check that the contents were OK. The safe had a numeric touchpad and the jeweller was careful to shield it with his body while he entered the PIN. But one of the presenters had an infra-red camera hidden under a clipboard. When the jeweller relocked the safe and stepped away from it, one snapshot from the IR camera showed clearly which buttons he had pressed because of the heat from his fingers. Not only that, but because the heat was slowly fading from the buttons, it was perfectly clear what order they had been pressed in.