Smartphone Security Thwarted by Fingerprint Smudges
By Tony Bradley
Smartphones have relatively large storage capacities for devices that are so easily lost or stolen. You might think that the data and information stored on your smartphone is protected by the clever passcode you created, but researchers have determined that it’s possible to crack the passcode based on the oily smudges your fingers leave behind.
A team of researchers from the University of Pennsylvania presented a paper titled “Smudge Attacks on Smartphone Touch Screens” at WOOT ’10, the fourth USENIX Workshop on Offensive Technologies, in Washington DC this week. The researchers describe a method for uncovering the smartphone password based on the fingerprints left on the touchscreen.
The research paper explains “Oily residues, or smudges, on the touch screen surface, are one side effect of touches from which frequently used patterns such as a graphical password might be inferred.” Bottom line: because your fingers leave oily smudges, an attacker can possibly determine where your fingers have been on the touch screen and break your password.
The research team lists three reasons that smudge attacks are a threat to smartphone security. “First, smudges are surprisingly persistent in time. Second, it is surprisingly difficult to incidentally obscure or delete smudges through wiping or pocketing the device. Third and finally, collecting and analyzing oily residue smudges can be done with readily-available equipment such as a camera and a computer.”
According to the research paper, the team found the results of their testing to be “extremely encouraging.” IT admins and smartphone owners, however, might interpret the findings as discouraging. “In one experiment, the pattern was partially identifiable in 92% and fully in 68% of the tested lighting and camera setups. Even in our worst performing experiment, under less than ideal pattern entry conditions, the pattern can be partially extracted in 37% of the setups and fully in 14% of them.”
The security risk is present on all touchscreen smartphones to some extent, but it is a much bigger risk on Android devices that rely on a swipe pattern rather than the more traditional numeric or alphanumeric PIN.
Android displays a grid of nine circles and lets the user create a passcode based on how they connect the dots. Because the pattern is completed without lifting your finger off the display, the oily smudges show which circles are part of the passcode, and also betray the order in which the smartphone owner’s finger traced them.
In contrast, an attacker might be able to determine where an iPhone owner’s fingers have touched the screen, but not which order the numbers or letters were entered. The attacker would also not necessarily be able to determine if the same number or letter is repeated within the password, or how many times it is repeated.
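As an added illustration of the contrast above (this is not code from the article or from the research paper): assuming a numeric PIN on a ten-key pad and that smudges reveal only which keys were touched, not their order or how often each was pressed, the snippet counts how many PINs remain consistent with that observation, which is how a defender would estimate the residual work factor against a leak of this kind.

```python
from itertools import product

# Assumed ten-key numeric keypad (not taken from the article).
DIGITS = "0123456789"


def pin_candidates(touched, length=4):
    """Count PINs of `length` digits that use every smudged key at least
    once and no other key, i.e. every PIN an observer of the smudges
    could not rule out. Brute force over 10**length PINs is fine here."""
    touched = set(touched)
    return sum(1 for pin in product(DIGITS, repeat=length)
               if set(pin) == touched)


def smudge_reduction(touched, length=4):
    """Return (remaining candidates, full keyspace, fraction remaining)."""
    remaining = pin_candidates(touched, length)
    full = len(DIGITS) ** length
    return remaining, full, remaining / full


def pattern_candidates(trace_recovered):
    """For the nine-dot swipe pattern the smudges carry the order too, so a
    fully recovered trace leaves exactly one candidate; a partial trace is
    modelled here only as 'more than one' (the paper reports partial and
    full recovery rates, not candidate counts)."""
    return 1 if trace_recovered else None


if __name__ == "__main__":
    # Constructed observations: distinct smudged keys seen on the pad.
    for seen in ("1357", "135", "13", "7"):
        left, full, frac = smudge_reduction(seen)
        print(f"{len(seen)} distinct smudges -> {left} of {full} "
              f"4-digit PINs remain ({frac:.2%})")
    print("nine-dot pattern, full trace recovered ->",
          pattern_candidates(True), "candidate")
```

Note that fewer distinct smudges (a PIN with repeated digits) do not necessarily leave more candidates: two distinct keys leave 14 four-digit PINs, four distinct keys leave 24.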