In a paper, researchers from the University of Pennsylvania revealed how the smudge marks left on your smartphone's touch screen can be used to guess your password.
Security researchers from the University of Pennsylvania
have highlighted a potential attack vector for accessing your mobile devices: the smudges from your fingertips.
In a paper (PDF)
presented this week at the USENIX Security Symposium in
Washington, D.C., the researchers revealed that oily residues on the surface of
touch screens used on devices such as smartphones can be used to infer
"We believe smudge
attacks are a threat for three reasons," the researchers wrote. "First, smudges
are surprisingly persistent in time. Second, it is surprisingly difficult to
incidentally obscure or delete smudges through wiping or pocketing the device.
Third and finally, collecting and analyzing oily residue smudges can be done
with readily available equipment such as a camera and a computer."
According to a study by comScore released last November,
touch-screen mobile phone adoption
in the United States grew by 159 percent between August 2008 and 2009,
from 9.2 million to 23.8 million subscribers. This outpaced overall smartphone
adoption, which grew at an otherwise respectable rate of 63 percent, from 20.7
million to 33.8 million subscribers.
The researchers experimented with two types of Google
Android-based smartphones, the HTC G1 and the HTC Nexus1, under various
lighting and camera conditions.
In one experiment, the researchers found they were able to
recover the entire password pattern 68 percent of the time after the phone had
been in contact with a person's face, as would happen during a normal phone
call. When the experiment was conducted with the pattern entered with only
"light touches," partial information was discernible 30 percent of the time.
Though the researchers said the techniques could be applied
to other smartphones and devices such as ATMs, they focused on Android phones
with 389,112 possible password patterns. While the team called this a reasonably
large space of patterns, in the event of smudge attacks the attackers can
select a "highly likely set of patterns, increasing her chances of guessing the
correct one before the phone locks-out."
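
To put the 389,112 figure in context, the following added example (not code from the paper or from this article) enumerates the Android pattern space and then counts how many patterns remain once the set of touched nodes is known. It assumes the standard Android rules (4 to 9 nodes, no reuse, no stroke over an unvisited node) and a simplified model in which residue shows only which nodes were touched, not their order; the function names and sample node sets are constructed for illustration.

```python
# Added illustration: Android 3x3 unlock grid, nodes numbered 0..8 row by row.
# Rules assumed (standard Android pattern lock): 4 to 9 nodes, no node reused,
# and a stroke may not pass over an unvisited node.

def _middle(a, b):
    """Node lying exactly midway between a and b on the grid, or None."""
    (ra, ca), (rb, cb) = divmod(a, 3), divmod(b, 3)
    if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return ((ra + rb) // 2) * 3 + (ca + cb) // 2
    return None

def count_patterns(nodes=range(9), min_len=4, use_all=False):
    """Count valid patterns drawn only from `nodes`.

    use_all=True keeps only patterns that touch every node in `nodes`,
    modelling residue that shows which nodes were used but not their order.
    """
    nodes = frozenset(nodes)

    def extend(last, visited):
        done = len(visited) >= min_len and (not use_all or visited == nodes)
        total = 1 if done else 0
        for nxt in nodes - visited:
            mid = _middle(last, nxt)
            if mid is None or mid in visited:
                total += extend(nxt, visited | {nxt})
        return total

    return sum(extend(start, frozenset([start])) for start in nodes)

if __name__ == "__main__":
    print("all patterns:", count_patterns())
    # Constructed samples of touched-node sets (hypothetical residue).
    for touched in ({0, 1, 3, 4}, {0, 1, 2, 5}, set(range(9))):
        print(sorted(touched), count_patterns(touched, use_all=True))
```

Under this model a four-node pattern leaves at most 24 candidates out of 389,112, while a pattern that uses all nine nodes still leaves 140,704.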
"We believe smudge
attacks based on reflective properties of oily residues are but one possible
attack vector on touch screens," the researchers wrote, adding "the practice of
entering sensitive information via touch screens needs careful analysis in
light of our results."