Researchers use smudge attack, identify Android passcodes 68 percent of the time

Summary: Penn State researchers managed to identify the passcode patterns on two Android smartphones (the HTC G1 and the HTC Nexus One) 68% of the time, using photographs taken under different lighting conditions and camera positions.

In a scenario reminiscent of a movie plot in which a biometric system is bypassed using restored fingerprint samples, Penn State researchers managed to identify the passcode patterns on two Android smartphones (the HTC G1 and the HTC Nexus One) 68% of the time, using photographs taken under different lighting conditions and camera positions.

From their paper, "Smudge Attacks on Smartphone Touch Screens":

To explore the feasibility of smudge attacks against the Android password pattern, our analysis begins by evaluating the conditions by which smudges can be photographically extracted from smartphone touch screen surfaces. We consider a variety of lighting angles and light sources as well as various camera angles with respect to the orientation of the phone.

Our results are extremely encouraging: in one experiment, the pattern was partially identifiable in 92% and fully in 68% of the tested lighting and camera setups. Even in our worst performing experiment, under less than ideal pattern entry conditions, the pattern can be partially extracted in 37% of the setups and fully in 14% of them.

The experiments covered two different scenarios: the passive attacker, who operates from a distance, and the active attacker, who has breached the physical security of the device, i.e. has physical access to it. Even under the worst experimental conditions, the researchers were still able to partially extract the pattern in 37% of the setups, and fully in 14% of them, using the residual oils on the touch screens.
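To put the partial versus full extraction figures above in terms of residual risk, here is an added example (my own code, not from the paper or this article) that enumerates the valid Android 3x3 patterns and counts how many remain consistent with what a smudge reveals: only the touched nodes (partial extraction) or every stroke (full extraction). The function names are mine, and the stroke rule it encodes, that a straight stroke may pass over a node only if that node is already part of the pattern, is Android's standard rule taken as an assumption here.

```python
from functools import lru_cache
from itertools import permutations

GRID = 3  # Android's pattern lock is a 3x3 grid; nodes are numbered 0..8

def skipped_node(a, b):
    """Node that a straight stroke a->b passes over, or None. Android adds it
    to the pattern, so a stroke may only pass over an already-used node
    (the standard stroke rule, assumed here)."""
    ra, ca = divmod(a, GRID)
    rb, cb = divmod(b, GRID)
    if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return ((ra + rb) // 2) * GRID + (ca + cb) // 2
    return None

def is_valid(seq):
    """True if seq (4..9 distinct nodes) is a pattern Android would accept."""
    if not 4 <= len(seq) <= 9 or len(set(seq)) != len(seq):
        return False
    return all(skipped_node(seq[i - 1], seq[i]) in (None, *seq[:i])
               for i in range(1, len(seq)))

@lru_cache(maxsize=None)
def all_patterns():
    """Every valid pattern, by depth-first extension of partial paths."""
    found = []
    def extend(path):
        if len(path) >= 4:
            found.append(tuple(path))
        for nxt in range(GRID * GRID):
            if nxt not in path and skipped_node(path[-1], nxt) in (None, *path):
                extend(path + [nxt])
    for start in range(GRID * GRID):
        extend([start])
    return found

def candidates_from_nodes(touched):
    """Partial extraction: the smudge shows which nodes were touched but not
    the strokes, so every valid ordering of those nodes remains."""
    return [p for p in permutations(sorted(touched)) if is_valid(p)]

def candidates_from_strokes(strokes):
    """Full extraction: every stroke is visible as an unordered node pair, so
    only the path direction is unknown (and one direction may be invalid)."""
    want = {frozenset(s) for s in strokes}
    return [p for p in all_patterns()
            if {frozenset(p[i:i + 2]) for i in range(len(p) - 1)} == want]
```

Of the 389,112 valid patterns, partial extraction of a four-node block still leaves 24 candidates, while full extraction leaves at most two (the path and, if the stroke rule allows it, its reverse), which is why the full-extraction rate is the figure that matters most for risk.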

The paper recommends that "Android's password pattern, should be strengthened". From another perspective, entrusting the confidentiality of your data to a highly marketable, user-friendly touch-screen pattern lock is a bad decision in the first place if the user is not also considering third-party data encryption applications in case the device is stolen or lost.

About

Dancho Danchev is an independent security consultant and cyber threats analyst with extensive experience in open source intelligence gathering and cybercrime incident response. He has been an active security blogger since 2007 and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community.
