ie8 fix
madison

Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev
Home / News & Blogs / Zero Day

Researchers use smudge attack, identify Android passcodes 68 percent of the time

By | August 16, 2010, 1:55pm PDT

Summary: Penn State researchers managed to identify the pass code patterns on two Android smartphones (the HTC G1 and the HTC Nexus One), 68% of the time, using photographs taken under different lighting conditions, and camera positions.

In a movie-plot like scenario, where a biometric system is bypassed using restored fingerprint samples, Penn State researchers managed to identify the pass code patterns on two Android smartphones (the HTC G1 and the HTC Nexus One), 68% of the time, using photographs taken under different lighting conditions, and camera positions.

From their paper, “Smudge Attacks on Smartphone Touch Screens“:

To explore the feasibility of smudge attacks against the Android password pattern, our analysis begins by evaluating the conditions by which smudges can be photographically extracted from smartphone touch screen surfaces. We consider a variety of lighting angles and light sources as well as various camera angles with respect to the orientation of the phone.

Our results are extremely encouraging: in one experiment, the pattern was partially identifiable in 92% and fully in 68% of the tested lighting and camera setups. Even in our worst performing experiment, under less than ideal pattern entry conditions, the pattern can be partially extracted in 37%of the setups and fully in 14% of them.

The experimenting took place using two different scenarios - the passive attacker, who operates from a distance, and the active attacker who has breached the physical security of the device, namely, has physical access to it. Even in the worst possible experiment conditions, the were still able to partially extract 37% of the setups, and fully in 14% of the cases, using residual oils on the touch screens.

Related post:

The research recommends that “Android’s password pattern, should be strengthened“. From another perspective, entrusting the confidentiality of your data to a highly marketable, user-friendly touch screen password pattern, is a bad decision in the first place, if the user is not considering the use of third-party data encrypting applications in case the device gets stolen/lost.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Zero Day”

Topics

Touch Screen, Password, Smart Phone, Camera, Attack, Keyboards, Monitors & Displays, Peripherals, Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Disclosure

Dancho Danchev

More details on Dancho Danchev's current and past professional affiliations, can be found in his LinkedIn profile.

Biography

Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations, can be found in his LinkedIn profile. You can also follow him on Twitter
15
Comments
Add Your Opinion

Join the conversation!

Just In

RE: Researchers use smudge attack, identify Android passcodes 68 percent of the time
bynes69 17th Sep
@Roque Mocan I just want to emphasize the good work on this , has excellent views and a clear vision of what you are looking for
Thesis
Dissertation
View in thread
0 Votes
+ -
Who thought that was secure?
LiquidLearner 16th Aug 2010
I've successfully used "smudge attacks" to identify the codes of 4 of my friends Android devices. So? Anyone who has used the devices for any length of time should know that. Use your phone on a summer day in Houston, then have to unlock it a few minutes later. You could tell the pattern a mile away.

Smartphones should always be setup with remote wipe of some sort.
0 Votes
+ -
Waiting for the Apple fanbois...
Roque Mocan 16th Aug 2010
... to say that their oleofobic displays are superior
0 Votes
+ -
And your point is?
Pete "athynz" Athens 17th Aug 2010
@Roque Mocan This is talking about the security of the swipe patterns Android devices use... why do you trolls want to bring up things not even related?
0 Votes
+ -
RE: Researchers use smudge attack, identify Android passcodes 68 percent of the time
bynes69 17th Sep
@Roque Mocan Great informative post thanks for sharing.....
Research Paper
Term Paper
Essay
0 Votes
+ -
RE: Researchers use smudge attack, identify Android passcodes 68 percent of the time
bynes69 17th Sep
@Roque Mocan I just want to emphasize the good work on this , has excellent views and a clear vision of what you are looking for
Thesis
Dissertation
0 Votes
+ -
RE: Researchers use smudge attack, identify Android passcodes 68 percent of the time
rhonin 17th Aug 2010
This is new?
My son suprised me by doing that with my iPhone pin code years ago.
Yes it can also be done on my Nexus One too.
and any tablet computer and Pad and ....

on a side note, if you do a lot of stuff on your phone, good luck picking up my pass code / pass swipe. - unless you get it just after I "unlock" it.

fyi: both of my smartphones have wipe after "x" number of failed attempts. remote wipe; no.
0 Votes
+ -
Remote wipe
Pete "athynz" Athens 17th Aug 2010
@zenwalker and the "find my iPhone" feature are the only reasons I subscribe to MobileMe... and it has already paid for itself as my daughter had misplaced her iPhone and we were able to find it using that feature.
0 Votes
+ -
RE: Researchers use smudge attack, identify Android passcodes 68 percent of the time
ronald.warden@... 17th Aug 2010
Ok, so what is a good third party data encryption application for an android? Finish the story!
0 Votes
+ -
Our teenagers have known this for a decade.
Mabrick 17th Aug 2010
My son, now nearly 21, has been dating constantly since high school. He has had a standard cell phone (not even a fancy touch screen smartphone either) the entire time. Every girl friend he has dated has gleaned his unlock code from watching him. They then read his text messages while he sleeps, showers or otherwise leaves the phone unattended. When I asked him if he resented the invasion of privacy his answer was, "My what?" The ensuing discussion illustrated to me that the new generation just doesn't give a flip. Perhaps that will change when he starts to make enough money that it can't all be carried in his wallet. It certainly didn't change the several times he got busted for double-dating and I don't mean with another couple. So go ahead and access my phone. All you'll be able to do is make crank calls because I don't have anything on my phone that I wouldn't mind other's seeing. It's all public information and if you keep personal stuff on your phone perhaps you should reconsider. YMMV.
0 Votes
+ -
RE: Researchers use smudge attack, identify Android passcodes 68 percent of the time
Fletchguy 17th Aug 2010
@Mabrick
Sounds like your son has some issues either he is known to cheat or his esteem issues have him picking damaged insecure women who are easy pickings..Also not so bright if he lets his pass be seen so easy
0 Votes
+ -
dumb story
snoop0x7b 17th Aug 2010
This is a physical attack and a really simple one at that... I don't know why reading smudges is garnering so much attention when it's been a reality for such a long time. I also don't know why any individual researcher is getting any credit for this attack, it seems like the sort of thing I thought of as soon as I got my Eris (which it was)....

Stop covering this story, it isn't news.
0 Votes
+ -
RE: Researchers use smudge attack, identify Android passcodes 68 percent of the time
Fletchguy 17th Aug 2010
How do you know what smudges to use since on a touchscreen phone the entire screen is usually smudged and touch few thousand times a day making finding 4 smudges almost impossible. I guess if you use a qwearty key pad for text, email, and web surfing and just the touch screen for your code then maybe but I dont see the average users touch smudges being usable after ferw thousand touches
0 Votes
+ -
Improve the sign-in...
Agnostic_OS 17th Aug 2010
Improve the sign-in by having, in the background, a semitransparent arrow indicating orientation of the grid and the angle of arrow (and grid) then varies each sign-in to new randomly picked orientation.
Yes I realize that the sharp-eyed the passive attacker would still be able to at least partially extract the pass code patterns but the the active attacker should have much more difficulty.
0 Votes
+ -
RE: Researchers use smudge attack, identify Android passcodes 68 percent of the time
johnlgalt@... 17th Aug 2010
You can use other things than the passcode, and you can easily wipe the screen off (carrying around a small microfiber cloth for just such wiping may be overkill, but some people do it....)

I have a Motorola DROID, and I have enabled the *pattern* code since day one - it is relatively simplistic, but the main reason I use it is that, unless you know what to look for, it is a bit harder to discern because the smudges left are not, in fact, pressure points, but *swipes* - the same style of smudging left when I, oh, say, surf the web, read and reply to my email, read and post tweets, read and post facebook statuses, play a video game, look at the pictures in my gallery, call a friend, text a friend, check my voicemail....oh, wait, pretty much everything I do on the phone, b/c 1) I don't use the physical KB, and 2) I *do* use Swype.

I wonder if the same researchers have attempted to 'decode' the pattern locking mechanism?

Also, disabling haptic feedback on your phone may help prevent detection, although this is purely a guess on my part.

Finally, there are a few products that allow for remote wiping of the phone in case of the phone being lost or stolen. The one I got in on, when it was still in the Beta stages (and without all of the current Bells and Whistles) is WaveSecure, but ther eare others (and with McAfee taking over WS, I might be looking for a new alternative). It has the ability to track as well as remote wipe (and a few other key features as well).
0 Votes
+ -
Not Penn State
Number_6 19th Aug 2010
It's the University of Pennsylvania, not Penn State. The former is the Ivy League research university where ENIAC was developed, and today has engineering programs that emphasize interdisciplinary research and learning. The latter is a public university with a noteworthy football team and a huge EE department. Both are excellent in their own ways, but don't confuse the two.

Join the conversation!

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]
ie8 fix
Click Here
ie8 fix

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources
ie8 fix
ie8 fix