Researchers use smudge attack, identify Android passcodes 68 percent of the time

Researchers use smudge attack, identify Android passcodes 68 percent of the time

Summary: Penn State researchers managed to identify the pass code patterns on two Android smartphones (the HTC G1 and the HTC Nexus One), 68% of the time, using photographs taken under different lighting conditions, and camera positions.

SHARE:

In a movie-plot like scenario, where a biometric system is bypassed using restored fingerprint samples, Penn State researchers managed to identify the pass code patterns on two Android smartphones (the HTC G1 and the HTC Nexus One), 68% of the time, using photographs taken under different lighting conditions, and camera positions.

From their paper, "Smudge Attacks on Smartphone Touch Screens":

To explore the feasibility of smudge attacks against the Android password pattern, our analysis begins by evaluating the conditions by which smudges can be photographically extracted from smartphone touch screen surfaces. We consider a variety of lighting angles and light sources as well as various camera angles with respect to the orientation of the phone.

Our results are extremely encouraging: in one experiment, the pattern was partially identi?able in 92% and fully in 68% of the tested lighting and camera setups. Even in our worst performing experiment, under less than ideal pattern entry conditions, the pattern can be partially extracted in 37%of the setups and fully in 14% of them.

The experimenting took place using two different scenarios - the passive attacker, who operates from a distance, and the active attacker who has breached the physical security of the device, namely, has physical access to it. Even in the worst possible experiment conditions, the were still able to partially extract 37% of the setups, and fully in 14% of the cases, using residual oils on the touch screens.

Related post:

The research recommends that "Android's password pattern, should be strengthened". From another perspective, entrusting the confidentiality of your data to a highly marketable, user-friendly touch screen password pattern, is a bad decision in the first place, if the user is not considering the use of third-party data encrypting applications in case the device gets stolen/lost.

Topics: Smartphones, Hardware, Mobility, Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

15 comments
Log in or register to join the discussion
  • Who thought that was secure?

    I've successfully used "smudge attacks" to identify the codes of 4 of my friends Android devices. So? Anyone who has used the devices for any length of time should know that. Use your phone on a summer day in Houston, then have to unlock it a few minutes later. You could tell the pattern a mile away.

    Smartphones should always be setup with remote wipe of some sort.
    LiquidLearner
  • Waiting for the Apple fanbois...

    ... to say that their oleofobic displays are superior
    Roque Mocan
    • And your point is?

      @Roque Mocan This is talking about the security of the swipe patterns Android devices use... why do you trolls want to bring up things not even related?
      athynz
    • RE: Researchers use smudge attack, identify Android passcodes 68 percent of the time

      @Roque Mocan Great informative post thanks for sharing.....
      <a href="http://www.pureresearchpapers.com/">Research Paper</a>
      <a href="http://www.puretermpapers.com/">Term Paper</a>
      <a href="http://www.pureessays.com/">Essay</a>
      bynes69
    • RE: Researchers use smudge attack, identify Android passcodes 68 percent of the time

      @Roque Mocan I just want to emphasize the good work on this , has excellent views and a clear vision of what you are looking for
      <a href="http://www.purethesis.com/">Thesis</a>
      <a href="http://www.puredissertation.com/">Dissertation</a>
      bynes69
  • RE: Researchers use smudge attack, identify Android passcodes 68 percent of the time

    This is new?
    My son suprised me by doing that with my iPhone pin code years ago.
    Yes it can also be done on my Nexus One too.
    and any tablet computer and Pad and ....

    on a side note, if you do a lot of stuff on your phone, good luck picking up my pass code / pass swipe. - unless you get it just after I "unlock" it.

    fyi: both of my smartphones have wipe after "x" number of failed attempts. remote wipe; no.
    rhonin
    • Remote wipe

      @zenwalker and the "find my iPhone" feature are the only reasons I subscribe to MobileMe... and it has already paid for itself as my daughter had misplaced her iPhone and we were able to find it using that feature.
      athynz
  • RE: Researchers use smudge attack, identify Android passcodes 68 percent of the time

    Ok, so what is a good third party data encryption application for an android? Finish the story!
    ronald.warden@...
  • Our teenagers have known this for a decade.

    My son, now nearly 21, has been dating constantly since high school. He has had a standard cell phone (not even a fancy touch screen smartphone either) the entire time. Every girl friend he has dated has gleaned his unlock code from watching him. They then read his text messages while he sleeps, showers or otherwise leaves the phone unattended. When I asked him if he resented the invasion of privacy his answer was, "My what?" The ensuing discussion illustrated to me that the new generation just doesn't give a flip. Perhaps that will change when he starts to make enough money that it can't all be carried in his wallet. It certainly didn't change the several times he got busted for double-dating and I don't mean with another couple. So go ahead and access my phone. All you'll be able to do is make crank calls because I don't have anything on my phone that I wouldn't mind other's seeing. It's all public information and if you keep personal stuff on your phone perhaps you should reconsider. YMMV.
    Mark Bryant
    • RE: Researchers use smudge attack, identify Android passcodes 68 percent of the time

      @Mabrick
      Sounds like your son has some issues either he is known to cheat or his esteem issues have him picking damaged insecure women who are easy pickings..Also not so bright if he lets his pass be seen so easy
      Fletchguy
  • dumb story

    This is a physical attack and a really simple one at that... I don't know why reading smudges is garnering so much attention when it's been a reality for such a long time. I also don't know why any individual researcher is getting any credit for this attack, it seems like the sort of thing I thought of as soon as I got my Eris (which it was)....

    Stop covering this story, it isn't news.
    snoop0x7b
  • RE: Researchers use smudge attack, identify Android passcodes 68 percent of the time

    How do you know what smudges to use since on a touchscreen phone the entire screen is usually smudged and touch few thousand times a day making finding 4 smudges almost impossible. I guess if you use a qwearty key pad for text, email, and web surfing and just the touch screen for your code then maybe but I dont see the average users touch smudges being usable after ferw thousand touches
    Fletchguy
  • Improve the sign-in...

    Improve the sign-in by having, in the background, a semitransparent arrow indicating orientation of the grid and the angle of arrow (and grid) then varies each sign-in to new randomly picked orientation.
    Yes I realize that the sharp-eyed the passive attacker would still be able to at least partially extract the pass code patterns but the the active attacker should have much more difficulty.
    Agnostic_OS
  • RE: Researchers use smudge attack, identify Android passcodes 68 percent of the time

    You can use other things than the passcode, and you can easily wipe the screen off (carrying around a small microfiber cloth for just such wiping may be overkill, but some people do it....)

    I have a Motorola DROID, and I have enabled the *pattern* code since day one - it is relatively simplistic, but the main reason I use it is that, unless you know what to look for, it is a bit harder to discern because the smudges left are not, in fact, pressure points, but *swipes* - the same style of smudging left when I, oh, say, surf the web, read and reply to my email, read and post tweets, read and post facebook statuses, play a video game, look at the pictures in my gallery, call a friend, text a friend, check my voicemail....oh, wait, pretty much everything I do on the phone, b/c 1) I don't use the physical KB, and 2) I *do* use Swype.

    I wonder if the same researchers have attempted to 'decode' the pattern locking mechanism?

    Also, disabling haptic feedback on your phone may help prevent detection, although this is purely a guess on my part.

    Finally, there are a few products that allow for remote wiping of the phone in case of the phone being lost or stolen. The one I got in on, when it was still in the Beta stages (and without all of the current Bells and Whistles) is WaveSecure, but ther eare others (and with McAfee taking over WS, I might be looking for a new alternative). It has the ability to track as well as remote wipe (and a few other key features as well).
    johnlgalt@...
  • Not Penn State

    It's the University of Pennsylvania, not Penn State. The former is the Ivy League research university where ENIAC was developed, and today has engineering programs that emphasize interdisciplinary research and learning. The latter is a public university with a noteworthy football team and a huge EE department. Both are excellent in their own ways, but don't confuse the two.
    Number_6