
Researchers use smudge attack, identify Android passcodes 68 percent of the time

Penn State researchers managed to identify the pass code patterns on two Android smartphones (the HTC G1 and the HTC Nexus One) 68% of the time, using photographs taken under different lighting conditions and camera positions.
Written by Dancho Danchev, Contributor

In a movie-plot-like scenario, where a biometric system is bypassed using restored fingerprint samples, Penn State researchers managed to identify the pass code patterns on two Android smartphones (the HTC G1 and the HTC Nexus One) 68% of the time, using photographs taken under different lighting conditions and camera positions.

From their paper, "Smudge Attacks on Smartphone Touch Screens":

To explore the feasibility of smudge attacks against the Android password pattern, our analysis begins by evaluating the conditions by which smudges can be photographically extracted from smartphone touch screen surfaces. We consider a variety of lighting angles and light sources as well as various camera angles with respect to the orientation of the phone.

Our results are extremely encouraging: in one experiment, the pattern was partially identifiable in 92% and fully in 68% of the tested lighting and camera setups. Even in our worst performing experiment, under less than ideal pattern entry conditions, the pattern can be partially extracted in 37% of the setups and fully in 14% of them.

The experiments covered two different scenarios: the passive attacker, who operates from a distance, and the active attacker, who has breached the physical security of the device, that is, has physical access to it. Even in the worst possible experiment conditions, they were still able to extract the pattern partially in 37% of the setups, and fully in 14% of them, using residual oils on the touch screens.

The research recommends that "Android's password pattern should be strengthened". From another perspective, entrusting the confidentiality of your data to a highly marketable, user-friendly touch screen password pattern is a bad decision in the first place if the user is not also considering third-party data encryption applications in case the device gets stolen or lost.
