Research Claims Hackers Could Figure Out Your Smartphone Password Via Screen Smudges

from the oh-come-on dept

There’s all sorts of interesting security research being done out there, but sometimes you just sort of shake your head. A new report has come out that folks with fancy new smartphones that have large touchscreens may face a threat because the smudges left on the screen could indicate passwords. It certainly makes for a good headline… but… seriously? Has this ever happened? Doubtful. How likely is it to happen? It seems exceptionally unlikely. I recognize the importance of exploring different potential security vulnerabilities, but this one seems a bit far-fetched.

Filed Under: , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Research Claims Hackers Could Figure Out Your Smartphone Password Via Screen Smudges”

Subscribe: RSS Leave a comment
53 Comments
MrWilson says:

This would only work if you only ever entered your password on the phone. If you used apps that require you to touch other places on the touchscreen, then you’d have smudges all over the place. If you used those apps as often as you type in the password, then you’d have smudge patterns from the repetitive use of those apps as well.

cc (profile) says:

Re: Re:

Indeed, even if you can guess which digits were pressed, you’ll have to brute-force the sequence. If the phone locks itself completely after a number of failed attempts, this is a pretty pointless exploit.

If you think about it, this is not a new “problem”. You could theoretically dust the keys on an ATM for fingerprints to find out which digits the last customer pressed. Since you only get 3 attempts with most credit cards, you need a good deal of luck to guess the PIN number in the correct order.

chris (profile) says:

Re: Re:

In some cases it does reduce the number of digits you need to think about it for a brute force, which reduces the time it takes to get in dramatically.

that’s the reason that number pads in general are terrible interfaces for password security: they are a small number of keys and they are usually not as sturdily made as computer keyboards.

it’s pretty easy to guess the unlock code on a copier because those 4 keys see way more abuse than the others, so just look for the 3-4 keys that have been pressed more than the others and you have taken it from 5000+ key combinations to around 24.

R. Miles (profile) says:

Hollywood's School of Password Breaking

This is right up there with “all passwords are of someone’s name and birthday combination, or the hint is in the photo next to the monitor”.

No way is this “research” accurate, but it’s going to cause a panic nonetheless. Next, someone in Congress will grandstand and push a bill to demand automatic sprinklers be installed on all touchscreens so prints are removed.

This technology will be patented, so anything with a touch screen will skyrocket unnecessarily in price.

This will be the norm until holographic displays enter the market, and the process starts all over again.

*pulls out an easier solution called a tissue

Michael Witt (profile) says:

Re: Debit PINs

A while ago I used ING Direct as my bank. They made you use a PIN instead of a password to log in, but to keep from having people be able to keylog the password, they assigned each number a letter at random, then you had to type in the letters. A bit of a hassle, but I would bet that the number of keylogger-related stolen passwords dropped to zero.

Freak says:

Underestimating the research . . .

Really, all of you, think about it. These are problems that you could think up in a second, why not the researchers?

They used pattern recognition on the smudges to determine which ones were used as part of a sequence, and further were able to discern which ones were used most, which were oldest, and which were re smudged . . . in the same order.
They were able to determine the directionality of all touches on the pad, which means that if they can tell the approximate age of the smudges, they are able to tell the order.

They experimented on phones with ‘light’ and ‘normal’ use, as well as ones that had been pressed to a face, (as after a phonecall). They also experimented with wiping the phone off, in which case they lost some, not all, of the directionality.

In the cases of heavy use, also stimulated, they found they were still able to reconstruct, with uncertainty, some parts of the pattern. By using multiple photographs from different angles, however, they found they were able to reconstruct the whole pattern, or to such an extent that the guessing threshold was below 20.

I just had to check out the paper itself, because it looked a lot to me like a paper I recently read about reconstructing images . . . from teapots. Not shiny metal teapots, either. Ceramics. The white ones that have a bit of a shine, and nothing else. They also studied other partially reflective objects, like eyeballs, polished wooden surfaces, spoons, (metal & plastic), and a lot of others. The image reconstruction was able to read 12 pt font of a computer screen from 15 metres with a normal digital camera & zoom lens. With the computer screen facing away from the camera, and reflected in the object they were studying.

KnownHuman (profile) says:

I wouldn’t exactly call my fellow employees “hackers,” but several of them quickly identified the swipe lock on my Android phone as a pretty easy physical hack. Two went as far as to unlock my phone.

But, that’s all besides the point – anytime someone has physical access to a device, a security breach is not a matter of if, but rather when.

Freak says:

Re: Re: Re:

If you have physical access to the device, it’s very easy to break any encryption, except OTP carried by the owner in a different device/form, as long as you have access to the machine that encrypted the data, (or has the software necessary to decrypt it).

Ever heard of side-channel attacks?

Nevermind that you could ice the memory, (Literally, cool down the physical memory with icecubes or something less likely cause a short), and restart the device with your own OS, and read the encryption algorithms and keys that should still be stored in the memory.

(Thus why militaries & gov’ts often have encryption devices and data storage devices in completely different locations.)

Kerry Kaye (profile) says:

actually....

We were talking about this at work last week. My boss has an android phone and his 7 year old daughter was able to “break into” his phone. When he asked her how she did it, her reply was “your greasy fingers left marks on the screen and I just followed them.” I don’t like having smudges on my screen so I always give it a wipe after I use to so that it doesn’t have any smudges. Another solution to this “problem”, as my coworker thought up, is to have a code that doubles over itself. So yes it can happen, but as for the likelihood? Pretty darn low. Looks like they wanted more grant money…

Chris Hoeschen (profile) says:

Unless you ONLY use your smartphone’s touch screen to enter in your password this is not possible. I have a smartphone with a touch screen and run the same app several times a day. If the location of that app lines up on the screen with a digit for my password it would make it look like that digit is frequently used. Not to mention multiple pages of frequently used apps, taps on the screen once that app is running, or on screen keyboards for typing in URLs or other non-password items. After a while you screen will look like nothing more then one large smudge.

The govt uses touch screens for security entry points where you have to enter in the password to gain entry. To combat this form of breach they have the digits change location on the screen so even if you know where the last person touched on the screen the digits don’t align with those locations anymore so it is useless information. This could easily be incorporated into smart phones for those people who are concerned.

Anonymous Coward says:

honestly… I thought of this as soon as I finished entering my first password, made sure it worked then clicked my phone off. then could clearly see where my disgusting human flesh touched my beautiful capacitive touch screen. It would not take much trial an error to determine it… but seriously just clean your damn phone. I already lost my password to other people easily because I need to get into my phone and people won’t look away!

Jeremy7600 (profile) says:

Touchscreen.. but physical keyboard

My ADP1 (T-mobile G1) has a physical keyboard. I tend to stick to devices that have one, and this may be an even better reason to do so. I never use the touchscreen keyboard except for one handed SMS entry.

As for the 3×3 grid for unlocking the phone, I always used a pattern that crossed over itself. I doubt anyone would be able to get it on the first try, even following the smudges. I don’t use anything to lock the phone anymore, as it was too much of a hassle to re-swipe the code every minute after the screen went off when I was using it to send txts frequently.

My next phone shall have a physical keyboard, but I don’t really think its necessary for the reasons presented here. After all, I only enter passwords once on the phone in any web apps or sites and the phone remembers them. So for me, its pretty much a non-issue. And I don’t visit my bank website from my phone.

Anonymous Coward says:

Re: Touchscreen.. but physical keyboard

I also have a G1 and, in my experience, fingerprints show up particularly well on its keyboard.

I suppose it isn’t quite as bad as using the touchscreen, but you can still clearly see which letters are used more commonly than others if you don’t wipe it off periodically.

Jeremy7600 (profile) says:

Re: Re: Touchscreen.. but physical keyboard

I haven’t had a G1 next to my ADP1 in a long time, and maybe the keyboards are painted/colored differently, but after taking a quick look at my keyboard after I was just texting with it on and off for the past hour and a half, I don’t notice smudges on the keys themselves, but I do see fingerprints in the body of the keyboard around the keys.

The ADP1 isn’t true black, its a deep dark gunmetal color. Not sure if that is whats making me not see them.

Also, I’ve had this phone almost a year now, and from my perspective it doesn’t look like any of the keys have been used more than others (Notwithstanding what I said above about only entering passwords once on this phone)

Anonymous Coward says:

I dont think they were examining just grease that can be cleaned off, but the wear patterns it leaves in the surface. This is probably no harder than recording the sound of keystrokes on a keyboard and recreating the pattern.

The above poster than mentioned a shifting on screen keyboard for passwords has the correct solution if you are worried about this happening to your phone.

TtfnJohn (profile) says:

Re: Disappointed

It’s a valid write up for this site. After all it’s called Tech and dirt!

While The Hill didn’t go over the top about this paper I can guarantee that sites like ZDNet and CNET will go completely spare about it with their “security” bloggers writing up long and involved alerts without even looking at the actual reports. (They’ve done that enough that I don’t believe a word from them any more.)

After reading the paper I’d suggest that the probability of a real world attack by fingertip grease through photography alone is low.

First off they used new sets which were used once, smudged then reused in ideal lighting conditions using unknown high end cameras and lenses. (Weak point guys!).

While the results are what I’d expect, actually, in real life the handset would also be scratched, have wear marks and other things which could cause false positives due to finger “grease” being caught and retained in imperfections on the screen after some use.

To do this remotely would require more than one photo, I’m sure, and probably the use of a telephoto lens or the “close up” button on less expensive cameras which immediately causes distortion on the resulting photo. Further pixilation would occur bringing that photo “close” enough by quick enlargement. You might get a readable pattern but, given the information provided I doubt it. Remember, now, that lighting and other conditions are far from ideal in the real world leading to the need for retakes and so on. (Taking the photo through a window, partially hidden behind a plant or some such thing, exposure length, aperture settings and a whole lot of other things.

It might serve as a good baseline but I can’t see it now given what the report does and does not tell me. (Most importantly the brand and model of camera, the brand and model of lens, settings, resulting bit density of the resulting photo, time of day and exact information on the lighting used.)

As others have noted the paper hasn’t been subject to peer review, as yet, which opens it’s conclusions to further question. Though I can see people grabbing their cheap snapshot cameras and mid to high end SLRs to try to replicate at least some of this.

As others have noted cleaning the screen with wet eyeglass wipes would effectively stop this as well as one’s child “breaking” in by following the interesting finger line on the phone. ๐Ÿ™‚

There’s another drawback to this and that’s that unless you’re being targeted by someone actually looking for information on the set the vast, vast majority of wireless devices are stolen for quick sale to someone else, used for a very short period of time and then disposed of. (Classic pattern is drug addict steals phone –>sells it to dealer for a fix—>dealer uses phone until it’s reported missing and is cut off—> dealer tosses the set into the nearest dumpster.)

The only reason I can see for cracking a cell phone is that you are in possession, or so the potential thief thinks, of some extremely valuable information they can use very quickly, say the alarm code for your house, some valuable commercial or government information and so on.

Thing is, of course, is that don’t leave your life information on the not-so-smart phone! AKA don’t be stupid.

As for what I’d do with Android is I’d override the requirement to use the pattern password and use a key or other password entry.

BTW, it’s interesting that we’re still told to hide our PINs as we use ATMs or debit/credit cards because of a fantastic weakness there. All machines give audio feedback every time a key is pressed. Guess what? Within a few Hz they’re exactly the same on every machine. Should I try to muzzle them?!!!

William N (profile) says:

It only needs to happen once to compromise a lot of information. And just speaking anecdotally from my Android phone, it would totally work.

Anyway, it’s not something a lot of people would have thought of, and something that could be easily fixed if they used a shifting system instead of a fixed pattern to unlock.

Also, I’m hoping to see this used by some clever spy in an upcoming Hollywood movie ๐Ÿ™‚

Emmanuel Carabott (profile) says:

I think there might have been a misunderstanding in my opinion, Cause what the paper suggests is not far fetched at all, on the contrarary to me is obvious. The Android Authentication system is as people said before a 3×3 square of dots and you can create a pattern and use it as a password. In most cases you can bet for convenience it will be a flowing pattern and if you just log in to check a message or something trivial you can bet the pattern will be clearly visible on the screen. Guess that pattern will in most cases require two guesses, either starting from left or from the right. Its the first thing I notice on the first day I used the phone. In fact I dont think of it as a security feature at ll but rather as a mechanism to help avoid the phone unlocking and initiating a phone call while its in my pocket more then to secure my information.

fullcircle62 says:

DROID LOCK

Not a chance. If you are smart enough to use the same dot twice, the finger swipes will override the previous swipe. You can use a two dot combination up to 9 times. Taking that an using more than just the two dots, your finger prints will take logic out of the scenario. I have two locks on my ipod touch. First is the 3×3 lock, and also the stock ipod touch lock. So even if you get past the first one, you still have to deal with the other key in which only takes a few wrong answers to wipe it clean. If someone steals it, then they are not getting any of my information. I am safe enough with that. The thing that is getting me is the number of combinations. I cant find the answer anywhere. Can someone please email me the answer if you find it ?

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop ยป

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...