Smartphone Security Vulnerable to Touch-Screen Smudges, Researchers Report

Aug 12th, 2010 | By technologynews | Category: Technology

Security researchers from the University of Pennsylvania
have highlighted a potential attack vector for accessing your mobile devicesthe smudges from your fingertips.

In a paper (PDF) presented this week at the USENIX Security Symposium in
Washington, D.C., the researchers revealed that oily residues on the surface of
touch screens used on devices such as smartphones can be used to infer
passwords. 

We believe smudge
attacks are a threat for three reasons, the researchers wrote. First, smudges
are surprisingly persistent in time. Second, it is surprisingly difficult to
incidentally obscure or delete smudges through wiping or pocketing the device.
Third and finally, collecting and analyzing oily residue smudges can be done
with readily available equipment such as a camera and a computer.

According to a study by comScore released last November,
touch-screen mobile phone
adoption
in the United States grew by 159 percent between August 2008 and 2009,
from 9.2 million to 23.8 million subscribers. This outpaced overall smartphone
adoption, which grew at an otherwise respectable rate of 63 percent, from 20.7
million to 33.8 million subscribers.

The researchers experimented with two types of Google
Android-based smartphones, the HTC G1 and the HTC Nexus1, under various
lighting and camera conditions.

In one experiment, the researchers found they were able to
recover the entire password pattern 68 percent of the time after the phone had
been in contact with a persons face, as would happen during a normal phone
call. When the experiment was conducted with the pattern entered with only
light touches, partial information was discernible 30 percent of the time.

Though the researchers said the techniques could be applied
to other smartphones and devices such as ATMs, they focused on Android phones
with 389,112 possible password patterns. While the team called this a reasonably
large space of patterns, in the event of smudge attacks the attackers can
select a highly likely set of patterns, increasing her chances of guessing the
correct one before the phone locks-out.

We believe smudge
attacks based on reflective properties of oily residues are but one possible
attack vector on touch screens, the researchers wrote, adding the practice of
entering sensitive information via touch screens needs careful analysis in
light of our results.

 

Full Text RSS Feeds | WordPress Auto Translator

Tags: , , , , , , , , , , , , , , , , , , ,

Comments are closed.