×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Touchscreens Open To Smudge Attacks

CmdrTaco posted more than 3 years ago | from the windex-security dept.

Google 185

nk497 writes "The smudges left behind on touchscreen devices could be used to decipher passwords to gain access, according to researchers at the University of Pennsylvania. The report tested the idea out (PDF) on Android phones, which use a graphical pattern that the user traces to unlock the handset. The researchers took photos of the smudge trails left on the screen and bumped up the contrast, finding they could unlock the phone 92% of the time. While they noted Android 2.2 also offers an alphanumeric password option, the researchers claimed such a smudge attack could be used against other touchscreen interfaces, including bank machines and voting machines. 'In future work, we intend to investigate other devices that may be susceptible, and varied smudge attack styles, such as heat trails caused by the heat transfer of a finger touching a screen,' they said."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

185 comments

Rather simple fix (5, Insightful)

Halifax Samuels (1124719) | more than 3 years ago | (#33214280)

It would be easy enough to implement an alphanumeric password on a keyboard that's always a different shape / place on the screen. Or just instruct users to wipe their hand across the screen a few times on public touchscreens - maybe include a small microfiber cloth attached to the kiosk / ATM / whatever so clean it with.

Re:Rather simple fix (1)

underqualified (1318035) | more than 3 years ago | (#33214388)

or they could play games on it. keeping your phone safe while having fun.

Re:Rather simple fix (4, Interesting)

TrisexualPuppy (976893) | more than 3 years ago | (#33214678)

This isn't exactly a new idea. Even I had a similar idea that I realized years ago.

Back when I was at MIT, we had utility vehicles on campus and several keypadded gates. The men in trucks drove up to the gates and entered codes. Since I didn't want to build any hardware, I colored the keypad over with a permanent marker in similar color to the keys. I counted the audible beeps emitted by the controller. After a day or so, I went up and saw that only three keys had been depressed for the five beeps. After four tries, I had the code and could pointlessly open the gate for no reason at all at will!

Re:Rather simple fix (1)

FuckingNickName (1362625) | more than 3 years ago | (#33214782)

I went up and saw that only three keys had been depressed for the five beeps. After four tries

If only number of presses is relevant but order is irrelevant, that's as close to expected as you can get... but if order is relevant, that's very lucky.

Re:Rather simple fix (5, Funny)

Anonymous Coward | more than 3 years ago | (#33214848)

You'll find it's actually quite common to get incredibly lucky in stories that you made up. In fact, just the other day when I was getting a blowjob from Jessica Alba, a million dollars fell into my lap.

Re:Rather simple fix (3, Funny)

Anonymous Coward | more than 3 years ago | (#33214930)

that must be made up. what probably really happened was the million dollars fell on her head and she didn't get to finish her job.

Re:Rather simple fix (-1)

Anonymous Coward | more than 3 years ago | (#33215332)

Her version- "Yesterday I was really lucky- I was flossing, I forget what with, but sometimes it's hard to find something small enough, anyway, I was flossing and this small pile of cash fell and just missed my head! It wasn't that much, but the guy who had the floss or whatever really wanted it so I left it there."

Re:Rather simple fix (2, Informative)

riperrin (1310447) | more than 3 years ago | (#33215758)

Actually I have a similar story. My brother left his car at the back of my house while he spent a year travelling. When he came back he couldn’t remember the code to deactivate the immobiliser. 10000 possible combinations and every third time you got it wrong you’d get the alarm going off and you’d have to disconnect the battery. Clearly a brute force attack would piss off the neighbours. So we sat an had a little think about it with a cup of tea (we are British), at which point we noticed that four of the buttons were a lot cleaner than the others. Suddenly we only had 24 combinations to try and managed to set the alarm off only twice.

Top tip: If you’ve got a number pad immobiliser, give it a bit of a clean.

In similar news, I find watching someone draw a pattern a lot easier to replicate than seeing them type numbers. With the “trail” option on you can see the pattern from half the pub away.

Re:Rather simple fix (0)

Anonymous Coward | more than 3 years ago | (#33214488)

The idea of moving fingers over the screen could work wonders.
Notify users of correct entry, then tell them to move their fingers at random over the screens buttons to obfuscate past presses.
Estimating the age of finger presses would drop the guesses down to less than 1% because of varied temperatures, convection at differing rates due to smudges and wind, a little conduction as well.
Using the whole hand isn't a good idea since the surface of the palm or back is different to that of a fingers surface both in shape, heat, and average chemicals on them. Plus, hand-heat would uniformly heat the panel for the most part.

A simpler solution would be to heat the screen internally with different rates per button area, at random. Or at least shine some light towards it with a lens varying the heat over the screen.
But these are probably too expensive in the long run, a simple jet of cold air could protect against a heat attack.
Smudge-wipers could clean off smudge every transaction.

Photo-taking at ATMs will be noticeable, so that's out of the picture. Well, they could mod the camera to take a flash at a frequency outside human sight, which could probably be more useful actually. (in either IR or UV)

Of course, none of this will happen since nobody will care enough, despite the fact that it is the banks who suffer these attacks in the end.

Re:Rather simple fix (0)

Anonymous Coward | more than 3 years ago | (#33215826)

What I'd prefer is if they left it to us to figure out how to obfuscate our data entry. Back in the early days of ATM machines, I was shocked nobody seemed to cover over their number while entering it - thieves would watch over the shoudler and eventually became more sophisticated, attaching a facia that would scan the card with a camera that would record the PIN, I never felt vulnerable during that period. Now every machine tells you to cover your number and make sure the machine doesn't look tampered with and that nobody is standing over your shoulder, suddenly the average user is no longer the low hanging fruit that stops the thieves targetting me. Now it's only a matter of time until the thieves come up with a better attack vector and at that point I'll be just as exposed as some guy who needs a big red sticker on a cash machine to tell him what to do, that hardly seems fair at all (since he'll probably withdraw his cash and go waste it on some other scam anyway).

Re:Rather simple fix (1)

Lumpy (12016) | more than 3 years ago | (#33214660)

Easier yet. install a matte anti glare screen protector and suddenly this goes away. It's been a "problem" for decades. if you wanted to you could dust a keypad for fingerprints and see the buttons that are the most used.

solution? wipe the screen regularly or dont use your ipad while eating barbecue ribs.

Re:Rather simple fix (2, Funny)

dmomo (256005) | more than 3 years ago | (#33215620)

> solution? wipe the screen regularly or dont use your ipad while eating barbecue ribs.

So, never use an ipad?

Re:Rather simple fix (1)

delinear (991444) | more than 3 years ago | (#33215936)

Public machines could also have some mechanism to wipe the screen after use, some shutter mechanism with a microfibre cloth. As a bonus it could be disinfectant, too - I always worry what I might catch on these public terminals.

Re:Rather simple fix (1)

camperdave (969942) | more than 3 years ago | (#33214718)

Rather than a random keyboard, they should be using Passfaces [passfaces.com]. A grid of random face photos is shown, with one of the faces, a key face, belonging to a set that the user has chosen. Do this a couple of times with random key faces and you've authenticated the user. Since the position of the photo within the grid is random, tracking the smudges won't help.

Re:Rather simple fix (0)

Anonymous Coward | more than 3 years ago | (#33214764)

Can the same approach be used with body parts other than faces?

Re:Rather simple fix (1)

IBBoard (1128019) | more than 3 years ago | (#33214830)

maybe include a small microfiber cloth attached to the kiosk / ATM / whatever so clean it with

Yeah, because no-one is ever going to try to steal/rip from the chain/burn/destroy/cover with sticky stuff a cloth on a bit of string at an outside terminal! As it is they have to chain up pens inside the bank in case someone steals it.

Re:Rather simple fix (1)

CharlieHedlin (102121) | more than 3 years ago | (#33215710)

Your point is valid, but I think far more people would absent mindedly walk off with pens with no intent for theft! Since I can never keep up with my own pens, maybe I should chain one to my desk! I always walk off with them and set them down in odd places!

Re:Rather simple fix (1)

delinear (991444) | more than 3 years ago | (#33215960)

There are better ways to manage cleaning the screen, but even with this approach if you saw the cloth had been destroyed you might be a little more cautious when using the terminal (wipe it with a tissue or a sleeve or something just in case someone's gone to the trouble of removing the wiping mechanism for a reason).

Re:Rather simple fix (2, Insightful)

tokul (682258) | more than 3 years ago | (#33214978)

maybe include a small microfiber cloth attached to the kiosk

That cloth will soon become virus/bacteria farm instead of being security feature.

Re:Rather simple fix (1)

Lion XL (1849898) | more than 3 years ago | (#33215062)

Actually...that whole google password swipe idea is stupid, of course you figure it out from the smudge, I figured my sons out by watching him from across the room.

The problem with it is that the endpoints have to intersect a number ( 1 of 9) which is like, what a 1-bit hash key????
There are some simple ways to fix this:

a) press the numbers like a keypad and not swipe, still breakable but a little harder

b) remove the numbers and image the swipe, allow the swipe to be random so it doesn't rely on fixed endpoints, still breakable but a little harder

c) increase the endpoints by adding symbols and the alpha keys, much harder to break, much harder on the end user to remember
any of these would be better than some after the fact 'screen wiping'.

Re:Rather simple fix (1)

FingerDemon (638040) | more than 3 years ago | (#33215420)

Yes, I was also thinking you could use the length of time as an added decision point. When a particular choice is being made the user would have to wait a second or two before entering it. Anything before that wouldn't work. You have the user choose how the time sensitive entry would work beforehand and give very few clues on the screen when it is happening.

For example, I could set things up so that when I'm entering my password, the last two keys have to be separated from the others by a timespan of between two seconds and four. It wouldn't help if someone was watching you do it, but it would help obfuscate how smudges are read after the fact to guess a password. Nothing about the smudges should indicate when they were pressed. I guess if you were doing some heat signature analysis for the fading heat of the finger press, you might be able to glean that. But that seems like an awful lot of trouble to go through and you would need full access to the device shortly after its use to even do that.

Re:Rather simple fix (1)

geminidomino (614729) | more than 3 years ago | (#33215648)

The problem with it is that the endpoints have to intersect a number ( 1 of 9) which is like, what a 1-bit hash key????

It's even worse. Each point can only be used once, and there's no ability to "skip" a point (say to connect from point "3" to point "1" without hitting point "2"). While you can sometimes "split" a diagonal and go from "2" to "7", I doubt most users are going to bother since "accidentally" hitting "4" or "5" on the way down is more likely than not.

Random Keyboard Re:Rather simple fix (0)

Anonymous Coward | more than 3 years ago | (#33215130)

It would be easy enough to implement an alphanumeric password on a keyboard that's always [...] different ...

This is actually a standard solution to numeric key combo entry systems in high security zones. Use a standard keyboard shape, but just randomize the key position values (like swapping qwerty / dvorak but more random). Why this isn't done already is simply mind boggling. But then I don't have a cell phone <sigh>.

Re:Rather simple fix (1)

d3ac0n (715594) | more than 3 years ago | (#33215576)

Or, you know, you could just buy a phone WITH A KEYBOARD.

Seriously, typing on the screen sucks, screen smudges and attacks based on them notwithstanding.

Re:Rather simple fix (1)

delinear (991444) | more than 3 years ago | (#33216026)

Actually I can probably "Swype [swypeinc.com]" faster than I can type on a phone keyboard these days. I always thought the google password lock was more of a fun feature than serious security, anyway - kind of like those diaries kids get with the chunky plastic locks, they wouldn't stand up to a serious attack but they'd stop the casual intrusion. There are plenty of alternative security solutions for Android phones if it's a real consideration (including buying an Android phone with a physical keyboad if you're really worried about smudge readers).

Just randomize the keyboard every time (3, Insightful)

Gruturo (141223) | more than 3 years ago | (#33214292)

Just randomize the keyboard every time, bam, smudges are now useless. Or use Apple's oleophobic display coating (http://iphoneindia.gyanin.com/2009/06/11/iphone-3gs-gets-oleophobic-coating-whats-this-oleophobic-coating/) assuming it's good enough to thwart this attack.

Re:Just randomize the keyboard every time (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33214396)

And we have the winner! Only downside of randomization I can think of is that it might cause problems for the blind and visually impaired, but then I don't know if the blind can even use touchscreens in the first place, and someone who has a visual impairment serious enough that randomization would cause problems might not be inclined to use touchscreens in the first place.

Re:Just randomize the keyboard every time (1)

fabioalcor (1663783) | more than 3 years ago | (#33215066)

Easy to solve this. For the blind, in the first touch, the device (let's say, an ATM) can say what key is being pressed (by headphones, of course). A second touch confirms the keystroke. Another solution is: touch and slide the finger over the keys, hearing what key is under the touch and release to confirm.

Re:Just randomize the keyboard every time (1)

0100010001010011 (652467) | more than 3 years ago | (#33215412)

"You are interacting with a randomly assigned keypad. The numbers are in this order: 9 4 6 2 4 3 1 5 7. "

Re:Just randomize the keyboard every time (3, Interesting)

MikeCamel (6264) | more than 3 years ago | (#33214448)

A couple of issues with this.

1) the Android set-up doesn't actually use a keyboard: just dots, which you're supposed to join in the same order.
2) I believe that there are patents around the randomising idea.

I'm certainly aware of this issue on my Android phone. The fact that you're supposed to keep your finger on the screen as you join the dots means that there's often a pretty clear track, even if you have clean hands. And you can tell the order in which tracks were made if you have one which crosses over another.

I quite like the technology, but it's good to be reminded of the possible dangers. I'll keep wiping mine once I've logged in.

Re:Just randomize the keyboard every time (1)

Shakrai (717556) | more than 3 years ago | (#33214528)

the Android set-up doesn't actually use a keyboard: just dots, which you're supposed to join in the same order.

My Droid-X has a PIN option as well as the pattern phrase. We told all of our users to use the PIN -- this "exploit" was apparent to us as soon as we held one of our droids up to a light and noticed the finger oils all over the screen.

Re:Just randomize the keyboard every time (1)

Tukz (664339) | more than 3 years ago | (#33214802)

As the summery states, Android 2.2 offers a alphanumeric option.
It uses an actual (T9) keyboard.

I'd assume it wouldn't be too hard to make an app that randomizes that keyboard or implements one that is randomized.

Re:Just randomize the keyboard every time (1)

blincoln (592401) | more than 3 years ago | (#33215076)

I believe that there are patents around the randomising idea.

There are active patents on randomizing the order of digits on a numeric keypad-based lock? Point of No Return [imdb.com] had a shot with a randomized-order touch-screen lock in 1993, and I'd be a bit surprised if the idea was invented by the prop department for that film.

Re:Just randomize the keyboard every time (1)

drinkypoo (153816) | more than 3 years ago | (#33215210)

1) the Android set-up doesn't actually use a keyboard: just dots, which you're supposed to join in the same order.

Change them to symbols (pictures?) which must be connected in order, and randomize their positions, you're done. See sibling for prior art.

Re:Just randomize the keyboard every time (0)

Anonymous Coward | more than 3 years ago | (#33215602)

In that case one would lose the point of such system, since after that you should remember the order of symbols, exactly like in pin code you remember the order of numbers. In "connect the points" you can use your spatial memory to remember the shape you draw.

Re:Just randomize the keyboard every time (1)

drinkypoo (153816) | more than 3 years ago | (#33215778)

In "connect the points" you can use your spatial memory to remember the shape you draw.

Thus providing opportunity for numerous attacks. You really can't remember a logical sequence of symbols?

Re:Just randomize the keyboard every time (1)

Brandee07 (964634) | more than 3 years ago | (#33214572)

Just a bit of empirical data here: On an iPhone 4 with the oleophobic coating, I traced an android-style unlock pattern with my thumb, and an oil trail was visible on the screen that showed me exactly the pattern I traced.

This makes sense, since oleophobic coatings do not prevent your fingers from secreting oils, nor from depositing those oils on nice glass surfaces. They only make it easier to wipe the oil away. It looks like this study took into account that smudges may be obscured due to phones generally living in pants pockets. I duplicated that part of the experiment as well, and the smudges were still clearly visible after a trip into and out of my pocket, so it's obviously not that much better at repelling oil.

Randomizing the points does sound like it would be a better lock system. You'd memorize a PIN, and have to trace from one number to the next, but the numbers would be in difference places each time. That would make it difficult to guess from either smudges or by glancing at someone entering the password (on the iPhone's lock screen, you can make a good guess at the PIN even if the person is holding the phone so you can't see the screen, just by watching their thumb.)

Re:Just randomize the keyboard every time (1)

BobMcD (601576) | more than 3 years ago | (#33214888)

Or require a keyfob authenticator, like a certain wildly popular MMO and/or your more responsible employers do. This randomizes the necessary input, rather than the layout of the screen. You could also have it ask you a series of questions. Or randomize photos and ask you to pick the one tied to the word you input when you set it all up. The list is really endless, all while leaving the keyboard in place.

Re:Just randomize the keyboard every time (1)

Kepesk (1093871) | more than 3 years ago | (#33214950)

And until that happens, remember to use a password that has duplicate characters so that nobody can tell how often the letters you punched are used in your password.

Also, wipe your screen off after you enter it.

Well, maybe ... (2, Insightful)

krzysz00 (1842280) | more than 3 years ago | (#33214384)

... people could either wipe down touchscreens after use, WASH THEIR HANDS, or the public ones could have a cloth or something to remove smudges.

Re:Well, maybe ... (0)

Anonymous Coward | more than 3 years ago | (#33214472)

Or get a phone with buttons and not worry about it.

Re:Well, maybe ... (1)

Issarlk (1429361) | more than 3 years ago | (#33214604)

Washing hands is not enough. The skin replaces the missing oil all the time.

Re:Well, maybe ... (0)

Anonymous Coward | more than 3 years ago | (#33215002)

The skin replaces the missing oil all the time

Where can I get that kindof skin? I run out of oil ALL the time...

Re:Well, maybe ... (1)

Skuld-Chan (302449) | more than 3 years ago | (#33215588)

I've found btw - that the drier your hands are - the less they leave a smudge on the screen (thats my experience with the Droid-X) - immediately after washing your hands you're probably more likely to smudge the screen.

The good news is the smudges wipe clean with a shirt tale or similar cloth.

Done that (1, Informative)

Anonymous Coward | more than 3 years ago | (#33214394)

My daughter's phone is locked with the pattern thing and I was amused that I could easily read it from the smudges.

I have the same phone model but I don't bother to lock it. There's nothing on it anyway.

Re:Done that (1)

Shakrai (717556) | more than 3 years ago | (#33214546)

Lock it anyway unless you want some asshat to steal your phone and run up your bill before you notice it.

Re:Done that (1)

Abstrackt (609015) | more than 3 years ago | (#33214934)

Most people I've seen with touchscreen phones have them literally attached to their hip at all times, they'd probably notice pretty quickly if it went missing. Besides, if someone is going through the trouble of stealing your phone in the first place I doubt having to read smudges to unlock it will be much of a hindrance.

Re:Done that (1)

Shakrai (717556) | more than 3 years ago | (#33215256)

My thought process with the PIN is that it will buy enough time for me to call Verizon and have the phone shut off and blacklisted. Having the phone stolen is bad enough -- I don't want to have to deal with a huge bill because they decided to run it up before I was able to report it stolen.

Duh (1)

MazTaim (1376) | more than 3 years ago | (#33214444)

I actually thought this was common knowledge for many years now. One of the biggest flawed security screens is the connect-the-dots unlock screen for Android. To really highlight that, just clean up the screen and attempt to unlock. Look at screen from the side. You should see smudges AND streaks. Those streaks can help you easily make out the direction to move in.

Re:Duh (2, Insightful)

arcsimm (1084173) | more than 3 years ago | (#33214818)

I was suprised this is news as well. Dusting keypad locks to see which keys are used most often isn't unheard of, and this just seems like a variation on that.

Hate to say it... (1)

rotide (1015173) | more than 3 years ago | (#33214462)

No shit? If you draw something with an object that leaves residue you can see what you had drawn. With my new xt720 I noticed this day one. Either cleaning the screen or simply "smudging the smudges" by just "scribbling" out the grease smear works great. Although, over time I can see the protector being physically altered in the same pattern as my swipe code. I guess then you just replace the protector.

But seriously, this is as obvious as saying that walking in sand or snow allows people to follow you. How insightful.

Re:Hate to say it... (1)

natehoy (1608657) | more than 3 years ago | (#33215610)

I guess then you just replace the protector

Or change the swipe code frequently so the traces that are left are misleading.

But, yeah, a PIN or passcode is a far better security code, making sure it is nice and long and you have at least one or two repeats so the person who took your phone can't even figure out how long the passcode is.

And, of course, if your phone has some sort of limit on the number of tries, that's critical. My Blackberry will wipe itself clean and lose the encryption key for any secure data on my SD chip after ten consecutive unsuccessful password attempts. Someone gets to keep the handset, but that's not a big concern for my company as long as all the data has been thoroughly nuked - plus the handset gets reported as lost/stolen so if someone wants to try and reactivate the phone it might not go terribly well for them.

Borderline OCD (1)

aoshi73 (1545405) | more than 3 years ago | (#33214468)

You won't believe how many times I clean my iPhone screen on a single day. I carry around a blue cleaning pad with me at all times. I guess you could say that borderline OCD would be the solution. =)

Re:Borderline OCD (1)

Shakrai (717556) | more than 3 years ago | (#33214586)

Buy a screen protector. This [sgpstore.com] is the one that I got for my Droid-X. It still collects finger oils but it's much less obnoxious and easier to read. I only have to clean mine every few days now and can get away with wiping it down with a t-shirt or some such.

Re:Borderline OCD (0)

Anonymous Coward | more than 3 years ago | (#33214906)

You won't believe how many times I clean my iPhone screen on a single day. I carry around a blue cleaning pad with me at all times.

I guess that's why they just named Android in the summary, and not the iPhone. FUD?

you could say that borderline OCD

Re:Borderline OCD (1)

natehoy (1608657) | more than 3 years ago | (#33215828)

Does the iPhone have a "swipe pattern to unlock" option? If not, then excluding Apple from this isn't FUD.

Any phone that includes a "draw a picture to unlock" option is very susceptible to being unlocked by someone other than the owner, and the Android is one of the models that has this feature.

Any phone that does not is not susceptible to this vulnerability.

If you have a phone that has a "draw picture to unlock" feature, stop using it now. If you don't, this doesn't apply.

Non touch-screens, too (4, Informative)

Rob the Bold (788862) | more than 3 years ago | (#33214484)

This isn't really that different from the case of push-button locks that are subject to "wear attacks", is it? You know, just check to see which of the 5 or so buttons are most worn/polished/dirty. If it's 3 of them, you've only got to try 6 permutations -- maximum -- to open it. Worked fine in my wife's hospital room for the locked supply drawer. Two tries. All the bandaids and gauze I wanted.

I'd say this case is much harder to fix than the touchscreen, given the "randomize" suggestion above. Sure it's a little bit of a pain, but not that bad if security is actually important.

Re:Non touch-screens, too (1, Interesting)

Anonymous Coward | more than 3 years ago | (#33214748)

I once read about a similar tactic involving an almost invisible film of oil on the keypad. If the film is thin enough people won't feel it (or see it unless they look closely) but if you know it's there you can see fingerprints.

Re:Non touch-screens, too (2, Interesting)

swb (14022) | more than 3 years ago | (#33215760)

Yes, I've made use of this myself and have also seen it done similarly in films where the keypad is sprayed with a UV luminescent spray; when illuminated you can easily see which keys are pressed and which aren't.

The obvious "solution" is to require all buttons be pressed (ie, 6 button keypad means 6 digit combinations). One of my gun safes uses an Ilco mechanical lock and you have to push all the buttons; it does allow you to cut the "length" of the combination by using two-button presses as a single combination "digit" but you still have to press all the buttons. The added bonus to combinations is they increase the number of button presses possible when trying to brute force the combination.

Smudge style attacks around since dawn of time (1)

myshadows (1846500) | more than 3 years ago | (#33214496)

This is a classic and not new. I have seen the use of gummy bears to beat fingerprint readers etc, which are all smudge style attacks. The problem with their paper is, it is not practical. If the touchscreens have smudges, they are going to have a lot of them! The problem with their experiment is that they do not take into account the amount of use and abuse the touchscreens get. They only have 'holding the phone up to face' action. So, if somebody ONLY uses their touchscreen Android phone for only unlocking their phone and holding it up to their face, they deserve to have their unlock pattern stolen...

National Treasure already did this (1)

smooth wombat (796938) | more than 3 years ago | (#33214508)

I'm sure the few of you who saw National Treasure remember the scene where Nicholas Cage is standing in front of a touchscreen keypad used to gain access to the secure documents room. He shines a light on the keyboard and the keys which Abigail Chase (played Diane Kruger, mmmmmmm, Diane Kruger) had touched for her password were lit up.

While National Treasure used a fluorescing powder to identify which key was pressed, the principle is the same.

SecureID cards (0)

Anonymous Coward | more than 3 years ago | (#33214564)

SecureID cards (one-time password generators) are like that, only worse because the
only time you touch it is to enter your PIN.

In other news... (1)

Thinine (869482) | more than 3 years ago | (#33214566)

If someone watches you enter your password over your shoulder, they'll know your password! Also, if you say the password out-loud when you enter it, someone may overhear you.

Practically (2, Insightful)

pinkushun (1467193) | more than 3 years ago | (#33214608)

Does this mean I should stop eating chocolate while using my touchscreen toy? :/

No seriously, it might work 92% of the time, but that's assuming the user just unlocked and did not use the device. Using it would introduce noise and break the unlock-smudges, dropping the percentage closer to zero the more they use it.

Even simpler fix (0)

Anonymous Coward | more than 3 years ago | (#33214626)

Never clean your touchscreen.

Graphical Pattern Lock Usage (5, Interesting)

quatin (1589389) | more than 3 years ago | (#33214628)

This comes at no surprise. Most people draw simple shapes on the graphical pattern lock. Would you be surprised if your computer was hacked if you set the password to "1234"?

For example, how many of you have drawn a triangle as your pattern? I know I did the first time I used my android phone. Then a few weeks later, when I was on an airplane, I watched a senior gentleman pull out his smart phone and draw the exact same pattern lock as me.

I then sat down and pondered the complexity of passwords using a graphical pattern lock. There's only 9 buttons to use and for most people they tend to only use adjacent buttons when drawing. If one were confined to this set of rules, the passwords would all be linear and simple geometric shapes. However, I figured out through trial and error, that you can actually double back on buttons you've activated and activate buttons that are non-adjacent to active ones by drawing in the blank space in between buttons. This should be a criteria for a strong graphical pattern lock, just like how there's requirements for strong alpha-numerical password locks. You should always have at least one double back button and one non-adjacent button as part of the pattern lock. This way the smudges left on your phone are non-linear.

Re:Graphical Pattern Lock Usage (1)

ViViDboarder (1473973) | more than 3 years ago | (#33214956)

I drew a pattern that used every node. It was actually quite complicated and if one looked at my smudges it may be hard to figure out exactly the pattern because there is a lot of crossing. It's easy to tell which swipe came first when there are only two crosses, but when you have 3 going over the same point, all you know for sure is the last one.

Re:Graphical Pattern Lock Usage (0)

Anonymous Coward | more than 3 years ago | (#33215480)

Let's stay away from requirements for strong passwords...they really do nothing more than aggravate people and make it more likely to forget them.

I use the Pink Eye defense system (1)

mandark1967 (630856) | more than 3 years ago | (#33214662)

Whenever I go somewhere leave my Droid on the desk at work, I put a little poo on the screen. Best. Defense. Ever. against someone taking it and trying to figure out my pass swipe pattern.

Re:I use the Pink Eye defense system (0)

Anonymous Coward | more than 3 years ago | (#33215622)

Having witnessed the number of people who stand at the urinal with their dick in one hand and their smartphone in the other, I won't be touching anyone else's phone any time soon.

Circle (0)

Anonymous Coward | more than 3 years ago | (#33214730)

Requiring the trace to start and stop at the same spot could help. The complexity would increase with each vertex. A simple square would result in 8 possible swipes.

Sounds like a great plot point (1)

jewishbaconzombies (1861376) | more than 3 years ago | (#33214732)

For tv shows like Burn Notice, but I'll just keep using my handy microfiber data encryption algorithm cloth. It's also handy for cleaning eyeglasses too.

Re:Sounds like a great plot point (0)

Anonymous Coward | more than 3 years ago | (#33214916)

They already used it.

I use the unlock pattern feature (0)

Anonymous Coward | more than 3 years ago | (#33214796)

But I don't use it for security, but rather to prevent accidentally doing anything while the phone is in my pocket. The normal "slide down to unlock" feature seems to be insufficient to prevent this...

Every Spy Movie Ever Made Called (1)

BobMcD (601576) | more than 3 years ago | (#33214856)

Every spy movie ever made called, and they want their 'we can tell where your fingers were' concept back. Seriously, 'touch screen' does NOT make this new. People have been worried about this with keypads and the like for AGES.

Pro tip (1, Funny)

antifoidulus (807088) | more than 3 years ago | (#33214876)

this is why it's important to always, ALWAYS rub your penis(or vaginal juices!) all over the screen as soon as you get it. Not only does that create extra smudging, you are pretty much guaranteed that nobody will want to touch it afterwards.

Re:Pro tip (1)

interval1066 (668936) | more than 3 years ago | (#33215404)

The reason I left the US [slate.com]

THAT is the most idiotic article I ever read. An in-depth psychoanalysis of driving/not driving in the US made you leave? Did the door hit you on the ass on your way out?

Hmmm...marketing opportunity (1)

HikingStick (878216) | more than 3 years ago | (#33214892)

I could market Security Slugs. You buy one and then let it crawl across your screen after it is locked, thereby messing up the smudge-crackers' attempts at determining the unlock code.

Of course, there are some pre-release obstacles to overcome. In initial tests, people really were creeped out by trying to talk on their phones after the slugs left their slime trails. Perhaps I need to send this one back to R&D...

Any physical access is insecure (0)

Anonymous Coward | more than 3 years ago | (#33214904)

This really isn't a big deal to me. Anytime somebody gets physical access to a device, they can eventually access the data if they want it bad enough. If somebody steals your computer they can take as much time as they need to break any password you put on it. The same is true of your phone or just about any electronic device. Smudges just make it easier to unlock.

Re:Any physical access is insecure (1)

mlts (1038732) | more than 3 years ago | (#33215346)

Very true. The trick is to limit the guesses someone can make. I just wish Android would have the ability to wipe itself after x amount of failed attempts. Blackberries have this, the iPhone does. My old Windows Mobile device even has this functionality. The only way I've seen to do this in Android is to use a third party utility like WaveSecure,

Could be just me, but... (1)

kaizendojo (956951) | more than 3 years ago | (#33215028)

...I have yet to encounter an ATM where the PIN entry was on the touch screen. I live in the NE US; can anyone confirm if they have actually run into ATMs where the only input device was a touch screen? - I believe (at least in the US) that this would be against the Americans with Disabilities Act (ADA).

Re:Could be just me, but... (1)

one2wonder (1328797) | more than 3 years ago | (#33215660)

None of the ATM's I've ever used used a touchscreen for pin entry and I'm in the NE US as well. However if someone just used it you may be able to detect subtle differences in the temperature of they keys using a sensitive infrared camera accomplishing very much the same thing. My bank uses metal atm keys which would readily absorb heat.

Re:Could be just me, but... (1)

avm (660) | more than 3 years ago | (#33215674)

Lots of POS terminals in grocery stores and the like use touchscreens for PIN entry, often with a stylus. Easy to shoulder surf as well, with the onscreen buttons changing colors when pressed.

Gee, and it requires possession of the phone (1)

hellfire (86129) | more than 3 years ago | (#33215030)

Give a hacker physical access to any device and they will eventually find a way to crack it.

It amazes me that scientists and journalists phrase this as an "attack." It normally takes an act of thievery or an "attack" on the street to lose your phone. If you lose your phone, your fucked anyway, right? The lock on a phone is meant as a casual lock for someone who just happens to walk by and wants to sneak a peek. In fact wouldn't it be easier to plug the phone in via USB and hack it that way, perhaps by mounting it as a hard drive and messing with the contents?

Nice academic study, but not that big of a deal.

Re:Gee, and it requires possession of the phone (0)

Anonymous Coward | more than 3 years ago | (#33215104)

I'll make sure I take my ATM with me too. Wouldn't want someone else to use that.

Just use a PIN lock app (1)

Cato (8296) | more than 3 years ago | (#33215094)

The solution for me is to use a PIN lock application instead - the point-smudges from this would be far less distinguishable from those left by normal touchscreen use. Android 2.2 (Froyo) includes this option, as does CyanogenMod (5.0+ I think), but unfortunately also makes it harder for custom lockscreen apps.

For those still using Android 2.1 or lower - any pointers to secure lockscreen replacement apps with PIN locks? There are many without the PIN lock, but I haven't found one that has a PIN lock and is not trivially bypassed.

This is nothing new. (1)

wfstanle (1188751) | more than 3 years ago | (#33215514)

I've known about this vulnerability for quite a long time. Although not exactly the same thing, touch-pad door locks also had this problem. You had 10 keys and lets say 4 keystrokes. In theory that gives 10 ** 4 combinations. The problem comes after a extended period of use... The paint on the keys you use gets worn off and it becomes quite obvious which 4 keys are used. Now the possible combinations are reduced from 10000 to 256. Sure, it would take patience to open the lock but opening the lock is now feasible.

Self-evident issue with a workaround (0)

Anonymous Coward | more than 3 years ago | (#33215644)

This issue is quite clear, I considered it trivial when I got my touchscreen Android. Smudges are visible, so it leaves one with two options. 1. Keep your screen clear. 2. Create a touch pattern that will at least once touch the pattern drawn earlier (for example 1,5 circles instead of one).

But of course as long as we have people who don't change their default PIN's from 0000 or 1234 to anything useful, we will also have people who don't change their patterns to anything that actually makes sense. Oh the human nature x-)

A bit off-topic:

Similar things happened in early 90's with those old numerical access panels next to doorways. After few years the code would be clearly visible as the related buttons were physically worn out. Solution to this was to start using digital numbering on the buttons - they would change places after every input.

EDIT: My colleague just reminded me that there are still apartment blocks even TODAY with these antiquated access panels here in Amsterdam. One can easily enter the building or yard just by guessing in which order the worn out buttons were pressed... Maybe that's intended as indirect help for the homeless people. Not to mention burglars, of course.

Never was a problem for me... (1)

rickb928 (945187) | more than 3 years ago | (#33215894)

I've got a G1, and had an Invisishield on it from the moment I carried it. Smudges are almost imperceptible on that stuff. I am not a seller for Zagg or Invisishield, just a customer.

But I scored a banged-up G1 as a root/test/spare, and while it needs a new housing, the bare screen shows smudges really badly. If I locked it, a monkey could guess the pattern. Maybe even a pickpocket could.

Try using a screen protector.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...