Fingerprint Smudges Can Jeopardize Smart Phone Security

August 17, 2010

A team of researchers from the University of Pennsylvania presented a paper titled " Smudge Attacks on Smartphone Touch Screens" at WOOT '10 — the fourth Usenix Workshop on Offensive Technologies conference in Washington D.C. The researchers describe a method for uncovering the smart phone password based on the fingerprints on the touchscreen.

The research paper explains "Oily residues, or smudges, on the touch screen surface, are one side effect of touches from which frequently used patterns such as a graphical password might be inferred."

The bottom line, says the research, is because your fingers leave oily smudges, an attacker can possibly determine where your fingers have been on the touch screen and break your password.

The research team lists three reasons that smudge attacks are a threat to smart phone security. "First, smudges are surprisingly persistent in time. Second, it is surprisingly difficult to incidentally obscure or delete smudges through wiping or pocketing the device. Third and finally, collecting and analyzing oily residue smudges can be done with readily available equipment such as a camera and a computer."

According to a report by MSNBC, the security risk is present on all touchscreen smart phones to some extent, but it is a much bigger risk on Android devices that rely on a swipe pattern rather than the more traditional numeric or alphanumeric PIN. Android displays a pattern of nine circles and lets the user create a passcode based on how they connect the dots, the report says, but because the pattern is completed without lifting your finger off of the display, the oily smudges show which circles are part of the passcode, and also betray the order or pattern traced by the smart phone owner's finger.

In contrast, says the report, an attacker might be able to determine where an iPhone owner's fingers have touched the screen, but not which order the numbers or letters were entered. The attacker would also not necessarily be able to determine if the same number or letter is repeated within the password, or how many times it is repeated.

Pandemics, Recessions and Disasters: Insider Threats During Troubling Times

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Industrial Cybersecurity: What Every Food & Bev Executive Needs to Know

ON DEMAND: There's a lot at stake when it comes to cybersecurity. Reputation, productivity, quality. Join us to discuss the future of your global security strategy and a path forward with trusted partners Cisco and Rockwell Automation, and turn your Food & Bev security challenges into strategic advantages that drive business value.

Poll

Who has ownership or primary responsibility of video surveillance at your enterprise?

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

Fingerprint Smudges Can Jeopardize Smart Phone Security

The latest news and information

Content written for business-minded executives who manage enterprise risk and security

Fingerprint Smudges Can Jeopardize Smart Phone Security

Related Articles

The latest news and information

Content written for business-minded executives who manage enterprise risk and security