Research Claims Hackers Could Figure Out Your Smartphone Password Via Screen Smudges

from the oh-come-on dept

Fri, Aug 13th 2010 1:06am — Mike Masnick

There's all sorts of interesting security research being done out there, but sometimes you just sort of shake your head. A new report has come out that folks with fancy new smartphones that have large touchscreens may face a threat because the smudges left on the screen could indicate passwords. It certainly makes for a good headline... but... seriously? Has this ever happened? Doubtful. How likely is it to happen? It seems exceptionally unlikely. I recognize the importance of exploring different potential security vulnerabilities, but this one seems a bit far-fetched.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: passwords, smartphones, smudges, touch screens

53 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Edward, 13 Aug 2010 @ 1:26am

Easy way around this. Just enter the wrong password a few times every time you log into your phone. So if your password was

O-O-O all they would see is O-O-O
i I I I
O O-O O-O-O
i I I I
O O O O O O

So the smudges just appera random. This is a non issue.
[ link to this | view in chronology ]
- Designerfx (profile), 13 Aug 2010 @ 5:22am
  
  Re:
  uh, you dont' even have to go that far.
  
  it's called "most people's passwords for non-enterprise devices tend to be saved on the device".
  
  enter it once, never again.
  
  etc.
  [ link to this | view in chronology ]
- chris (profile), 13 Aug 2010 @ 6:48am
  
  Re:
  Easy way around this. Just enter the wrong password a few times every time you log into your phone. So if your password was
  
  or you could wipe the screen clean periodically.
  [ link to this | view in chronology ]
  - Derek Kerton (profile), 14 Aug 2010 @ 12:46pm
    
    Re: Re:
    Or you could...i dunno, just USE the smartphone once you log in.
    
    Type an email, play a game, swipe a map. Just do the sort of things people naturally do when they log into a smartphone.
    
    And then the hackers can try to log into your phone with your most recent Google Map swipes. Good luck.
    [ link to this | view in chronology ]
Edward, 13 Aug 2010 @ 1:27am

Awww, crap, taht didn't appear right : P
[ link to this | view in chronology ]
- Dark Helmet (profile), 13 Aug 2010 @ 6:04am
  
  Re:
  "Awww, crap, taht didn't appear right : P"
  
  That's because I hacked your computer using traces of Cheetoh smudges on your keyboard to make you look foolish....
  [ link to this | view in chronology ]
MrWilson, 13 Aug 2010 @ 1:37am

This would only work if you only ever entered your password on the phone. If you used apps that require you to touch other places on the touchscreen, then you'd have smudges all over the place. If you used those apps as often as you type in the password, then you'd have smudge patterns from the repetitive use of those apps as well.
[ link to this | view in chronology ]
Anonymous Coward, 13 Aug 2010 @ 2:06am

In some cases it does reduce the number of digits you need to think about it for a brute force, which reduces the time it takes to get in dramatically.

Doubt?

Try to compute the rainbow tables for 3 and 4 digits and see the difference in time.
[ link to this | view in chronology ]
Anonymous Coward, 13 Aug 2010 @ 2:06am

In some cases it does reduce the number of digits you need to think about it for a brute force, which reduces the time it takes to get in dramatically.

Doubt?

Try to compute the rainbow tables for 3 and 4 digits and see the difference in time.
[ link to this | view in chronology ]
- cc (profile), 13 Aug 2010 @ 2:50am
  
  Re:
  Indeed, even if you can guess which digits were pressed, you'll have to brute-force the sequence. If the phone locks itself completely after a number of failed attempts, this is a pretty pointless exploit.
  
  If you think about it, this is not a new "problem". You could theoretically dust the keys on an ATM for fingerprints to find out which digits the last customer pressed. Since you only get 3 attempts with most credit cards, you need a good deal of luck to guess the PIN number in the correct order.
  [ link to this | view in chronology ]
- chris (profile), 13 Aug 2010 @ 7:01am
  
  Re:
  In some cases it does reduce the number of digits you need to think about it for a brute force, which reduces the time it takes to get in dramatically.
  
  that's the reason that number pads in general are terrible interfaces for password security: they are a small number of keys and they are usually not as sturdily made as computer keyboards.
  
  it's pretty easy to guess the unlock code on a copier because those 4 keys see way more abuse than the others, so just look for the 3-4 keys that have been pressed more than the others and you have taken it from 5000+ key combinations to around 24.
  [ link to this | view in chronology ]
Dementia (profile), 13 Aug 2010 @ 3:34am

Duh
Can't speak for anyone else, but I routinely clean my screen, and its not even a touch screen. I would think you would be more prone to cleaning it if you are routinely touching the screen to perform tasks, but since I don't have a touchscreen, what would I know, right?
[ link to this | view in chronology ]
R. Miles (profile), 13 Aug 2010 @ 3:43am

Hollywood's School of Password Breaking
This is right up there with "all passwords are of someone's name and birthday combination, or the hint is in the photo next to the monitor".

No way is this "research" accurate, but it's going to cause a panic nonetheless. Next, someone in Congress will grandstand and push a bill to demand automatic sprinklers be installed on all touchscreens so prints are removed.

This technology will be patented, so anything with a touch screen will skyrocket unnecessarily in price.

This will be the norm until holographic displays enter the market, and the process starts all over again.

*pulls out an easier solution called a tissue
[ link to this | view in chronology ]
Kari, 13 Aug 2010 @ 3:44am

There's a password entry on Android with a 3 by 3 circle 'connect the dots' password point. I can see how using smudges can pass that. I'm curious if he got paid for that research cause I need to be reimbursed for mine that determined: after password reenetry just smudge the screen.
[ link to this | view in chronology ]
- Anonymous Coward, 13 Aug 2010 @ 5:09am
  
  Re:
  Yep the connect the dots pattern unlock is vulnerable to this. I can sometimes see my pattern on my phone. It isn't much of a big deal because I mostly have my phone lock to stop pocket dialing. FroYo added a more traditional password mode.
  [ link to this | view in chronology ]
- Mike W (profile), 13 Aug 2010 @ 6:19am
  
  Re:
  I actually did that to get into my friend's phone. Most of those swipe patterns will be just 2 or 3 strokes, so they're particularly vulnerable.
  [ link to this | view in chronology ]
ReallyEvilCanine (profile), 13 Aug 2010 @ 3:47am

Really Mike? An appeal to ignorance?
Because you don't see how it could work or be used? Because you've never heard of it being used (no one ever does until long after a method has been discovered and used successfully)? WTF?
[ link to this | view in chronology ]
brianmd (profile), 13 Aug 2010 @ 4:05am

Debit PINs
It's easier to just watch the person in front of you in line enter their debit PIN at the register. I've always thought it would be smart to have the touch pad show the numbers in random order each time... maybe someone can patent that (and cut me in).
[ link to this | view in chronology ]
- Michael Witt (profile), 13 Aug 2010 @ 6:22am
  
  Re: Debit PINs
  A while ago I used ING Direct as my bank. They made you use a PIN instead of a password to log in, but to keep from having people be able to keylog the password, they assigned each number a letter at random, then you had to type in the letters. A bit of a hassle, but I would bet that the number of keylogger-related stolen passwords dropped to zero.
  [ link to this | view in chronology ]
mrtraver (profile), 13 Aug 2010 @ 4:22am

Wait; I've seen this before...
Did his research consist of watching them do this on "National Treasure" and then thinking "Hey, this might work on a smartphone"?

Like MrWilson said above, smartphones have their screens pressed and smudged for a lot of things other than password entry.
[ link to this | view in chronology ]
- Valkor, 13 Aug 2010 @ 9:46am
  
  Re: Wait; I've seen this before...
  I'm sure their research was more rigorous than that. I think they also watched a scene in "Entrapment" also.
  [ link to this | view in chronology ]
Jim L, 13 Aug 2010 @ 4:30am

clean phone
This research was done on a clean phone that was not used for anything else. I have no doubt it wouldn't work on my phone.
[ link to this | view in chronology ]
Freak, 13 Aug 2010 @ 5:16am

Underestimating the research . . .
Really, all of you, think about it. These are problems that you could think up in a second, why not the researchers?

They used pattern recognition on the smudges to determine which ones were used as part of a sequence, and further were able to discern which ones were used most, which were oldest, and which were re smudged . . . in the same order.
They were able to determine the directionality of all touches on the pad, which means that if they can tell the approximate age of the smudges, they are able to tell the order.

They experimented on phones with 'light' and 'normal' use, as well as ones that had been pressed to a face, (as after a phonecall). They also experimented with wiping the phone off, in which case they lost some, not all, of the directionality.

In the cases of heavy use, also stimulated, they found they were still able to reconstruct, with uncertainty, some parts of the pattern. By using multiple photographs from different angles, however, they found they were able to reconstruct the whole pattern, or to such an extent that the guessing threshold was below 20.

I just had to check out the paper itself, because it looked a lot to me like a paper I recently read about reconstructing images . . . from teapots. Not shiny metal teapots, either. Ceramics. The white ones that have a bit of a shine, and nothing else. They also studied other partially reflective objects, like eyeballs, polished wooden surfaces, spoons, (metal & plastic), and a lot of others. The image reconstruction was able to read 12 pt font of a computer screen from 15 metres with a normal digital camera & zoom lens. With the computer screen facing away from the camera, and reflected in the object they were studying.
[ link to this | view in chronology ]
KnownHuman (profile), 13 Aug 2010 @ 5:28am

I wouldn't exactly call my fellow employees "hackers," but several of them quickly identified the swipe lock on my Android phone as a pretty easy physical hack. Two went as far as to unlock my phone.

But, that's all besides the point - anytime someone has physical access to a device, a security breach is not a matter of if, but rather when.
[ link to this | view in chronology ]
- vivaelamor (profile), 14 Aug 2010 @ 3:23am
  
  Re:
  "But, that's all besides the point - anytime someone has physical access to a device, a security breach is not a matter of if, but rather when." Except in the case of encryption the when is probably going to be after you're dead.
  [ link to this | view in chronology ]
  - Freak, 15 Aug 2010 @ 7:25am
    
    Re: Re:
    If you have physical access to the device, it's very easy to break any encryption, except OTP carried by the owner in a different device/form, as long as you have access to the machine that encrypted the data, (or has the software necessary to decrypt it).
    
    Ever heard of side-channel attacks?
    
    Nevermind that you could ice the memory, (Literally, cool down the physical memory with icecubes or something less likely cause a short), and restart the device with your own OS, and read the encryption algorithms and keys that should still be stored in the memory.
    
    (Thus why militaries & gov'ts often have encryption devices and data storage devices in completely different locations.)
    [ link to this | view in chronology ]
Kerry Kaye (profile), 13 Aug 2010 @ 5:31am

actually....
We were talking about this at work last week. My boss has an android phone and his 7 year old daughter was able to "break into" his phone. When he asked her how she did it, her reply was "your greasy fingers left marks on the screen and I just followed them." I don't like having smudges on my screen so I always give it a wipe after I use to so that it doesn't have any smudges. Another solution to this "problem", as my coworker thought up, is to have a code that doubles over itself. So yes it can happen, but as for the likelihood? Pretty darn low. Looks like they wanted more grant money...
[ link to this | view in chronology ]
- Anonymous Coward, 13 Aug 2010 @ 5:36am
  
  Re: actually....
  "So yes it can happen, but as for the likelihood? Pretty darn low."
  
  Yet you gave an example where it happened exactly in your little world. How cute.
  [ link to this | view in chronology ]
  - eh, 13 Aug 2010 @ 6:59am
    
    Re: Re: actually....
    yeah but it was the dude's daughter at their house, not like he's leaving his phone on a bench at the bus stop.
    [ link to this | view in chronology ]
Chris Hoeschen (profile), 13 Aug 2010 @ 5:59am

Unless you ONLY use your smartphone's touch screen to enter in your password this is not possible. I have a smartphone with a touch screen and run the same app several times a day. If the location of that app lines up on the screen with a digit for my password it would make it look like that digit is frequently used. Not to mention multiple pages of frequently used apps, taps on the screen once that app is running, or on screen keyboards for typing in URLs or other non-password items. After a while you screen will look like nothing more then one large smudge.

The govt uses touch screens for security entry points where you have to enter in the password to gain entry. To combat this form of breach they have the digits change location on the screen so even if you know where the last person touched on the screen the digits don't align with those locations anymore so it is useless information. This could easily be incorporated into smart phones for those people who are concerned.
[ link to this | view in chronology ]
Anonymous Coward, 13 Aug 2010 @ 6:04am

That is why a like paper keys.

http://en.wikipedia.org/wiki/Trusted_paper_key

I don't have to remember them, they are easy to make I can change the password everyday if a choose too, and they are easy to secure think neckeless locket and you can use a distress password in case somebody coerces you to give it to them.
[ link to this | view in chronology ]
Anonymous Coward, 13 Aug 2010 @ 6:06am

Between apps with passwords, and a screen cover that I change whenever it gets to many scratches.

Can't see how this would work.
[ link to this | view in chronology ]
Spooked, 13 Aug 2010 @ 6:13am

Security
Thank goodness they can't hack smartphones yet. This would be disasters for so many people who like to put their whole life on there phone.
[ link to this | view in chronology ]
Anonymous Coward, 13 Aug 2010 @ 6:38am

honestly... I thought of this as soon as I finished entering my first password, made sure it worked then clicked my phone off. then could clearly see where my disgusting human flesh touched my beautiful capacitive touch screen. It would not take much trial an error to determine it... but seriously just clean your damn phone. I already lost my password to other people easily because I need to get into my phone and people won't look away!
[ link to this | view in chronology ]
Anonymous Coward, 13 Aug 2010 @ 6:51am

http://home.earthlink.net/~drestinblack/hologram.htm

I can also see how people could get directionality from smudges because of topology features that are created, which is somewhat like scratch holograms :)
[ link to this | view in chronology ]
Jeremy7600 (profile), 13 Aug 2010 @ 7:01am

Touchscreen.. but physical keyboard
My ADP1 (T-mobile G1) has a physical keyboard. I tend to stick to devices that have one, and this may be an even better reason to do so. I never use the touchscreen keyboard except for one handed SMS entry.

As for the 3x3 grid for unlocking the phone, I always used a pattern that crossed over itself. I doubt anyone would be able to get it on the first try, even following the smudges. I don't use anything to lock the phone anymore, as it was too much of a hassle to re-swipe the code every minute after the screen went off when I was using it to send txts frequently.

My next phone shall have a physical keyboard, but I don't really think its necessary for the reasons presented here. After all, I only enter passwords once on the phone in any web apps or sites and the phone remembers them. So for me, its pretty much a non-issue. And I don't visit my bank website from my phone.
[ link to this | view in chronology ]
- Anonymous Coward, 13 Aug 2010 @ 8:15am
  
  Re: Touchscreen.. but physical keyboard
  I also have a G1 and, in my experience, fingerprints show up particularly well on its keyboard.
  
  I suppose it isn't quite as bad as using the touchscreen, but you can still clearly see which letters are used more commonly than others if you don't wipe it off periodically.
  [ link to this | view in chronology ]
  - Jeremy7600 (profile), 13 Aug 2010 @ 1:41pm
    
    Re: Re: Touchscreen.. but physical keyboard
    I haven't had a G1 next to my ADP1 in a long time, and maybe the keyboards are painted/colored differently, but after taking a quick look at my keyboard after I was just texting with it on and off for the past hour and a half, I don't notice smudges on the keys themselves, but I do see fingerprints in the body of the keyboard around the keys.
    
    The ADP1 isn't true black, its a deep dark gunmetal color. Not sure if that is whats making me not see them.
    
    Also, I've had this phone almost a year now, and from my perspective it doesn't look like any of the keys have been used more than others (Notwithstanding what I said above about only entering passwords once on this phone)
    [ link to this | view in chronology ]
Anonymous Coward, 13 Aug 2010 @ 7:03am

I dont think they were examining just grease that can be cleaned off, but the wear patterns it leaves in the surface. This is probably no harder than recording the sound of keystrokes on a keyboard and recreating the pattern.

The above poster than mentioned a shifting on screen keyboard for passwords has the correct solution if you are worried about this happening to your phone.
[ link to this | view in chronology ]
harbingerofdoom (profile), 13 Aug 2010 @ 7:17am

here's a novel idea, dont use a touch screen device to enter your password...
[ link to this | view in chronology ]
- Anonymous Coward, 14 Aug 2010 @ 6:22am
  
  Re:
  The problem is that the key to an android phone is not characters you type but a three by three array of dots that you connect in a certain pattern on the touch screen. Plus half the new android phones do not have a keyboard.
  [ link to this | view in chronology ]
Anonymous Coward, 13 Aug 2010 @ 7:24am

Gestures
I use the Dolphin browser and all of the delicious gestures I can possibly use with it. It makes me more secure.
[ link to this | view in chronology ]
Mr. Block (profile), 13 Aug 2010 @ 7:37am

Disappointed
The paper has not been peer-reviewed or even published. This should not be getting the attention it deserves. I'm kind of disappointed you decided to do a write-up about this.
[ link to this | view in chronology ]
- Dark Helmet (profile), 13 Aug 2010 @ 7:55am
  
  Re: Disappointed
  "This should not be getting the attention it deserves."
  
  That is the oddest sentence I've ever read....
  [ link to this | view in chronology ]
- TtfnJohn (profile), 13 Aug 2010 @ 10:48am
  
  Re: Disappointed
  It's a valid write up for this site. After all it's called Tech and dirt!
  
  While The Hill didn't go over the top about this paper I can guarantee that sites like ZDNet and CNET will go completely spare about it with their "security" bloggers writing up long and involved alerts without even looking at the actual reports. (They've done that enough that I don't believe a word from them any more.)
  
  After reading the paper I'd suggest that the probability of a real world attack by fingertip grease through photography alone is low.
  
  First off they used new sets which were used once, smudged then reused in ideal lighting conditions using unknown high end cameras and lenses. (Weak point guys!).
  
  While the results are what I'd expect, actually, in real life the handset would also be scratched, have wear marks and other things which could cause false positives due to finger "grease" being caught and retained in imperfections on the screen after some use.
  
  To do this remotely would require more than one photo, I'm sure, and probably the use of a telephoto lens or the "close up" button on less expensive cameras which immediately causes distortion on the resulting photo. Further pixilation would occur bringing that photo "close" enough by quick enlargement. You might get a readable pattern but, given the information provided I doubt it. Remember, now, that lighting and other conditions are far from ideal in the real world leading to the need for retakes and so on. (Taking the photo through a window, partially hidden behind a plant or some such thing, exposure length, aperture settings and a whole lot of other things.
  
  It might serve as a good baseline but I can't see it now given what the report does and does not tell me. (Most importantly the brand and model of camera, the brand and model of lens, settings, resulting bit density of the resulting photo, time of day and exact information on the lighting used.)
  
  As others have noted the paper hasn't been subject to peer review, as yet, which opens it's conclusions to further question. Though I can see people grabbing their cheap snapshot cameras and mid to high end SLRs to try to replicate at least some of this.
  
  As others have noted cleaning the screen with wet eyeglass wipes would effectively stop this as well as one's child "breaking" in by following the interesting finger line on the phone. :-)
  
  There's another drawback to this and that's that unless you're being targeted by someone actually looking for information on the set the vast, vast majority of wireless devices are stolen for quick sale to someone else, used for a very short period of time and then disposed of. (Classic pattern is drug addict steals phone -->sells it to dealer for a fix--->dealer uses phone until it's reported missing and is cut off---> dealer tosses the set into the nearest dumpster.)
  
  The only reason I can see for cracking a cell phone is that you are in possession, or so the potential thief thinks, of some extremely valuable information they can use very quickly, say the alarm code for your house, some valuable commercial or government information and so on.
  
  Thing is, of course, is that don't leave your life information on the not-so-smart phone! AKA don't be stupid.
  
  As for what I'd do with Android is I'd override the requirement to use the pattern password and use a key or other password entry.
  
  BTW, it's interesting that we're still told to hide our PINs as we use ATMs or debit/credit cards because of a fantastic weakness there. All machines give audio feedback every time a key is pressed. Guess what? Within a few Hz they're exactly the same on every machine. Should I try to muzzle them?!!!
  [ link to this | view in chronology ]
William N (profile), 13 Aug 2010 @ 7:49am

It only needs to happen once to compromise a lot of information. And just speaking anecdotally from my Android phone, it would totally work.

Anyway, it's not something a lot of people would have thought of, and something that could be easily fixed if they used a shifting system instead of a fixed pattern to unlock.

Also, I'm hoping to see this used by some clever spy in an upcoming Hollywood movie :)
[ link to this | view in chronology ]
Sean T Henry (profile), 13 Aug 2010 @ 8:07am

Really!
The article is the same as saying if hackers steal your password protected computer they can access your data. If you have physical access to a device it usually can be accessed in one way or another.

I hacked the lock to your front door by taking a picture of your house key then cutting the pattern by hand.
[ link to this | view in chronology ]
Michael (profile), 13 Aug 2010 @ 8:34am

Hollywood!
This is a great idea for moving a plot forward in suspense/ thriller, craptastic, action flick.

For actually hacking or breaking into a phone in the real world? Good luck.
[ link to this | view in chronology ]
Anonymous Coward, 13 Aug 2010 @ 9:42am

Many people only have a short password on their smart-phones. Knowing what numbers people hit reduces the password effectiveness a lot-it seems best to side with caution here and reveal all potential dangers and let people make the choice as to whether to worry about it or not.
[ link to this | view in chronology ]
PrometheeFeu (profile), 13 Aug 2010 @ 10:08am

Actually it works. My boss during lunch a week ago asked to borrow my droid to test the theory and successfuly unlocked it. Not a scientific test, but it is feasible.
[ link to this | view in chronology ]
Mel, 13 Aug 2010 @ 7:48pm

No, this will work. I saw it in a movie!
The password is "valleyforge".
[ link to this | view in chronology ]
Emmanuel Carabott (profile), 19 Aug 2010 @ 2:16am

I think there might have been a misunderstanding in my opinion, Cause what the paper suggests is not far fetched at all, on the contrarary to me is obvious. The Android Authentication system is as people said before a 3x3 square of dots and you can create a pattern and use it as a password. In most cases you can bet for convenience it will be a flowing pattern and if you just log in to check a message or something trivial you can bet the pattern will be clearly visible on the screen. Guess that pattern will in most cases require two guesses, either starting from left or from the right. Its the first thing I notice on the first day I used the phone. In fact I dont think of it as a security feature at ll but rather as a mechanism to help avoid the phone unlocking and initiating a phone call while its in my pocket more then to secure my information.
[ link to this | view in chronology ]
fullcircle62, 24 Sep 2010 @ 2:06pm

DROID LOCK
Not a chance. If you are smart enough to use the same dot twice, the finger swipes will override the previous swipe. You can use a two dot combination up to 9 times. Taking that an using more than just the two dots, your finger prints will take logic out of the scenario. I have two locks on my ipod touch. First is the 3x3 lock, and also the stock ipod touch lock. So even if you get past the first one, you still have to deal with the other key in which only takes a few wrong answers to wipe it clean. If someone steals it, then they are not getting any of my information. I am safe enough with that. The thing that is getting me is the number of combinations. I cant find the answer anywhere. Can someone please email me the answer if you find it ?
[ link to this | view in chronology ]