Research Claims Hackers Could Figure Out Your Smartphone Password Via Screen Smudges
from the oh-come-on dept
There's all sorts of interesting security research being done out there, but sometimes you just sort of shake your head. A new report has come out that folks with fancy new smartphones that have large touchscreens may face a threat because the smudges left on the screen could indicate passwords. It certainly makes for a good headline... but... seriously? Has this ever happened? Doubtful. How likely is it to happen? It seems exceptionally unlikely. I recognize the importance of exploring different potential security vulnerabilities, but this one seems a bit far-fetched.Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: passwords, smartphones, smudges, touch screens
Reader Comments
Subscribe: RSS
View by: Time | Thread
O-O-O all they would see is O-O-O
i I I I
O O-O O-O-O
i I I I
O O O O O O
So the smudges just appera random. This is a non issue.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Doubt?
Try to compute the rainbow tables for 3 and 4 digits and see the difference in time.
[ link to this | view in thread ]
Doubt?
Try to compute the rainbow tables for 3 and 4 digits and see the difference in time.
[ link to this | view in thread ]
Re:
If you think about it, this is not a new "problem". You could theoretically dust the keys on an ATM for fingerprints to find out which digits the last customer pressed. Since you only get 3 attempts with most credit cards, you need a good deal of luck to guess the PIN number in the correct order.
[ link to this | view in thread ]
Duh
[ link to this | view in thread ]
Hollywood's School of Password Breaking
No way is this "research" accurate, but it's going to cause a panic nonetheless. Next, someone in Congress will grandstand and push a bill to demand automatic sprinklers be installed on all touchscreens so prints are removed.
This technology will be patented, so anything with a touch screen will skyrocket unnecessarily in price.
This will be the norm until holographic displays enter the market, and the process starts all over again.
*pulls out an easier solution called a tissue
[ link to this | view in thread ]
[ link to this | view in thread ]
Really Mike? An appeal to ignorance?
[ link to this | view in thread ]
Debit PINs
[ link to this | view in thread ]
Wait; I've seen this before...
Like MrWilson said above, smartphones have their screens pressed and smudged for a lot of things other than password entry.
[ link to this | view in thread ]
clean phone
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Underestimating the research . . .
They used pattern recognition on the smudges to determine which ones were used as part of a sequence, and further were able to discern which ones were used most, which were oldest, and which were re smudged . . . in the same order.
They were able to determine the directionality of all touches on the pad, which means that if they can tell the approximate age of the smudges, they are able to tell the order.
They experimented on phones with 'light' and 'normal' use, as well as ones that had been pressed to a face, (as after a phonecall). They also experimented with wiping the phone off, in which case they lost some, not all, of the directionality.
In the cases of heavy use, also stimulated, they found they were still able to reconstruct, with uncertainty, some parts of the pattern. By using multiple photographs from different angles, however, they found they were able to reconstruct the whole pattern, or to such an extent that the guessing threshold was below 20.
I just had to check out the paper itself, because it looked a lot to me like a paper I recently read about reconstructing images . . . from teapots. Not shiny metal teapots, either. Ceramics. The white ones that have a bit of a shine, and nothing else. They also studied other partially reflective objects, like eyeballs, polished wooden surfaces, spoons, (metal & plastic), and a lot of others. The image reconstruction was able to read 12 pt font of a computer screen from 15 metres with a normal digital camera & zoom lens. With the computer screen facing away from the camera, and reflected in the object they were studying.
[ link to this | view in thread ]
Re:
it's called "most people's passwords for non-enterprise devices tend to be saved on the device".
enter it once, never again.
etc.
[ link to this | view in thread ]
But, that's all besides the point - anytime someone has physical access to a device, a security breach is not a matter of if, but rather when.
[ link to this | view in thread ]
actually....
[ link to this | view in thread ]
Re: actually....
Yet you gave an example where it happened exactly in your little world. How cute.
[ link to this | view in thread ]
The govt uses touch screens for security entry points where you have to enter in the password to gain entry. To combat this form of breach they have the digits change location on the screen so even if you know where the last person touched on the screen the digits don't align with those locations anymore so it is useless information. This could easily be incorporated into smart phones for those people who are concerned.
[ link to this | view in thread ]
http://en.wikipedia.org/wiki/Trusted_paper_key
I don't have to remember them, they are easy to make I can change the password everyday if a choose too, and they are easy to secure think neckeless locket and you can use a distress password in case somebody coerces you to give it to them.
[ link to this | view in thread ]
Re:
That's because I hacked your computer using traces of Cheetoh smudges on your keyboard to make you look foolish....
[ link to this | view in thread ]
Can't see how this would work.
[ link to this | view in thread ]
Security
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Debit PINs
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
or you could wipe the screen clean periodically.
[ link to this | view in thread ]
I can also see how people could get directionality from smudges because of topology features that are created, which is somewhat like scratch holograms :)
[ link to this | view in thread ]
Re: Re: actually....
[ link to this | view in thread ]
Touchscreen.. but physical keyboard
As for the 3x3 grid for unlocking the phone, I always used a pattern that crossed over itself. I doubt anyone would be able to get it on the first try, even following the smudges. I don't use anything to lock the phone anymore, as it was too much of a hassle to re-swipe the code every minute after the screen went off when I was using it to send txts frequently.
My next phone shall have a physical keyboard, but I don't really think its necessary for the reasons presented here. After all, I only enter passwords once on the phone in any web apps or sites and the phone remembers them. So for me, its pretty much a non-issue. And I don't visit my bank website from my phone.
[ link to this | view in thread ]
Re:
that's the reason that number pads in general are terrible interfaces for password security: they are a small number of keys and they are usually not as sturdily made as computer keyboards.
it's pretty easy to guess the unlock code on a copier because those 4 keys see way more abuse than the others, so just look for the 3-4 keys that have been pressed more than the others and you have taken it from 5000+ key combinations to around 24.
[ link to this | view in thread ]
The above poster than mentioned a shifting on screen keyboard for passwords has the correct solution if you are worried about this happening to your phone.
[ link to this | view in thread ]
[ link to this | view in thread ]
Gestures
[ link to this | view in thread ]
Disappointed
[ link to this | view in thread ]
Anyway, it's not something a lot of people would have thought of, and something that could be easily fixed if they used a shifting system instead of a fixed pattern to unlock.
Also, I'm hoping to see this used by some clever spy in an upcoming Hollywood movie :)
[ link to this | view in thread ]
Re: Disappointed
That is the oddest sentence I've ever read....
[ link to this | view in thread ]
Really!
I hacked the lock to your front door by taking a picture of your house key then cutting the pattern by hand.
[ link to this | view in thread ]
Re: Touchscreen.. but physical keyboard
I suppose it isn't quite as bad as using the touchscreen, but you can still clearly see which letters are used more commonly than others if you don't wipe it off periodically.
[ link to this | view in thread ]
Hollywood!
For actually hacking or breaking into a phone in the real world? Good luck.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Wait; I've seen this before...
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Disappointed
While The Hill didn't go over the top about this paper I can guarantee that sites like ZDNet and CNET will go completely spare about it with their "security" bloggers writing up long and involved alerts without even looking at the actual reports. (They've done that enough that I don't believe a word from them any more.)
After reading the paper I'd suggest that the probability of a real world attack by fingertip grease through photography alone is low.
First off they used new sets which were used once, smudged then reused in ideal lighting conditions using unknown high end cameras and lenses. (Weak point guys!).
While the results are what I'd expect, actually, in real life the handset would also be scratched, have wear marks and other things which could cause false positives due to finger "grease" being caught and retained in imperfections on the screen after some use.
To do this remotely would require more than one photo, I'm sure, and probably the use of a telephoto lens or the "close up" button on less expensive cameras which immediately causes distortion on the resulting photo. Further pixilation would occur bringing that photo "close" enough by quick enlargement. You might get a readable pattern but, given the information provided I doubt it. Remember, now, that lighting and other conditions are far from ideal in the real world leading to the need for retakes and so on. (Taking the photo through a window, partially hidden behind a plant or some such thing, exposure length, aperture settings and a whole lot of other things.
It might serve as a good baseline but I can't see it now given what the report does and does not tell me. (Most importantly the brand and model of camera, the brand and model of lens, settings, resulting bit density of the resulting photo, time of day and exact information on the lighting used.)
As others have noted the paper hasn't been subject to peer review, as yet, which opens it's conclusions to further question. Though I can see people grabbing their cheap snapshot cameras and mid to high end SLRs to try to replicate at least some of this.
As others have noted cleaning the screen with wet eyeglass wipes would effectively stop this as well as one's child "breaking" in by following the interesting finger line on the phone. :-)
There's another drawback to this and that's that unless you're being targeted by someone actually looking for information on the set the vast, vast majority of wireless devices are stolen for quick sale to someone else, used for a very short period of time and then disposed of. (Classic pattern is drug addict steals phone -->sells it to dealer for a fix--->dealer uses phone until it's reported missing and is cut off---> dealer tosses the set into the nearest dumpster.)
The only reason I can see for cracking a cell phone is that you are in possession, or so the potential thief thinks, of some extremely valuable information they can use very quickly, say the alarm code for your house, some valuable commercial or government information and so on.
Thing is, of course, is that don't leave your life information on the not-so-smart phone! AKA don't be stupid.
As for what I'd do with Android is I'd override the requirement to use the pattern password and use a key or other password entry.
BTW, it's interesting that we're still told to hide our PINs as we use ATMs or debit/credit cards because of a fantastic weakness there. All machines give audio feedback every time a key is pressed. Guess what? Within a few Hz they're exactly the same on every machine. Should I try to muzzle them?!!!
[ link to this | view in thread ]
Re: Re: Touchscreen.. but physical keyboard
The ADP1 isn't true black, its a deep dark gunmetal color. Not sure if that is whats making me not see them.
Also, I've had this phone almost a year now, and from my perspective it doesn't look like any of the keys have been used more than others (Notwithstanding what I said above about only entering passwords once on this phone)
[ link to this | view in thread ]
No, this will work. I saw it in a movie!
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
Type an email, play a game, swipe a map. Just do the sort of things people naturally do when they log into a smartphone.
And then the hackers can try to log into your phone with your most recent Google Map swipes. Good luck.
[ link to this | view in thread ]
Re: Re:
Ever heard of side-channel attacks?
Nevermind that you could ice the memory, (Literally, cool down the physical memory with icecubes or something less likely cause a short), and restart the device with your own OS, and read the encryption algorithms and keys that should still be stored in the memory.
(Thus why militaries & gov'ts often have encryption devices and data storage devices in completely different locations.)
[ link to this | view in thread ]
[ link to this | view in thread ]
DROID LOCK
[ link to this | view in thread ]