Smudge Attacks on Smartphone Touch Screens

Touch screens are an increasingly common feature on personal computing devices, especially smartphones, where size and user interface advantages accrue from consolidating multiple hardware components (keyboard, number pad, etc.) into a single software-definable user interface. Oily residues, or smudges, on the touch screen surface are one side effect of touches, and from them frequently used patterns such as a graphical password might be inferred. In this paper we examine the feasibility of such smudge attacks on touch screens for smartphones, and focus our analysis on the Android password pattern. We first investigate the conditions (e.g., lighting and camera orientation) under which smudges are easily extracted. In the vast majority of settings, partial or complete patterns are easily retrieved. We also emulate usage situations that interfere with pattern identification, and show that pattern smudges continue to be recognizable. Finally, we provide a preliminary analysis of applying the information learned in a smudge attack to guessing an Android password pattern.
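To make the last point concrete, the following added example (not code from the paper) enumerates the Android pattern space and measures how much guessing entropy remains once a smudge has revealed which grid nodes a pattern touches. It assumes the standard Android rules for the 3x3 grid, which this page does not state: nodes numbered 1..9 row-major, 4 to 9 distinct nodes per pattern, and no stroke may pass over a node that has not yet been visited; the L-shaped smudge in `__main__` is a constructed input.

```python
import math
from typing import Iterable, List, Tuple

# Assumed Android unlock-pattern rules (not stated on this page): a 3x3 grid
# with nodes 1..9 numbered row by row, patterns of 4..9 distinct nodes, and a
# stroke may not jump over a node that has not been visited yet.

def _midpoint(a: int, b: int):
    """Node lying exactly between a and b on the grid, or None if there is none."""
    ra, ca = divmod(a - 1, 3)
    rb, cb = divmod(b - 1, 3)
    if a == b or (ra + rb) % 2 or (ca + cb) % 2:
        return None
    return ((ra + rb) // 2) * 3 + (ca + cb) // 2 + 1

def _extend(path: List[int], out: List[Tuple[int, ...]]) -> None:
    """Depth-first extension of a partial pattern; records every valid pattern."""
    if len(path) >= 4:
        out.append(tuple(path))
    for nxt in range(1, 10):
        if nxt in path:
            continue
        mid = _midpoint(path[-1], nxt)
        if mid is not None and mid not in path:
            continue  # this stroke would pass over an unvisited node
        path.append(nxt)
        _extend(path, out)
        path.pop()

def all_patterns() -> List[Tuple[int, ...]]:
    out: List[Tuple[int, ...]] = []
    for start in range(1, 10):
        _extend([start], out)
    return out

ALL_PATTERNS = all_patterns()  # 389112 valid patterns in total

def consistent_patterns(smudged: Iterable[int], prefix: Tuple[int, ...] = ()):
    """Patterns touching exactly the smudged nodes; `prefix` optionally pins the
    first nodes when stroke direction was also recovered from the smudge."""
    target = frozenset(smudged)
    return [p for p in ALL_PATTERNS
            if frozenset(p) == target and p[:len(prefix)] == prefix]

def remaining_bits(candidates: int) -> float:
    """Guessing entropy (bits) left once the search is down to `candidates`."""
    return math.log2(candidates) if candidates else 0.0

if __name__ == "__main__":
    smudge = {1, 2, 3, 6, 9}  # constructed example: an L-shaped smudge
    left = consistent_patterns(smudge)
    print(len(ALL_PATTERNS), len(left), round(remaining_bits(len(left)), 1))
```

Comparing `remaining_bits(len(ALL_PATTERNS))` with the value for a recovered node set shows how far a single smudge collapses the search space, which is the quantity a defender needs when judging whether a pattern lock is adequate for a given threat model.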
