
After eating some garlic bread at a friend's who is not security-aware, she managed to quickly determine the PIN code to unlock the screen of my Samsung SIII.

She figured this out by simply holding the device against the light and looking at the grease pattern my thumb left on the screen. It only took her 2 attempts to unlock the screen.

I guess she would not have been able to access my phone if I had kept the screen cleaner, or if the device could only be unlocked by pressing numbers, rather than dragging the finger to form a pattern.

Is this a common means of attack? Are finger dragging pattern passwords really more insecure than number touch passwords?

Lex
  • Having a complex pattern might give more protection ... having just a simple line or square-like shapes reduces the possibilities for brute forcing, so having a pattern like an infinity sign is a good idea I think – HSN May 16 '13 at 13:15
  • Thanks for sharing, it's always great to see how security can sometimes be defeated almost by accident. – AJ Henderson May 16 '13 at 13:23
  • @HSN. Good point, especially because it becomes more difficult to trace where the pattern starts from. Though I am not sure how much this would actually deter someone from guessing as there is no such thing as account lockout for multiple failed attempts. – Lex May 16 '13 at 13:23
  • "My security keypad will actually be a fingerprint scanner. Anyone who watches someone press a sequence of buttons or dusts the pad for fingerprints then subsequently tries to enter by repeating that sequence will trigger the alarm system." - Evil Overlord List – Andrew Grimm May 17 '13 at 01:19
  • My 8 year old did the same thing with my SIII; I hastily reverted to a PIN ;-) – noonand May 17 '13 at 08:11
  • My Galaxy *was* stolen, and the guy who stole it *did* break into my phone exactly in this manner. Fortunately, he didn't manage to do further damage before I changed my Google passwords. – sq33G May 17 '13 at 11:38
  • Related: I tried a pattern login for my Android device, but soon changed back to a PIN, not because of smudges but because it was much easier for a shoulder-surfer (our kids) to see and remember a shape than a series of taps on a number pad. – LarsH May 17 '13 at 13:51
  • If I remember correctly, in some games, like Splinter Cell, a smudge attack on a door's security lock was used for the protagonist to gain access — had to wait for the bodyguard to enter the code and pass through the door, then with the use of a flashlight I was able to figure it out in three attempts. – Eugene Bujak May 20 '13 at 18:38
  • Why was there a recent edit to this question? I looked at the edits and it feels unnecessary and a matter of stylistic preference over actually providing anything new here. – Frank B Jul 12 '13 at 18:07
  • @Frank B Hmmm, I have no idea why he decided to change it. Although he stripped off my clumsy syntax and charming semantic foreignism, I must admit: it is better. – Lex Jul 12 '13 at 21:03
  • Another reason to concentrate on your food while eating, instead of playing with Instagram! – Munim Aug 31 '13 at 06:59
  • As an aside, this "attack" can also work fairly well on physical keypads whose code is not regularly changed. Where I used to live, it was quite easy to see which four keys on the entry-code keypad were used, which leaves only 24 possible guesses to brute-force. – Dolda2000 Apr 05 '14 at 19:45

7 Answers


This is known as a 'Smudge Attack'.

It really depends on how much you've used your phone since you've last unlocked it, but the general principle still stands. If you use the pattern feature of Android phones, this can be particularly obvious.

The University of Pennsylvania published a research paper on the topic and basically concluded that they could figure out the password over 90 percent of the time.

The study also found that “pattern smudges,” which build up from writing the same password numerous times, are particularly recognizable.

Furthermore:

“We showed that in many situations full or partial pattern recovery is possible, even with smudge ‘noise’ from simulated application usage or distortion caused by incidental clothing contact,”

While this is a plausible risk, it is not a particularly practical vulnerability as an attacker needs physical access to your phone. Using a PIN code over a pattern may reduce the chance of this presenting a threat, but it still exists depending on the strength of your PIN and the cleanliness of your hands/screen. However, these same researchers postulate another possible attack using the heat residue left by contact between your fingers and the screen, which would be another problem altogether.

Obviously, cleaning your screen after every use is a practical (and not too difficult) defense against this specific attack. I'd expect that if you have used your phone (say to make calls/send a message/any kind of web browsing) it would also sufficiently obfuscate the patterns/codes. From examining my screen this seems to be the case.

NULLZ
  • No worries. I remember this attack quite well from this research paper. I, like @AJHenderson, frequently wipe my screen as a result :) – NULLZ May 16 '13 at 13:28
  • "90 percent", that's worrying. And interesting: it also means that most people's patterns are probably not very complex and thus bruteforceable. – Luc May 16 '13 at 13:43
  • @Luc I've seen two patterns that are almost un-replicatable even when I've been told the code. You can actually get between the points for the pattern codes and as a result, can make codes quite tricky... – NULLZ May 16 '13 at 13:48
  • @Luc: I think it would be reduced if the patterns allowed a start and end point to be the same, thus increasing the number of possible patterns per smudge trace from 2 (forward-backward) to 2(N-1). Needless to say...not surprised. – Sébastien Renauld May 16 '13 at 14:15
  • "Obviously, cleaning your screen after every use is a practical (and not too difficult) defense against this specific attack"... especially after garlic bread. – AviD May 16 '13 at 17:43
  • Note that the smudge attack risk also varies with the type of cover the device has. Some devices have covers that contact the screen, effectively obfuscating the residue. – Jim B May 16 '13 at 18:19
  • @SébastienRenauld: I'm not sure how you reason here. Given a smudge trace it is quite easily detectable where the start/end points are. If they overlap, it would still only require two tries, even for circles and similar shapes. Also keep in mind that with smudge attacks, it is even possible to tell the direction in which the swipe was made, leading to a single try that would be sufficient, given that the smudge trace is clear enough. – Mythio May 16 '13 at 20:43
  • @Mythio: This depends on the finger of the individual. I have nearly indiscernible traces on my TF300T due to naturally *very* greasy fingers. However, that's just me. My point was mostly a side point - they could add a couple of multiples in patterns by allowing overlaps. – Sébastien Renauld May 16 '13 at 20:47
  • I also challenge anyone to get the smudged code off my phone after it's been in my pocket next to my sweaty balls for a few hours... – NULLZ May 17 '13 at 03:53
  • Randomizing the onscreen password entry key positions would solve this, although it would make entering the password a bit trickier. – Dave Cousineau May 17 '13 at 07:02

One way to mitigate smudge attacks on smart phones is with an application called WhisperCore. It arranges the numbers vertically and it then asks you to wipe the screen in order to unlock the phone, obfuscating the original smudges.


If you use a pattern to lock your phone, after you input the correct pattern, it shows a screen full of stars. Swipe the highlighted stars to unlock the phone, again obfuscating the original smudge pattern.


Of course, the application basically works as a mandatory reminder to wipe your screen, but it's doing it in a way that makes it less annoying to wipe your screen every time you unlock your phone.

Image source: Android Police

Adi
  • I've personally had a lot of problems with WhisperCore and the associated tools. I tried getting it running on several Android devices a few months ago to no avail. Things might be different now however. – NULLZ May 16 '13 at 14:36
  • Nice to see someone already made the application I suggested in my answer. Will have to check it out. – AJ Henderson May 16 '13 at 15:00
  • Wait a second. Why not just shuffle the numbers on the first screen, and then ask to input a PIN? Then there's no need for the 2nd screen that requires a wipe. – Clayton Stanley May 16 '13 at 19:07
  • @ClaytonStanley Because we, human beings, suck at remembering meaningless combinations of letters and numbers. That's why after using your phone for a couple of weeks you stop _actually_ typing your PIN and you start performing a series of touches on the screen that your muscles have "remembered". Same happens with your Operating System's password, because you type it several times a day, you just make quick strikes on the keyboard without thinking about the actual characters of your password. Now imagine if someone switched your keyboard's layout settings (Google German or Nordic layout). – Adi May 16 '13 at 19:38
  • @Adnan Speak for yourself. Even with common long term passwords I enter them by repeating the mnemonic I memorized in lieu of something like "ASfy#wcltp13tbrtMIM". Having to hunt/peck on a Qwertz/Azerty/Dvorak/etc keyboard would slow me down; but what I memorize isn't the positions of the keys. – Dan Is Fiddling By Firelight May 16 '13 at 20:48
  • @DanNeely I don't have to, science speaks for me. It's inevitable, whether you believe in it or not, repetitive tasks create new connections in your brain. Combined with a process called 'implicit learning', you learn how to ride a bike, how to drive a car, martial arts, the position of the light switch when you enter a dark room in your house, and your password. The norm with complex passwords is muscle memory, the exception is people like you (This is, of course, not to say that we forget our passwords completely). http://bit.ly/NZDMbQ , http://bit.ly/184ztVn , http://bit.ly/13zMyFf . – Adi May 16 '13 at 21:35
  • Yeah - I use muscle memory for most of my passwords, especially the long ones. In fact for some on PC's I know I have typed them correctly because of the noise! – Rory Alsop May 16 '13 at 21:41
  • @RoryAlsop Same here. I can't recite many passwords, or even recognize them from sight. Muscle memory all the way. Seeing them for the first time is like "Oh so that's what kept my account safe over the past months... wait quickly get it off the screen before I remember it!" – Luc May 17 '13 at 08:33

There was a paper (will try and find it) that gave a very good explanation of a security improvement:

Using one of the digits at least twice, in a pass code of more than 4 digits

Basically, the "swipe a pattern" option is very easy to see - even at a distance it can be shoulder surfed. Have a look at this paper for some interesting information on techniques.

A 4 digit pin is what most users end up choosing, if they use the pin option, so it is what most attackers will try, and holding the phone up to the light lets you see the pin quite clearly. If, however, you have a 6 digit pin where 2 of the digits are used twice, the attack space becomes quite challenging, as the attacker doesn't know whether you use a 4 digit pin, a 5 or even more - they are likely to start with a 4 and are more likely to lock the phone than get into it.

Rory Alsop

This would be a good reason for another method of unlocking that made the unlocking action different every time. For example, instead of the numbers 0-9 being laid out as:

7 8 9
4 5 6
1 2 3
  0

it might display them as:

3 5 7
1 2 4
6 9 0
  8

Instead of numbers, you could use shapes. Instead of just hitting the shapes or numbers, you could rearrange them into the correct pattern, though that would be less secure as it would be displaying the correct pattern immediately before it is unlocked; however, if the goal were to put the numbers in the matrix into an order where sums, etc. of certain rows were correct, that might be even more secure/less obvious to those that saw or recorded you performing the unlocking sequence.

Possibly for those only visually impaired, it could read the numbers out loud (through their headphones). For those that are visually impaired and hearing impaired, the phone could vibrate in a certain way when they touch different parts of the phone to determine which number is which, then they touch something once they know which number is where to enter the code. You could also have it lock the numbers into a certain orientation and only change on a predetermined schedule to make it less difficult to have to remember the new orientation, or even lock it completely, even though that would be susceptible to smudge attack.

Gary S. Weaver
  • I like this idea, but it may reduce usability for impaired users. It could also be problematic for long passwords or larger input alphabets. Having this be optional with it turned on by default seems like a good feature. – jerry May 16 '13 at 19:36
  • It wouldn't be fair to have them more susceptible to attack. I'll update my answer, thanks. – Gary S. Weaver May 16 '13 at 19:48
  • +1 for how this could work for impaired people. – AJMansfield May 17 '13 at 00:04
  • There are a few companies that make keypads with LEDs in the keys that do exactly what you described. The first time I saw one was in the 1990s, so it's not a new thing. I have a friend who founded a (now-defunct) company called GrIDSure that, inspired by those locks, had a system where your PIN was a pattern and randomization of the keypad turned it into an OTP. – Blrfl May 17 '13 at 10:50
  • Cyanogenmod actually has this feature where the layout of the numbers is randomized every time. Unfortunately it takes a lot longer to enter the PIN. – Jonas Czech Nov 10 '15 at 14:05

I for one have always wiped my screen on my shirt after unlocking it specifically because of this (and because I find the finger swipe marks annoying.) But yes, this is very much a risk if you unlock it and don't at least continue to use it for a while to mess up the markings.

A pin code might help some, but you might still be able to see the spots touched which would greatly reduce the complexity of guessing the password. It's still a good idea to wipe the screen if there are visible markings.

Another good counter for this would be if they added a second quick step to trace another pattern that would make recognizing the pattern more difficult before unlocking.

AJ Henderson
  • If available, a pinpad unlock screen that randomized the number layout each time would defeat a smudge attack. Where I work the badge readers we have do this; it only takes an extra second or two to find where the numbers are this time and type the 6 digit pin. OTOH if all you have is a standard length pin an attacker could use brute force tools to break in, and I suspect a scrambled layout would be a much larger impediment on an alphabetic keyboard if you were entering a password instead. – Dan Is Fiddling By Firelight May 16 '13 at 17:06
  • Someone needs to sell a line of shirts with built-in microfiber pads for wiping mobile device screens. :-) – LarsH May 17 '13 at 13:49
  • @LarsH - maybe they could make it like the little tag with the product information, you could just flip it out, use it and then put it away. Or we could bring back wearing a handkerchief in the breast pocket, but instead have a micro-fiber cloth. ;) – AJ Henderson May 17 '13 at 13:52

I've wiped down my screen every time I turn it on for quite some time. It's partly due to this problem and partly to increase readability in the presence of glare. I was very interested to find out there is actual research out there on the topic.

While touch screens are especially prone to the problem of physical residue revealing secret information (despite the improvements that have been made in oleophobic screen coatings), the problem can also occur with other input methods. Fingerprints may be visible on the surface of (hardware) buttons, switches, or keypads, even without the use of specialized equipment.

Even if they're wiped down, however, there's a more permanent problem. I'm sure we've all seen text that has been rubbed off, membrane overlay that has ripped, or plating that is wearing down on a frequently used button:

[image: worn keypad]

In a security context, this type of problem likely means that the password is not being changed often enough, but I've seen real examples of it. Obviously it needs to be changed out before this degradation becomes visible to the naked eye. In higher security settings, though, that's probably not enough. Two possible remediations are to use very durable buttons and to even out the number of presses of every button either before or after entering the password.

jerry

I use all ten digits exactly once in a ten-digit PIN on my tablet, versus a pattern. I also don't keep anything of particular value on my tablet (the only reason the password is there is that a PIN is mandatory to save VPN configuration details with Android -- not including my user password).

Note: using a permutation of all ten digits exactly once does significantly cut down on the entropy. The # of permutations: 10! = 3 628 800, which is roughly equivalent to a 6.56 character-long pin, or about 3000 times easier than a 10 digit random pin.

Also, I find it's fairly easy to eavesdrop a PIN on a touchpad when I use my tablet commuting on a subway, but find that this is a reasonable defense against smudge attacks.

dr jimbob
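As an added example (not code from this thread or any of its posters), the Python below models the counting behind both Rory Alsop's digit-repetition suggestion and dr jimbob's 10! figure: given how many distinct keys carry smudges and a guessed PIN length, it counts the PINs consistent with that evidence, i.e. the space an attacker must search. It assumes the attacker can tell which keys were touched but neither their order nor how often each was pressed.

```python
from itertools import product
from math import comb, log10


def consistent_pins(observed_keys: int, pin_length: int) -> int:
    """Count PINs of length `pin_length` that press every one of the
    `observed_keys` smudged keys at least once and press no other key.

    Inclusion-exclusion over which observed keys a candidate PIN
    leaves unused: sum_i (-1)^i * C(k, i) * (k - i)^n.
    """
    k, n = observed_keys, pin_length
    if n < k:
        return 0  # a shorter PIN could not have touched all k keys
    return sum((-1) ** i * comb(k, i) * (k - i) ** n for i in range(k + 1))


def consistent_pins_bruteforce(observed_keys: int, pin_length: int) -> int:
    """Independent cross-check by enumeration; only for small inputs."""
    keys = range(observed_keys)
    return sum(1 for p in product(keys, repeat=pin_length) if set(p) == set(keys))


def attack_space(observed_keys: int, max_length: int) -> dict:
    """Candidates per PIN length, for every length the attacker must consider."""
    return {n: consistent_pins(observed_keys, n)
            for n in range(observed_keys, max_length + 1)}


def equivalent_random_digits(candidates: int) -> float:
    """Length of a uniformly random decimal PIN with the same search space."""
    return log10(candidates)


def reduction_factor(observed_keys: int, pin_length: int) -> float:
    """How many times smaller the search space is than a random PIN of that length."""
    return 10 ** pin_length / consistent_pins(observed_keys, pin_length)


if __name__ == "__main__":
    # Rory Alsop's scenario: a 6-digit PIN with two digits used twice leaves
    # only 4 distinct smudges; an attacker assuming a 4-digit PIN sees 24
    # candidates, all wrong, and the true space is far larger.
    print("4 smudged keys, PIN length 4..6:", attack_space(4, 6))
    # dr jimbob's scenario: each digit used exactly once in a 10-digit PIN.
    perms = consistent_pins(10, 10)
    print(f"10! = {perms}, ~{equivalent_random_digits(perms):.2f} random digits, "
          f"{reduction_factor(10, 10):.0f}x easier than a random 10-digit PIN")
```

Dolda2000's "24 possible guesses" for four worn keys is the `consistent_pins(4, 4)` case; the same four smudges with a 6-digit PIN yield 1560 candidates.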