Smudges left on Android touch screens leave tell-tale signs that can often be used to recover password patterns used to lock the phones, according to research presented earlier this week. The smudge attacks work by photographing Android handsets from a variety of angles using standard cameras and lights. The oily residues from …
Way to make a physical hardware trait somehow OS-specific.
Maybe they could randomise the keypad layout?
Nope, can't be done for a path-tracing input method, as it's possible (even likely) that the randomization would put the next item in the sequence in a non-adjacent position.
If they randomised the position on screen, size and orientation the device had to be held in, then over time the smears would cancel each other out. Not sure if that would be enough to defeat this though
right........ and ?
Their point is ?
Well at least my constant screen cleaning is now a security consideration.
Next watch out for....
*Norton Total Defence Screen Wipes (TM) Standard version!!!*
Standard version available in XS, S, M, L, XL and XXL sizes, in a variety of colours that can be renewed using home laundry equipment (subscription required)
*Norton Total Defence Screen Wipes (TM) Professional version with added antiviral and anti-bacterial features!!!*
Professional version available in handy pocket-sized packs, not to be confused with products by Huggies or Kleenex.
Because they'll try to badge anything as a security tool.
...they would need to come in a box 12ftx12ft with additional trial Norton rubbish bags and Norton Pocket edition wipe. Once you use them they will leave a sticky residue that eventually will have to be cleaned with an industrial strength cleaner due to the fact it takes 5 seconds per key stroke to remove your fingers.
Hollywood had this sussed a decade ago...
Fed up with idiocy like "GRANT ACCESS TO SECRET FILES"? Well, the "look for smudges on a touchscreen entry panel" was a quick and effective method to enter the bank vault/nuclear silo/etc...
This was the first thing I thought when I saw this pattern lock system.
I have one on mine, but that's only really to stop it unlocking itself while in my pocket!
>Simple clothing contact does not play a large role in removing smudges
No but the cloth wallet that the Nexus One comes with cleans the screen when you put it away to carry in pocket or bag. Likewise using the phone to answer a call creates smudges which cross the same points as the password - and most other actions involving a swipe will at least interfere.
Seems like all their testing was done in ideal circumstances to me.
Very similar attack
To those against keypad entry systems. Simply check which keys show the greatest wear and then try all possible combinations (usually about 30 keystrokes). This works >80% of the time in my experience.
Or instead of a computer and camera
...you could use your eyes. Obvious research alert!
I've noticed some fairly obvious patterns on my screen so this research comes as no surprise. I treat the lock pattern merely as something to slow somebody down for long enough for me to send a lock and erase message to my phone via WaveSecure.
Why not do passwords the way they do it in Caprica
You know, with that cool spinny circle of symbols.
Or if that's too cool, just a symbol-based entry system, where the symbols appear in random places.
Point out the obvious..
Anyone could have told you that.. you don't even need a camera, just hold phone at various angles and you can see the smudges.
Announcing my new invention: the Android Glove!
Is that ...
... a right handed glove or a left handed antenna friendly glove ?
Dear Mr Jobs
After seeing the videos of other phones with reception issues on your site, we would also like to produce a glove for your iphones.
Can we have written permission and an agreement you won't bring out something similar, steal the iglove name from us, sue us, patent it after we create it, and charge more for it in the UK?
easy fix for that then
just randomise the numbers on the screen each time, so that the smudge has no resemblance to fixed number positions, making the smudge worthless even if captured...
that said, the android lock screen doesn't use numbers, perhaps it should?
Not only, but also ...
Randomising the keyboard layout would be one step, but ideally I'd like to see the (randomised) keys also slowly floating around the screen at random.
It'd also be a nice solution to texting-whilst-drunk syndrome.
It's a good point really.
I do like Android's way of drawing an unlock pattern on the screen, once you get the hang of it it's certainly quicker than having to tap in a four digit code. You just fall into a habit of scribbling on the screen a bit like everyone used to pick up a Nokia phone and instinctively hit menu + *. The pattern does seem more easily readable though, I've had several friends who are able to pick up my phone and unlock it without issues thanks to the smear on the screen, it stands out like a sore thumb against the smears left by general usage, especially when you've only unlocked your phone to say peek at a widget before turning it off again.
Delicious Slice of Smudgecake
What about all the other smudges?
- Smudge to swipe down the notification bar
- Smudge to write using Swype
- Smudge to move tabs in Opera Mini
- Smudge to move between homescreens
Right now on my Hero there are hundreds of smudges in all directions, most of which are over the unlock pattern. Don't see how this would be feasible under real conditions.
This is a title
Smudges are the reason I dislike touch screens. The old resistive one with a stylus (a la P800) was OK, but had the inconvenience of a stylus (although I never actually lost one), but had the advantage of reading handwriting. I remember an early touch-screen HP oscilloscope where any time someone attempted to point to some feature of the trace, a menu would pop up to obscure it.
I have an E71 phone, keyboard safely separate from the screen, although wear and tear on the keys would probably give away passwords on that.
Scientific experiment? Photographing from multiple angles? No. Try just looking at it.
I've seen a range of android smartphones that all have easily visible smudges from entry of the lock pattern. (Mine included!) The owners of these phones have agreed with me that this makes the otherwise nice idea of an unlock pattern pretty useless as a security measure.
Apparently (as is so often the case) this will be fixed in the next release - 2.2. And by fixed I mean they'll add a PIN code unlock option as an alternative to the easily-compromised pattern method.
Really though. People spent time 'studying' this? They could've just asked anyone in the street that they saw with an android smartphone.
I don't bother with that stuff on my Desire. I have quite oily fingers and you don't need complicated software to break into my phone. What would be nice is a PIN pad (possibly using symbols rather than numbers) that uses a random layout each time, with some sort of timeout (ie. you only need to type the PIN after 5 minutes or whatever).
Pint because I couldn't find an image to represent "meh".
These features are in the Froyo release of Android - a move to make the devices more acceptable to company security policy, with remote wipe, PIN, variable timeout etc alongside the older unlock methods.
If you can get the OTA upgrade, these things will be with you soon.
Sherlock will return to BBC
Once Sherlock has told us about smudges on phones....
Oh and there he goes.
they say that randomised number positions are available in android 2.2...
still, if you're photographed with the screen turned on, then no better than before really.
Perhaps some sort of accelerometer based 'signature' could be utilised as well on compatible devices?
Further still, how about multi touch without the swiping, that way the 'smears' do not indicate a sequence of numbers, making the smears even more worthless. So instead of CTRL+ALT+DEL to unlock, it's 3 + 4 + 7, but the numbers are different locations each time? still, someone snapping you whilst unlocking would reveal the relative numbers. Would blend in more with the 'noise' from normal phone usage as well.
more research needed!
OS Bias in Tagline?
Seriously this is the most ridiculous bias I think I've seen.
"Attack reads smudges to retrieve smartphone password patterns" would have been a better tag line.
All you have done is stop those people with an iPhone (or another OS) from reading an article which may highlight a security risk that applies to them.
Not such a problem on iPhone, as you can change from a simple password (4 digit number) to a more complicated password (full keypad available, letters, numbers and symbols)
>Not such a problem on iPhone
Unless the thief owns a USB cable.....on the whole if you own a SmartPhone it's probably best not to lose it. Any security is an illusion and the potential consequences of loss seem to be getting worse month by month.
I noticed this pretty much as soon as I took to using my 'droid phone- it really is pretty obvious what the pattern is if you just hold the phone at an angle to the light because you tend to leave a trail of grease across the screen.
I guess the ideal solution would be to always carry a spare screen protector, apply it before using the phone and then take it off and destroy it immediately after signing in. I'm surprised everyone isn't doing this already. Admittedly it would get through a lot of screen protectors and be deeply inconvenient, but we all have to make compromises for security.
maybe time to install the swipe keyboard
The lad over in the corner with the itchy-head showed me a keyboard on his Desire where you don't tap the screen, you simply slide your fingers all over it. Cool.
Added benefit is obviously "more smudges" which will go some way to disguising my unlock-pattern.
The unlock pattern is a really good, simple way of unlocking your phone, but I have to agree with the other users - the pattern is obvious from the smudges that form. I suppose that means they'd need two tries to unlock my phone. But I'm pretty sure if someone got their mitts on my phone they'd be able to break into it somehow no matter what method of locking I used.
If they already have physical access to your device, even a pattern unlock is a token measure.
A non-issue, really.
I don't really mind about the handset, I'm concerned about the data that's on it. If they can't unlock the phone they'll have to factory-reset it to use it, and that will wipe my data anyway.
Unless of course we're dealing with the sort of thieves who are going to use data recovery on the device, or some sort of advanced cracking to circumvent the lock function and get to my information. In which case I hopefully will have noticed the phone's absence and gone and changed all my passwords in the time it'll take them to do it.
People are going to steal your phone for one of two reasons:
1.) They want to sell it to someone else/reset it for their own use. In this case they don't care about your password, they're just going to reset it.
2.) (Which is very very very unlikely) They want to steal data off your phone. Unfortunately, very few people, if anyone at all, are cool enough to be targeted for data theft via stealing a phone. No matter how special mommy told you you were, no one wants to read your texts or see pictures of your junk you send to the ladies. In this situation, they're going to rip the phone open and remove the data storage to implant into another device.
Password is irrelevant. All it is going to do is stop your friends from playing with your phone if you leave it laying around (probably while drinking).
In the kingdom of the.....
In a time when touchscreens rule the roost the man with at least one wooden hand is laughing the most. No smear marks to give his password away, unless he has recently varnished his hand and hasn't let it dry enough.
Coat: As the pinch to zoom will be a total let down.
In the kingdom of the capacitive touchscreen....
....the man with wooden hand is royally fucked.
...who cares? As said, if someone has your phone then it doesn't matter if they can analyze smudges. And your average mugger isn't going to do that. All the pattern does is prevent casual nosey parkers, and it will stop someone long enough for me to contact the network and report the handset stolen.
Frankly, "no shit". Anyone just looking at my phone could guess my unlock pattern in 2 tries (left-right or right-left?)
Cute as it is, something with symbols that appear in different places would be better. A PIN-based replacement is little better unless the numbers move around.
A PIN-based approach would be fine for me.
The bottom half of my phone screen is covered in finger-grease 'dots' from typing anyway. The code dots would blend in.
anyone else notice ?
How much anti Android press there is this week.
Another example of how crap the glorious Android is.
Yup, Android, that wonderful iPhone killer, seems less and less safe by the day.
Yesterday, dodgy software doing dodgy things to unsuspecting Android phones.
Today, Android's security system turns out to be anything but secure.
Gotta love Android - keep it up, chaps, I'm enjoying my daily laugh :-)
Were you abused by an android as a child?
The title is required, and must contain letters and/or digits.
Why yes, yes I was.
What's your excuse?
Public Warning For Android Users
If you own an Android based phone watch out for gangs of data thieves. If you see a herd of morons carrying cameras, lights and software following you around report it immediately, but DON'T use your own phone (keep that out of sight), borrow someone else's iPhone and call for help (signal strength permitting)
no-one ever wipes their screen to clean it so we're all screwed
Reading oily smudges?
Never thought my oily face would be a security device :D
White glove test
Though for any phones there are anti-smudge screen protectors out.
But iPhone 4 is a smudge magnet:
“The glass front and back surfaces feel great, although we noticed plenty of fingerprints after I and other journalists had spent just a few minutes playing with it.”
Then naturally with the iPud
"With all the use, it goes without saying, my iPad is now covered with lots of finger prints and plenty of smudges. The dirty screen is not as noticeable when I’m using it in soft indoor lighting; however, when I move to a room with bright lights or outside on the patio, the smudge covered screen is much more obvious. (I know I’m not the only one with this problem. We’ve had many readers contact us about what to do for smudged screens.)"
It amuses me when people have to jailbreak a phone to be able to have perceived freedom and choice only to have it taken away with the next OS update and always be told what they are allowed to do.
Written by Apple fanbois
I have various hand-held devices and all of them are protected by screen overlays and they don't smudge. Besides, having chubby fingers I honestly prefer a stylus which leave no smudges.
Several are tethered to my belt and these crazy ideas are unlikely to be very practical.
I hope any government funding for these types of stupid studies is cut, soon.
Swipe, Wipe, Mask, and Hide
Just exhale on the screen and wipe across cotton pants or shirts. Repeat. Then exhale again, looking for signs of oil. Rub vigorously if in doubt. It's what *I* do. Also, mask your phone when swiping passwords on trains or crowded areas
Also, make sure that Wi-Fi/Bluetooth and phone announcing are turned off. I get suspicious when people near me point their phones at odd angles but then aren't really *reading* their phone.
And, as for USB cables... be warned that one of the automount apps in the Market changes the way the phone responds to being plugged into a computer. I installed the warez and now it seems that only a factory wipe might fix the problem. The problem? Plugging into a computer AUTOMATICALLY mounts, and even if on occasion it appears to NOT mount, "unmount" still shows up as the first option.