A clever feature of smartphones running Google's Android operating system is the gesture unlocking method, in which users choose a custom security pattern by connecting dots on a three-by-three grid with a fingertip. But researchers recently showed how the ordinary screen smudges left behind by entering the gesture can be used by a hacker to easily deduce the pattern.
"This is a known idea. Everyone really kind of knew something like this was possible, but we were really the first team to do a systematic analysis of how," said Adam J. Aviv, a doctoral candidate at the University of Pennsylvania, who presented the research at the Usenix Security Symposium in Washington last week.
"The more I used the [Android] phone, the more I noticed you could see my pattern. I'd go to bed in the evening, wake up, and you could see my smudge," Aviv said.
Aviv and his team decided to investigate what type of security risk the smudges might represent. In one test, they determined that 68 percent of password smudge patterns are fully detectable, and 92 percent are partially detectable.
With patience and good technique, a partial smudge is all that's needed for a determined hacker to unlock the phone. Close observation can even determine in which direction the smudges were marked.
Frequently cleaning an Android phone's screen, or using a clear plastic screen protector, are the obvious deterrents. Smudges could also be intentionally or inadvertently camouflaged by having an especially dirty screen, resulting in primitive steganography, Aviv joked. (Steganography is the concept of disguising secrets in plain sight.)
"The practice of entering sensitive information via touch screens needs careful analysis in light of our results. The Android password pattern, in particular, should be strengthened," his research paper states.
A spokesperson for Google, which controls the Android project, did not respond to questions about informing its customers of this weakness, or about improving or eliminating the gesture lock feature.
It's possible that companies such as Corning, which makes smartphone screens for Android vendors Motorola and Samsung, could themselves find ways to reduce smudges.
"To date, there are no true anti-smudge technologies. There are a number of coatings that claim to be anti-smudge but in fact only facilitate easy removal of fingerprints," Corning spokeswoman Anna Giambrone told TechNewsDaily in an email. "Corning also has further research and development efforts underway to address this challenge."
Aviv notes that Android screen-smudge attacks are just one of several recently studied physical hacking tactics. Other researchers are examining ways to determine messages by listening to a dot-matrix printer's sound, and how to remotely alter vehicle settings by intercepting equipment sensor signals, he said.
For Android specifically, the heat signature left by a finger swiping a security pattern on a screen could also leave traces, although this would likely dissipate more quickly than visible smudges.
Aviv's team includes doctoral candidate Katherine Gibson, undergraduate Evan Mossop, and professors Matthew Blaze and Jonathan Smith, also of the University of Pennsylvania.