Clean Your Touchscreens for Security's Sake

At the Usenix security conference, an "unusual" but still useful study was discussed. It involved using the smudges on touch screens to break into smartphones, among other devices.

The study from researchers at the University of Pennsylvania focused on smartphone touch screens, but researchers added that such "smudge attacks" could be applied to "a significantly larger set of devices, ranging from touch screen ATMs and DRE voting machines to touch screen PIN entry systems in convenience stores."

Indeed, while the idea of a "smudge attack" may first seem arcane, touching the screen with your finger leaves behind an oily residue that is pretty persistent, as those that have tried to rub it off sans a screen cleaner can attest to. This makes it something that could be used to break into certain lock sequences, in particular the "pattern lock" used to secure many Android phones.

Researchers were able to use various lighting and camera angles to enhance the appearance of smudges, such that they were able to figure out the sequence of patterns used to unlock Android smartphones. In fact, the researchers were successful at unlocking the Android phones more than 90 percent of the time.
We believe smudge attacks based on reflective properties of oily residues are but one possible attack vector on touch screens. In future work, we intend to investigate other devices that may be susceptible, and varied smudge attack styles, such as heat trails caused by the heat transfer of a finger touching a screen.

The practice of entering sensitive information via touch screens needs careful analysis in light of our results. The Android password pattern, in particular, should be strengthened.

There are some ways to minimize that issue on Android, such as using a pattern that crosses itself to make it more difficult to determine the actual pattern. Additionally, Android 2.2 adds the ability to use a PIN-lock instead of a pattern, and some manufacturers have customized their Android builds to allow PIN-locking of earlier builds. For example, the Droid X with Android 2.1 has PIN-locking.

Still, one has to wonder if this suddenly the sale of screen cleaning wipes will rise as a result of this. That's the obvious way to keep this from being a security hole of your own: keep your screen clean.