A team of University of Pennsylvania researchers has identified a threat to the screen-lock patterns and passwords of touch-screen devices: the oily residue that fingertips leave behind on the glass.
In a paper delivered at this week's USENIX Security Symposium in Washington, D.C., the five security researchers described how an attacker could use different camera angles and lighting conditions to reveal smudge patterns that expose full or partial passwords on touch-screen Android devices.
The researchers admit that the attacker would have to be fairly "active" to carry out this "smudge attack." Aside from having a camera and lighting equipment, the attacker would have to steal or "borrow" the device and then arrange the lighting and camera angle carefully to extract the information.
Under those conditions, the experiment's results were "extremely encouraging" (from the attacker's point of view), the researchers wrote, noting that smudge marks are hard to erase and that incidental contact with clothing, such as a pants pocket, does not eliminate them.
"[I]n one experiment, the pattern was partially identifiable in 92 percent and fully in 68 percent of the tested lighting and camera setups," according to the paper, "Smudge Attacks on Smartphone Touch Screens" (.pdf). "Even in our worst performing experiment, under less than ideal pattern entry conditions, the pattern can be partially extracted in 37 percent of the setups and fully in 14 percent of them."