BLOG: “Don’t ignore your phone after unlocking it.”

Kristina Hiraishi

If you are an active smartphone user like me, you may be switching between locking, unlocking, swiping, or tapping your phone screen for hours of the day. However, many of us (including me) don’t pay attention to the traces our fingers leave behind on the screen after texting our friends and browsing the internet or even know that there are ramifications of doing so. When a person interacts with a touchscreen, liquid traces made up of substances in the epidermis, the secretory glands, and outside contaminants adhere to the screen as the finger is pressed down. To everyday users, these oil residuals may be a normal sight or just a nuisance, but for unauthorized users, they are an essential piece of evidence for a successful smudge attack. 

What exactly is a smudge attack?

A smudge attack is an information extraction process that uses leftover fingerprint smudges on a screen to discern the password of the device of interest, such as a smartphone or tablet computer. If attackers have the device, they can use a camera and lights to capture the locations of the fingerprints. Under proper lighting and camera angles, the picture will pick up the fingerprint smudges which is then compared to a reference picture of the keypad or grid to figure out the pattern or numbers used. Experts may also use more complex procedures by involving fingerprint powder or image processing software. These tools help highlight the fingerprints even more against the dark background and better confirm their locations if the picture is ambiguous.

Why should you be concerned about this attack?

If you face a situation where your phone is stolen, you might imagine a scene where the attacker uses some crazy technology and software to hack into the phone. On the contrary, smudge attacks are a much easier option and also cheap with simple equipment. This should raise more concern since many people secure their devices with PINs and pattern locks. These authentication methods are highly vulnerable to smudge attacks because the users are required to perform a series of swipes or taps that can reveal the locations, numbers, or directions used to unlock a phone. 

The dangers of smudge attacks are also present in the fact that fingerprint smudges are hard to remove and are persistent to cleaning attempts. Attackers don’t need perfect smudges to discern the password, and even light or overlapping smears don’t make it impossible for attackers to find out the code.

In the paper "Boosting the Guessing Attack Performance on Android Lock Patterns with Smudge Attacks," the researchers proposed a smudge attack method called smug that utilizes image processing. They tested it on users who were instructed to use the Facebook app after unlocking the password, and they found that 31.94% of the phones were cracked. Swiping or using apps after inputting the code wasn’t enough to eliminate the possibility of an attack, and smartphone users should be encouraged to create habits or adopt a new authentication method that prevents their fingerprints from being used against them.

Screen Shot 2020-12-16 at 9.44.33 PM.png


Here are two pictures I took to help visualize the smudges that attackers can use to discern the PIN, password, or pattern used to lock the device. On the left, you can see the fingerprints left behind on the screen from inputting a 4-digit code with other swipes marks from using some apps. On the right is a picture of the same screen after wiping it for exactly 6 seconds with my jacket sleeve. There are still visible smear marks, and better cameras, lighting, and the addition of fingerprint powder can increase the feasibility of a successful attack.

How to protect your information?

It is not ideal to vigorously clean your screen each time you unlock your phone- it’s repetitive and inconvenient. However, there have been numerous attempts to mitigate the risk of smudge attacks- Whisper Systems created an app in 2011 and Blackberry developed the DTEK50 smartphone in 2016. The Whisper Systems app required users to swipe over the grid space to cover up the smears created in the verification period before being able to use the phone . Blackberry introduced the DTEK50 phone and promoted it as having an oleophobic coating, which stops oils from sitting and sticking to the touch screen. Recently, more and more smartphone developers are following suit and implementing this protective layer on touch screens. Unfortunately, the coating will wear over time. Despite the short lifespan, there are various screen protectors on the market, ranging from $30 to $60 that can be purchased. They can be placed upon an existing smartphone to help resist the presence of smudges and are perfect for screens whose coating has worn off. I would say this is the best choice for users so that people don’t need to buy a whole new device. Another solution would be to use biometrics, such as FaceID or TouchID from Apple. Biometrics uses one’s behavioral or physiological traits to authorize them, so users have to rely on their human features or mannerisms instead. Creating stronger passwords/patterns or using biometrics will also prevent other attacks like shoulder-surfing and brute-force dictionary attacks, a win-win situation!

What should you take from this?

Obviously, smudge attacks can only occur if the touch screen device is out of your possession. You may never think this is ever going to happen or have some doubts about the chance the attacker actually uses the smudge attack method. Although it doesn’t seem like a huge threat right now, it is still important to be aware that the smudges on your screen can make any lock worthless and know how to take the precautions to protect yourself. Remember, the decisions you make can only strengthen the security of your smart device!

Bibliography:

  1. Belhadjamor, M. et al. 2016. “Anti-fingerprint properties of engineering surfaces: a review.” Surface Engineering 34(2): 85-120. http://dx.doi.org/10.1080/02670844.2016.1258449

  2. Aviv, Adam J. et al. 2010. "Smudge attacks on smartphone touch screens.” USENIX Association: In Proceedings of the 4th USENIX conference on Offensive technologies 1-7. https://www.usenix.org/legacy/event/woot10/tech/full_papers/Aviv.pdf

  3. Cha, Seunghun et al. 2017. "Boosting the Guessing Attack Performance on Android Lock Patterns with Smudge Attacks". Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security 313–326. doi:10.1145/3052973.3052989

  4. Maqsood, Sana, Sonia Chiasson, and Audrey Girouard. 2016. “Bend Passwords: Using Gestures to Authenticate on Flexible Devices.” Personal and Ubiquitous Computing 20: 573–600.

  5. Summerson, C. 2011, June 2. [New App] WhisperCore Prevents Smudge Attacks On Android Phones - With The Sacrifice Of Convenience, That Is. Android Police. https://www.androidpolice.com/2011/06/02/new-app-whispercore-prevents-smudge-attacks-on-android-phones-with-the-sacrifice-of-convenience-that-is/

  6. Barrera-Hernandez, M. 2016, July 26. Hackers Can Steal Your Password via Your Smartphone’s Screen Smudges. The Smudge-Resistant DTEK50 Helps Prevent That. BlackBerry ThreatVector Blog. https://blogs.blackberry.com/en/2016/07/hackers-can-steal-your-password-via-your-smartphones-screen-smudges-the-smudge-resistant-dtek50-helps-prevent-that

  7.  Apple. 2020, October 22. Cleaning your iPhone. Apple Support. https://support.apple.com/en-us/HT207123