Hold your phone up to the light. See that? It's finger grease, and it's an easily exploited hint at what your password or PIN might be. Don't become a victim of smudge attacks. The IT Security experts at Stack Exchange provide tips on keeping the contents of your phone your own.
After eating some garlic bread at a friend's house, she managed to quickly determine the PIN code to unlock the screen of my Samsung SIII. She figured this out by simply holding the device against the light and looking at the grease pattern my thumb left on the screen. It only took her two attempts to unlock the screen! I guess she wouldn't have been able to access my phone if I had kept the screen cleaner, or if the device could only be unlocked by pressing numbers, rather than dragging the finger to form a pattern. Is this a common means of attack? Are finger dragging pattern passwords really more insecure than number touch passwords?
See the original question.
Smudge Attack Basics (Answered by D3C4FF)
What you describe is known as a "smudge attack." It really depends on how much you've used your phone since you've last unlocked it, but the general principle still stands. If you use the pattern feature of Android phones, this can be particularly obvious. The University of Pennsylvania produced a research paper on the topic and basically concluded that they could figure out the password over 90 percent of the time. The study also found that "pattern smudges," which build up from writing the same password numerous times, are particularly recognizable. Furthermore: "We showed that in many situations full or partial pattern recovery is possible, even with smudge 'noise' from simulated application usage or distortion caused by incidental clothing contact."
While this is a plausible risk, it's not a particularly practical vulnerability as an attacker needs physical access to your phone. Using a PIN code over a pattern may reduce the chance of this presenting a threat but it still exists depending on the strength of your PIN and the cleanliness of your hands/screen. However, these same researchers postulate another possible attack using the heat residue left by contact between your fingers and the screen which would be another problem altogether.
Obviously, cleaning your screen after every use is a practical (and not too difficult) defense against this specific attack. I'd expect that if you've used your phone (say to make calls/send a message/any kind of web browsing) it would also sufficiently obfuscate the patterns/codes. From examining my screen this seems to be the case.
WhisperCore (Answered by Adnan)
One way to mitigate smudge attacks on smart phones is with an application called WhisperCore. It arranges the numbers vertically and it then asks you to wipe the screen in order to unlock the phone, obfuscating the original smudges. If you use a pattern to lock your phone, after you input the correct pattern, it's a screen full of stars. Swipe the highlighted stars to unlock the phone, again obfuscating the original smudge pattern. Of course, the application basically works as a mandatory reminder to wipe your screen, but it's doing it in a way that makes it less annoying to wipe your screen every time you unlock your phone.
More Digits, and Double Up (Answered by Rory Alsop)
A quick and easy security improvement: In any pass code of more than 4 digits, be sure to use one of the digits at least twice. The "swipe a pattern" option is very easy to see; even at a distance it can be shoulder surfed. As previously mentioned by D3C4FF, check out this paper from the University of Pennsylvania for interesting information on smudge attack techniques and how you might avoid becoming a victim.
One major takeaway from the paper: Use more than four digits. Most touchscreen users choose a 4-digit PIN (if they use the PIN option), so it's what most attackers will try. If, however, you use a 6-digit PIN where two of the digits are used twice, the attack space becomes quite challenging, as the attacker doesn't know whether you use a 4-digit PIN, or even more. They are likely to start with four, and it's more likely the attacker locks the phone than gets in.
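To put numbers on the point Rory makes above, here is a small calculator (an added example written for this page, not code from the Stack Exchange answer or from the University of Pennsylvania paper). It assumes the smudge reveals only *which* keys were touched, not their order or how many times each was pressed, and it assumes an attacker who does not know the PIN length beyond an upper bound (the `max_len` parameter is an assumption for illustration). It counts how many PINs remain consistent with the smudge, using inclusion-exclusion to count strings that use every smudged digit at least once, so you can compare an all-distinct 4-digit PIN against a longer PIN that reuses digits.

```python
from math import comb


def surjective_pins(length: int, distinct: int) -> int:
    """Count PINs of `length` digits that use exactly `distinct` given keys,
    each at least once (the PINs consistent with a smudge on those keys).

    Inclusion-exclusion over the keys that are *not* used:
    sum_{j=0..k} (-1)^j * C(k, j) * (k - j)^length
    """
    if distinct <= 0 or distinct > length:
        return 0
    return sum((-1) ** j * comb(distinct, j) * (distinct - j) ** length
               for j in range(distinct + 1))


def candidate_space(distinct: int, min_len: int, max_len: int) -> int:
    """Total candidates when the attacker cannot tell the PIN length and
    must consider every length from `min_len` to `max_len` inclusive."""
    return sum(surjective_pins(n, distinct) for n in range(min_len, max_len + 1))


def smudge_candidates(pin: str, max_len: int = 6) -> dict:
    """Risk summary for one PIN under the smudge-only attacker model.

    `max_len` is an assumed upper bound on PIN length (constructed for
    illustration, not a figure from the page).
    """
    if not pin.isdigit():
        raise ValueError("PIN must consist of digits only")
    k = len(set(pin))  # keys that would carry a smudge
    return {
        "distinct_keys": k,
        # attacker knows the exact length: orderings/multiplicities only
        "same_length": surjective_pins(len(pin), k),
        # attacker only knows length is between k and max_len
        "unknown_length": candidate_space(k, k, max_len),
        # no smudge information at all, exact length known
        "no_smudge_info": 10 ** len(pin),
    }


if __name__ == "__main__":
    # Constructed sample PINs: all-distinct 4-digit vs 6-digit reusing digits.
    for sample in ("1234", "123412", "123455"):
        print(sample, smudge_candidates(sample))
```

Two things the output makes concrete: an all-distinct 4-digit PIN with the length known collapses to just 24 orderings, while a 6-digit PIN built from the same four keys leaves 1560 candidates of length 6 and 1824 once the attacker cannot rule out lengths 4 and 5, which is why the first two dozen guesses aimed at a 4-digit PIN are more likely to trip the lockout than to succeed. Note that for a fixed length, reusing exactly one digit (five distinct keys over six positions) leaves more candidates than reusing two.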
Disagree with the answers above? Find more answers or leave your own at the original post. See more questions like this at the IT Security site at Stack Exchange. And of course, feel free to ask a question yourself.