Smudge attack

From Wikipedia, the free encyclopedia

A smudge attack is a method to discern the password pattern of a touchscreen device such as a cell phone or tablet computer. The method was investigated by a team of University of Pennsylvania researchers[1] and reported at the 4th USENIX Workshop on Offensive Technologies.[1]

The smudge attack relies on detecting, with simple cameras and image processing software, the oily smudges left behind by the user's fingers when operating the device. Under proper lighting and camera settings, the finger smudges can be easily detected, and the heaviest smudges can be used to infer the most frequent user input pattern (the password). The researchers were able to break the password up to 68% of the time under proper conditions.[1]

The research was widely covered in the technical press, including reports on PC Pro,[2] ZDNet,[3] and Engadget.[4]

Once the threat was recognized, at least one product was introduced by Whisper Systems to mitigate the risk.[5]


  1. Aviv, Adam J.; Gibson, Katherine; Mossop, Evan; Blaze, Matt; Smith, Jonathan M. "Smudge Attacks on Smartphone Touch Screens" (PDF). 4th USENIX Workshop on Offensive Technologies.
  2. Kobie, Nicole (11 August 2010). "Touchscreens open to smudge attacks". PC Pro. Retrieved 20 June 2012.
  3. Danchev, Dancho (16 August 2010). "Researchers use smudge attack, identify Android passcodes 68 percent of the time". ZDNet. Retrieved 20 June 2012.
  4. Lai, Richard (16 August 2010). "Shocker: Touchscreen smudge may give away your Android password pattern". Engadget. Retrieved 20 June 2012.
  5. "Android and data loss protection (archived web page)". Whisper Systems. Archived from the original on 28 June 2012. Retrieved 28 June 2012.