Wednesday, September 1, 2010

Smudge Attacks

A recent paper from the University of Pennsylvania examined the issue of "smudge attacks" - a decidedly low-tech security weakness with touchscreen cellphones - particularly Android phones.

Android phones feature a pattern lock screen, where instead of a PIN or password, a user traces a preset pattern to unlock their phone. However, the researchers were able to bypass the lock screen by simply taking photos of the phone (with the screen off) under a light, and then adjusting the photo in an image editing program to show finger smudges which revealed the pattern to unlock the lock screen.

The researchers found that even when a phone was wiped using clothing after entering the lock pattern, almost all of the smudge pattern remained.

This has implications for non-Android phone users as well. Consider the iPhone - if smudges are left in areas that are touched frequently, there are likely to be smudges over the numbers used when entering an iPhone's PIN. And given that the iPhone PIN length is known (it's always four numbers), it wouldn't take very long to guess the correct number combination once you know the numbers involved.
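To put a number on how little of the 10,000-PIN space is left once the smudged keys are known, here is an added example (not from the paper or the original post) that enumerates the four-digit PINs consistent with a set of smudged digits. The function names and the sample digit sets are constructed for illustration.

```python
from itertools import product

PIN_LENGTH = 4  # the post states the iPhone PIN is always four digits


def candidate_pins(smudged_digits, length=PIN_LENGTH):
    """Return every PIN of `length` digits that uses exactly the smudged keys.

    A key with a smudge must appear at least once and a clean key must not
    appear at all. Fewer smudged keys than `length` means at least one digit
    is repeated, so repeats have to be enumerated too.
    """
    digits = sorted({str(d) for d in smudged_digits})
    if any(len(d) != 1 or not d.isdigit() for d in digits):
        raise ValueError("smudged_digits must contain single digits 0-9")
    if not 1 <= len(digits) <= length:
        raise ValueError(f"need between 1 and {length} distinct smudged digits")
    wanted = set(digits)
    return ["".join(p) for p in product(digits, repeat=length)
            if set(p) == wanted]


def residual_space(smudged_digits, length=PIN_LENGTH):
    """Return (candidate count, fraction of the full 10**length PIN space)."""
    count = len(candidate_pins(smudged_digits, length))
    return count, count / 10 ** length


if __name__ == "__main__":
    # Constructed sample observations: which keys show a smudge.
    for observed in ("2580", "258", "25", "2"):
        count, fraction = residual_space(observed)
        print(f"smudged keys {observed!r}: {count} candidate PINs "
              f"({fraction:.2%} of all four-digit PINs)")
```

A PIN that repeats one digit leaves three smudged keys and 36 candidates, which is more than the 24 left by a PIN with four distinct digits; in every case the remaining space is well under 1% of the 10,000 possible PINs.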

Gaining access to phones, particularly corporate and government phones, is a security weakness. An unauthorized user could look up the owner's contacts - which could reveal information about a company's clients, for example. An unlocked phone could also be used in social engineering attacks. An attacker could use the phone to send a text message to a colleague of the owner claiming to have forgotten a passcode or something.

Solutions to the issue could be as simple as tracing an incorrect pattern each time after unlocking the phone to create other smudge patterns to confuse or obfuscate the unlock pattern. Frequently changing password patterns could also reduce the issue. And finally, choosing more secure lock patterns can also reduce the likelihood of smudge attacks. For example, an open-ended pattern, such as an L shape, would only have two possible combinations - upper left corner down to lower right corner or vice versa. But a pattern with intersecting lines and closed shapes (such as squares) can make it much more difficult to tell the start and end points of the pattern, as well as the direction of the pattern.

Over the summer, a friend and I took a lot of trips in his car. He owns a Motorola Droid, which we used as a GPS as well. Frequently, I had to unlock the phone's screen for him, and I was able to successfully guess his password using smudge marks simply by holding the phone up so the sun reflected off the screen - and revealed the smudge marks in the unlock pattern. So a smudge attack doesn't even require the photography equipment used by the researchers in the above paper.

3 comments:

  1. This sort of attack truly speaks to the human element of information security. An advanced piece of communications equipment is capable of operating sophisticated security measures. Especially with the kinds of information these devices can hold and the amount of information they can process, it is important that they are able to do so. However, with the advancement of people's desire for "fancy" cell phones comes the push for aesthetics and convenience that we encounter in the touch screen. While a Droid or other touchscreen device may be able to avoid most attacks from the network they run on, they are still no match for the humans who would attack them. It's as simple as taking a picture. This kind of attack truly stresses the need for security professionals to realize it is the people behind the attacks against whom they are protecting electronic devices. This in no way implies that they will do so via means of a network related attack. One could simply steal a phone and gain access courtesy of the oil in one's index finger.

  2. While some cell phones are being used for very confidential purposes or store documents that most people should not have access to, most Android and iPhones are being used as personal cell phones that simply contain text messages, some personal e-mail that contains no earth-shattering information, a record of internet activity, and a call log. I believe that this problem needs to be assessed by using the steps of risk analysis. By valuing the assets on the phones (which most people do not have much that needs to be highly protected), identifying the risk to these assets (quite small for the average iPhone carrier), and determining the likelihood of the occurrence for the risks (also quite small for the average cell phone carrier), we can see that installing more high-tech security systems on Android systems and iPhones would be unnecessary. I think that those who do have sensitive material stored on their phones need to take the initiative to protect this material. I believe that the ease desired by the average phone carrier outweighs the protection needed by a few.

  3. This comment has been removed by the author.
