Smudge attack

A smudge attack is an information extraction attack that discerns the password input of a touchscreen device such as a smartphone or tablet computer from fingerprint smudges. A team of researchers at the University of Pennsylvania were the first to investigate this type of attack in 2010.[1][2] An attack occurs when an unauthorized user is in possession of, or is near, the device of interest. The attacker relies on detecting the oily smudges produced and left behind by the user's fingers to find the pattern or code needed to access the device and its contents.[2] Simple cameras, lights, fingerprint powder, and image processing software can be used to capture the fingerprint deposits created when the user unlocks their device. Under proper lighting and camera settings, the finger smudges can be easily detected, and the heaviest smudges can be used to infer the most frequent input swipes or taps from the user.[1] Smudge attacks are particularly successful when performed on devices that offer personal identification numbers (PINs), text-based passwords, and pattern-based passwords as locking options.[3] There are various proposed countermeasures to mitigate attacks, such as biometrics, TinyLock, and SmudgeSafe, all of which are different authentication schemes.[4][5][6] Many of these methods provide ways to either cover up the smudges using a stroking method or implement randomized changes so previous logins are different from the current input.

Background

The smudge attack method against smartphone touch screens was first investigated by a team of University of Pennsylvania researchers and reported at the 4th USENIX Workshop on Offensive Technologies. The team classified the attack as a physical side-channel attack, where the side channel arises from the interactions between a finger and the touchscreen.
The research was widely covered in the technical press, including reports on PC Pro, ZDNet,[7] and Engadget.[8] The researchers used the smudges left behind on two Android smartphones and were able to break the password fully 68% of the time and partially 92% of the time under proper conditions.[1] Once the threat was recognized, Whisper Systems introduced an app in 2011 to mitigate the risk. The app provided its own versions of pattern lock and PIN authentication that required users to complete certain tasks to cover up the smudges created during the authentication process. For the PIN verification option, the number options were lined up vertically, and users were required to swipe downward over the smudged area. For the pattern lock, the app presented a 10x10 grid of stars that users had to swipe over and highlight before accessing the home screen.[9][10]

Dangers

Interpreting the smudges on the screen requires relatively little equipment and little experience on the attacker's part. In combination with the negative ramifications for victims of an attack, this type of attack raises considerable concern. The smudge attack approach could also be applied to other touchscreen devices besides mobile phones that require an unlocking procedure, such as automatic teller machines (ATMs), home locking devices, and PIN entry systems in convenience stores. Those who use touchscreen devices or machines that contain or store personal information are at risk of data breaches. The human tendency toward minimal and easy-to-remember PINs and patterns also leads to weak passwords, and passwords drawn from weak password subspaces make it easier for attackers to decode the smudges.[11] Smudge attacks are particularly dangerous since fingerprint smudges can be hard to remove from touchscreens, and the persistence of these fingerprints increases the threat of an attack.
The attack does not depend on finding perfect smudge prints, and it is still possible for attackers to figure out the password even after the screen has been wiped with clothing or when fingerprints overlap.[2] Cha et al.,[12] in their paper "Boosting the Guessing Attack Performance on Android Lock Patterns with Smudge Attacks," tested an attack method called smug that combined smudge attacks and pure guessing attacks. They found that even after the users were asked to use the Facebook app after unlocking the device, 31.94% of the phones were cracked and accessed.[12] Another danger of smudge attacks is that the basic equipment needed to perform this attack, a camera and lights, is easily obtainable. Fingerprint kits are an additional, accessible but not required, piece of equipment ranging from $30 to $200. These kits increase the ease with which an attacker can successfully break into a phone in their possession.[13]

Types of attackers

The team at the University of Pennsylvania identified and considered two types of attackers: passive and active.

Active

An active attacker is classified as someone who has the device in hand and is in control of the lighting setup and angles. These attackers can manipulate the touchscreen to better identify the PIN or pattern code by cleaning it or using fingerprint powder.[2] A typical setup for an active attacker could include a mounted camera, the phone placed on a surface, and a single light source. Slight variations in the setup include the type and size of the light source and the distance between the camera and the phone.
A more experienced attacker would pay closer attention to the angle of the light and camera, the lighting source, and the type of camera and lens used to get the best picture, taking into account the shadows and highlights when the light reflects.[1]

Passive

A passive attacker is an observer who does not have the device in hand and instead has to perform an eavesdropping-type attack.[2] This means they will wait for the right opportunity to collect the fingerprint images until they can get possession of the device. The passive attacker does not have control of the lighting source, the angle, the position of the phone, or the condition of the touchscreen. They are dependent on the authorized user and their location to get a good quality picture from which to crack the security code later on.[1]

Methods and techniques

There are different steps and techniques that attackers use to isolate the fingerprint smudges to determine the lock pattern or PIN. The attacker first has to identify the exact touch screen area, any relevant smudges within that area, and any possible combination or pattern segments.[12]

Preprocessing

In cases where the fingerprints are not clearly visible to the eye, preprocessing is used to identify the most intact fingerprints, determined by the number of ridge details they have. Selecting the fingerprints with the most ridge details differentiates between the user's fingerprints and those of people with whom the device is shared.[13] When a finger is pressed down on the touch screen surface to create a fingerprint, the liquid from the edges of the ridges fills in the contact region. This fingerprint liquid is made up of substances from the epidermis, the secretory glands, and extrinsic contaminants such as dirt or skin products. As the fingertip is lifted, the liquid also retracts, leaving behind the leftover traces.[14] Attackers are able to use fingerprint powder to dust over these oil smudges to reveal the visible fingerprint and its ridges.
The powder can enhance the diffuse reflection, which reflects from rough surfaces and makes the dusted smudge more visible to the human eye. There are different powders to choose from based on the colors that best contrast with the touchscreen and the environment. Examples of powders are aluminum, bronze, cupric oxide, iron, titanium dioxide, graphite, magnetic, and fluorescent powder. This dusting action also mimics the processes used in a crime scene investigation.[13]

Preserving fingerprints

Preserving fingerprints utilizes a camera to capture multiple pictures of the fingerprint images or the keypad under different light variations. Generally, high-resolution cameras and bright lights work best for identifying smudges. The goal is to limit any reflections and isolate the clear fingerprints.[13]

Visibility of objects

The visibility of the fingerprint relies on the light source, the reflection, and shadows. The touch screen and surface of a smart device can have different reflections that change how someone views the image of the fingerprint.[13]
Mapping fingerprints to keypad

Fingerprint mapping uses the photographed smudge images to figure out which keys were used, by laying the smudge images over the keypad or by comparing the image with a reference picture. Mapping the positions of smudges helps the attacker figure out which keys were tapped by the authorized user. First, the fingerprint and keypad images are resized and processed to find the areas the corresponding fingerprints and keys occupy. Next, the Laplace edge detection algorithm is applied to detect the edges of the finger's ridges, sharpen the overall fingerprint, and eliminate any of the background smudges. The photo is then converted into a binary image to create a contrast between the white fingerprints and the black background. Using this image with grid divisions also helps clarify where the user has tapped, based on the locations with the largest number of white dots in each grid area.[13]

Differentiating between multiple fingerprints

In the case that there are multiple users, grouping fingerprints can help classify which ones belong to each person. Fingerprints have both ridges and valleys, and differentiating them is determined by the overall and local ridge structure. There are three patterns of fingerprint ridges (arch, loop, and whorl) that represent the overall structure, and the ridge endings or bifurcations represent the local structure, or minutiae points.[4] Different algorithms incorporate these fingerprint traits and structure to group the fingerprints and identify the differences. Some examples of algorithms used are Filterbank, the adjacent orientation vector (AOV) system, and correlation filters.[13]
Smudge-supported pattern guessing (smug)

Smug is a specific attack method that combines image processing with sorting patterns to figure out pattern-based passwords. First, the attackers take a picture of the smudge area using an appropriate camera and lighting. Using an image-matching algorithm, the captured image is then compared to a reference picture of the same device to properly extract a cropped picture focused on the smudges. Next, the smudge objects are identified using binarization, Canny edge detection, and the Hough transform to enhance the visibility of the fingerprint locations. Possible segments between the swipes and points are detected with an algorithm to form the target pattern. The segments are then filtered to remove unwanted and isolated edges and keep only the edges that follow the segment direction. A segment is accepted when the number of smudge objects between two grid points exceeds a set threshold, indicating that the smudge between them is part of a pattern. Lastly, these segments are fed into a password model (e.g. an n-gram Markov model) to rank potential passwords. An experiment found that this method unlocked 360 pattern codes 74.17% of the time when assisted by smudge attacks, an improvement from 13.33% for pure guessing attacks.[12][16]

Types of vulnerable security methods
Smudge attacks can be performed on various smart device locking methods such as Android patterns, PINs, and text-based passwords. All of these authentication methods require the user to tap the screen to input the correct combination, which leaves the smudges that a smudge attack looks for.[17]

Personal Identification Numbers (PINs)

PINs are susceptible not only to smudge attacks but also to other attacks possible through direct observation, like shoulder-surfing attacks, or through pure guessing, like brute-force attacks. They are also used heavily in electronic transactions, at ATMs, and in other banking situations. If a PIN is shared or stolen, the device or machine cannot detect whether the user is the rightful owner, since it relies only on whether the correct number is entered. In relation to smudge attacks, this allows attackers to easily steal information, since there is no other way to authenticate who the user actually is.[18]

Text-based passwords

Touchscreen devices that use text-based passwords will contain fingerprint smudges at the locations of the corresponding numbers or letters on the alphanumeric keypad. Attackers can use this to perform the smudge attack. The drawback of text-based passwords is not only their vulnerability to smudge attacks but also the tendency of users to forget the password. This causes many users to use something that is easy to remember or to reuse passwords across different platforms. These passwords fall under what is called a weak password subspace within the full password space and make it easier for attackers to break in through brute-force dictionary attacks.[11] A 2017 study reviewed 3289 passwords, and 86% of them had some sort of structural similarity, such as containing dictionary words and being short.[19]

Draw-a-Secret (DAS)

Draw-a-Secret is a graphical authentication scheme that requires users to draw lines or points on a two-dimensional grid.
A successful authentication depends on whether the user can exactly replicate the path drawn. Android Pattern Password is a version of Pass-Go that follows the concept of DAS.[20][21]

Pass-Go

Pass-Go uses a grid so that there is no need to store a graphical database, and it allows the user to draw a password as long as they want. Unlike DAS, the scheme relies on selecting the intersections of a grid instead of the cells on the screen, and users can also draw diagonal lines. Tao and Adams, who proposed this method, found that over their three-month study many people drew longer pattern passwords, which goes against the tendency to choose minimal and easy-to-remember passwords.[22]

Android pattern passwords

Android pattern lock is a graphical password method introduced by Google in 2008 where users create a pattern by connecting points on a 3x3 grid.[16] About 40% of Android users use pattern lock to secure their phones.[16] There are 389,112 possible patterns that the user can draw.[23] Each pattern must contain at least 4 points on the grid, may use each contact point only once, and cannot skip an intermediate point between two points unless that point has been used earlier.[21] Touchscreen devices that use Android pattern lock will leave behind swipes that give away the locations and combination an attacker needs to unlock the phone as an unauthorized user. The security of Android pattern lock against smudge attacks was tested by researchers at the University of Pennsylvania, and from the swipes left behind by the drawn pattern, they were able to discern the code fully 68% of the time and partially 92% of the time under proper conditions.[1]

Countermeasures

Physiological biometrics such as Android Face Unlock, iPhone Touch ID and Face ID, and Trusted Voice have recently been implemented in mobile devices as the main or alternative method of validation.
There are also other novel approaches that have the potential to become future security schemes but have not yet been implemented in mainstream usage.[24] Some of these approaches avoid the requirement to input anything with the fingers and thus eliminate the ability of attackers to use smudges to determine the password lock.

Strong passwords

Although there are many countermeasures that help protect against smudge attacks, creating secure passwords can be the first step to protecting a device. Some of the recommended steps are:[25]
Although these are the recommended tips for stronger passwords, users can run out of strong password options they will remember, and later forget the passcode after frequent changes. To avoid this, users tend to choose short, weaker passwords for convenience and to shorten the unlocking time.[26]

Anti-fingerprint protection

Researchers have looked into anti-fingerprint properties that can allow people to keep their current password schemes without worrying about the leftover smudges. Surfaces that are able to repel the water and oils from the finger are called lipophobic. Surfaces that have low surface energy and surface transparency (low roughness) are typically anti-smudge due to their higher contact angles and low molecular attraction. Low molecular attraction means that there is little to no adhesion for the oil and water molecules to bind to the surface and leave behind a trace. However, achieving these properties while still functioning as a touchscreen is hard, as the low surface energy alters the durability and functionality of the touchscreen itself.[14] With this research, various anti-smudge screen protectors have been put on the market, such as Tech Armor's anti-glare and anti-fingerprint film screen protector and ZAGG's InvisibleShield Premium Film and Glass Elite (tempered glass) antimicrobial screen protectors. ZAGG markets its InvisibleShield as smudge resistant, glare resistant, and scratch proof.[27] These phone accessories can range from 30 to 60 dollars.[28] There have also been various smartphones on the market that have been pitched as having an oleophobic coating, which resists oil to keep the touchscreen free from fingerprints.
The oleophobic screen beads up any oil residue, preventing it from sticking to the surface and making it easy to wipe finger residue off without smearing.[29] In July 2016, BlackBerry released the DTEK50 smartphone with an oleophobic coating.[30][28] Other phone developers have used this for the touchscreens of their devices, such as Apple's many generations of iPhones,[31][32] Nokia Lumia phones, and the HTC Hero.[33]

Biometrics

Biometrics is a type of authentication that identifies a user based on their behavior or physical characteristics, such as keystrokes, gait, and facial features, rather than on what one can recall or memorize.[4] A biometric system takes the unique features of the individual and records them as a biometric template, and this information is compared with the currently captured input to authenticate a user.[34] Biometrics is categorized as either physiological or behavioral by the US National Science and Technology Council's (NSTC) Subcommittee on Biometrics.[35] This type of security can serve as a secondary protection for traditional password methods that are susceptible to smudge attacks on their own, since it does not rely on entering a memorized number or pattern or recalling an image. Research conducted on biometric authentication found that a mix or hybrid of biometrics and traditional passwords or PINs can improve the security and usability of the original system.[36] One of the downsides to biometrics is mimicry attacks, where the attackers imitate the user. This can increase the vulnerability of the device if attackers turn to methods that allow them to copy the victim's behavior.
Some of these methods include using a reality-based app that guides attackers when entering the victim's phone, or using transparent film with pointers and audio cues to mimic the victim's behavior.[37] Another vulnerability is that the biometric template can be leaked or stolen by hacking or various other means and reach unauthorized people.[38][39] A possible solution to theft, leakage, or mimicry is fingerprint template protection schemes, which make it difficult for attackers to access the information through encryption and additional techniques.[36][38]

Physiological

Physiological biometrics authenticates a user based on their human characteristics. Measuring the characteristics unique to each individual creates a stable and mostly consistent mechanism to authenticate a person, since these features do not change very quickly. Some examples of physiological biometric authentication methods are listed below.[35]

Behavioral

Behavioral biometrics authenticates a user based on the behavior, habits, and tendencies of the true user. Some examples include voice recognition, gait, hand-waving, and keystroke dynamics.[35] The schemes listed below have been proposed to specifically protect from smudge attacks.
SmudgeSafe

SmudgeSafe is another authentication method protected from smudge attacks; it uses two-dimensional image transformations to rotate, flip, or scale the image on the login screen. The user draws a graphical password shape created from points on an image as usual, but the image looks different every time the user logs in. The changes made to the image are randomized, so previous login smudges do not give attackers hints about what the input is. To ensure that the transformations applied significantly change the locations of the password points, the area in which these locations may fall on the image is restricted. In a study comparing SmudgeSafe's graphical authentication method to lock patterns and PINs, SmudgeSafe performed the best with a mean of 0.51 passwords guessed per participant. The pattern lock had a mean of 3.50 and PINs had a mean of 1.10 passwords correctly guessed per participant.[6]

TinyLock

TinyLock was proposed by Kwon et al.[5] and uses two grids; the top one is for the pressed cells in the confirmation process, and the bottom one is a drawing pad for the authentication process.[5] The top grid is used to notify the user, by flickering and vibrating, whether they are on the correct initial dot before they start drawing. The bottom half of the screen contains a tiny 3 x 3 grid used for drawing the secret password. The grid is much smaller than traditional pattern locks, which forces the user to draw in a confined space and squeezes all the smudges into a small area. This method mitigates smudge attacks because the smudges are all crowded together, and the user is required to draw a circular virtual wheel in either direction after drawing the pattern password.
However, this method is not completely free from shoulder-surfing attacks.[20] Another drawback is that the grid dots are hard to see due to their small size, which makes it difficult to draw complex patterns and unlock without error.[16]

ClickPattern

ClickPattern uses a 3 x 3 grid labeled one through nine, and the user has to click on the nodes that correspond to the ends of a drawn line instead of swiping on the screen. Doing this creates smudges that are harder to distinguish from normal screen usage. At most, the smudges created will reveal the nodes used but not the pattern, making it better protected from smudge attacks than Android pattern lock. On the lock screen, ClickPattern consists of these three components:[42]
The user is authenticated when the entered pattern is the same as the original pattern, in exactly the same order and direction. To create a valid pattern, the pattern must have at least 4 points, and none of them can be used more than once. The pattern will also always contain the dots lying between a sequence of points, even though these do not necessarily need to be clicked. Users can also pass through previously used dots to access an unused node.[42]

Multi-touch authentication with Touch with Fingers Straight and Together (TFST)

This multi-touch authentication uses geometric and behavioral characteristics to verify users on a touch screen device. According to Song et al.,[43] this TFST gesture takes an average of 0.75 seconds to unlock, is very easy to use, and is simple to follow. The user puts two to four fingers together in a straight position, reducing the amount of surface area compared to other multi-touch methods. With the fingers in this fixed hand posture, the user can choose to trace either a simple or a complex pattern, and the screen picks up the positions of the fingers and records each trace movement in the form of touch events. These touch events record the X and Y coordinates, the amount of pressure applied, the finger size, the timestamp, and the size of the touched area, and they are compared to the template created during the registration process.[19] The physiological features, or hand geometry, include measurements taken between possible strokes of the performed gesture. Horizontal strokes track the finger length differences, and vertical strokes track the finger width. Since the user always places their fingers in a straight position, the finger measurements stay the same and provide consistent verification.
Lastly, there are behavioral features that are traced, specifically the length of the stroke, the time it takes, the velocity of the stroke, the tool or the area for each touch point in relation to finger size, the touch area size, the pressure applied, and the angle of the stroke. For one stroke, there are 13 behavioral features, and this increases to 26, 39, and 52 for up to four strokes.[43]

Bend passwords

With new technology geared towards creating flexible displays for smartphone devices, there are more opportunities to create novel authentication methods. Bend passwords are an original type of password authentication used for flexible screens. They involve different bend gestures that users perform by twisting or deforming the display surface, and there are a total of 20 gestures currently available. The bending can be a single gesture, made by bending one of the four corners of the display individually, or part of a multi-bend gesture, made by simultaneously bending pairs of corners.[44]

Fractal-Based Authentication Technique (FBAT)

A newly proposed authentication method called Fractal-Based Authentication Technique (FBAT) uses Sierpinski's Triangle to authenticate users. This process combines recognition-based and cued recall-based authentication, as users have to recognize and click on their personal pre-selected colored triangles as the level of triangles increases. For smartphones, the level of triangles is set at 3 due to the limited size of the touch screen, but it can be increased for bigger tablets. At level 3, the probability that an attacker will guess the password is 0.13%. Recognition-based authentication requires users to recognize pre-selected images, and cued recall-based graphical authentication requires users to click on pre-selected points on an image. In the Sierpinski triangle, a selected colored pattern is created during registration and is stored hidden on the device.
To authenticate themselves, a user must select the correct pattern in each level while the triangles randomly shuffle. Since the colored triangles are randomly placed, they can be found in different locations for every authentication, so the smudges left behind do not give any clues to potential attackers. This technique can be used on Android devices, ATMs, laptops, or any device that uses authentication to unlock.[25]

2 x 2 and 1 x 2 Knock Code

Knock Code is an authentication method introduced by LG Electronics that allows users to unlock a phone without turning on the screen by tapping the correct areas in the right sequence. The screen is split into four sections, with the vertical and horizontal dividing lines changing.[45] Two variations of Knock Code have been proposed: the 2 x 2 and the 1 x 2 knock code. These variations can protect against smudge attacks because of the sliding operations that erase the knock marks after the taps have been entered. In a user study that compared the original Knock Code and the Android Pattern Lock, these variant schemes were more resistant to smudge attacks.[20]
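The pattern rules given above for Android pattern lock (at least 4 points, no point reused, no skipping over an unvisited intermediate point) and ClickPattern's property that its smudges reveal the touched nodes but not their order can both be quantified with the following Python script. It is an added example, not code from the page or from any of the cited papers; the grid numbering, the function names and the sample node sets are my own choices. It enumerates the full pattern space, reproducing the 389,112 figure quoted above, and then counts how many valid orderings remain once only the set of touched nodes is known, which is the residual search space a defender should assume after a node-revealing smudge.

```python
"""Enumerate the Android 3x3 pattern-lock password space.

Rules modelled (as stated on the page): a pattern visits at least 4 of the
9 grid points, visits no point twice, and may not jump over an unvisited
point lying exactly between two consecutive points; an already-visited
intermediate point may be jumped over.
"""
from functools import lru_cache
from itertools import permutations

# Grid points are numbered 0..8 in row-major order (an assumption of this
# example):  0 1 2 / 3 4 5 / 6 7 8
GRID = [(p // 3, p % 3) for p in range(9)]
MIN_LEN, MAX_LEN = 4, 9


def midpoint(a: int, b: int):
    """Return the grid point lying exactly between a and b, or None.

    A grid point sits in between only when both the row sum and the column
    sum are even: 0->2 passes over 1, 0->8 passes over 4, while 0->5 (a
    knight move) passes over nothing.
    """
    (ra, ca), (rb, cb) = GRID[a], GRID[b]
    if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return ((ra + rb) // 2) * 3 + (ca + cb) // 2
    return None


def is_valid_move(path: list, nxt: int) -> bool:
    """Check whether appending nxt to a non-empty path respects the rules."""
    if nxt in path:
        return False
    mid = midpoint(path[-1], nxt)
    return mid is None or mid in path


def is_valid_pattern(path) -> bool:
    """Full validity check for a candidate pattern (sequence of points)."""
    path = list(path)
    if not MIN_LEN <= len(path) <= MAX_LEN or len(set(path)) != len(path):
        return False
    return all(is_valid_move(path[:i], path[i]) for i in range(1, len(path)))


def _extend(path: list, counts: dict) -> None:
    """Depth-first enumeration of every valid pattern that starts with path."""
    if len(path) >= MIN_LEN:
        counts[len(path)] += 1
    if len(path) == MAX_LEN:
        return
    for nxt in range(9):
        if is_valid_move(path, nxt):
            path.append(nxt)
            _extend(path, counts)
            path.pop()


@lru_cache(maxsize=None)
def patterns_by_length() -> dict:
    """Number of valid patterns for each length 4..9 (computed once, cached)."""
    counts = {n: 0 for n in range(MIN_LEN, MAX_LEN + 1)}
    for start in range(9):
        _extend([start], counts)
    return counts


def count_android_patterns() -> int:
    """Size of the whole pattern space."""
    return sum(patterns_by_length().values())


def patterns_using_nodes(nodes) -> int:
    """Count valid patterns whose set of touched points is exactly `nodes`.

    This is the residual search space when an observer learns which points
    were touched (as ClickPattern-style smudges reveal) but not their order.
    """
    nodes = tuple(sorted(set(nodes)))
    return sum(1 for order in permutations(nodes) if is_valid_pattern(order))


if __name__ == "__main__":
    print("patterns by length:", patterns_by_length())
    print("total patterns:", count_android_patterns())
    # Constructed node sets: a 2x2 square, and the top row plus point 3.
    print("orderings of {0,1,3,4}:", patterns_using_nodes({0, 1, 3, 4}))
    print("orderings of {0,1,2,3}:", patterns_using_nodes({0, 1, 2, 3}))
```

The two node sets show why the intermediate-point rule matters for the residual space: every ordering of the square {0,1,3,4} is a legal pattern (24 of them), whereas orderings of {0,1,2,3} that go directly from 0 to 2 before visiting 1 are rejected, leaving only 18. Either way, a node-revealing smudge shrinks the search from hundreds of thousands of patterns to a few dozen orderings, which is why the schemes above try to hide the node set as well as the order.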
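To make the SmudgeSafe idea described above concrete, the following Python script is an added illustration, not SmudgeSafe's own code, of a login that applies a fresh random rotation or flip to the background image on every attempt and verifies touches by mapping them back through the inverse transform. It assumes a square image of 1000 pixels, a 25 pixel hit radius, and a transform drawn from the eight symmetries of a square (scaling is left out); the coordinates, names and the sample secret are constructed for the example. The point it demonstrates is that the on-screen positions, and therefore the smudges, change between logins while the stored secret does not, so replaying the positions observed in one login fails in the next.

```python
"""SmudgeSafe-style login with a per-login random image transform.

Added example. Assumptions: SIZE x SIZE image, secret stored as a list of
image-space points, transform chosen from the dihedral symmetries of the
square, touch accepted within TOLERANCE pixels of the transformed point.
"""
import math
import secrets

SIZE = 1000          # image is SIZE x SIZE pixels (constructed)
TOLERANCE = 25.0     # hit radius in pixels (assumed)

# The eight symmetries of a square as (forward, inverse) maps on (x, y).
TRANSFORMS = {
    "identity":  (lambda x, y: (x, y),               lambda x, y: (x, y)),
    "rot90":     (lambda x, y: (SIZE - y, x),        lambda x, y: (y, SIZE - x)),
    "rot180":    (lambda x, y: (SIZE - x, SIZE - y), lambda x, y: (SIZE - x, SIZE - y)),
    "rot270":    (lambda x, y: (y, SIZE - x),        lambda x, y: (SIZE - y, x)),
    "flip_h":    (lambda x, y: (SIZE - x, y),        lambda x, y: (SIZE - x, y)),
    "flip_v":    (lambda x, y: (x, SIZE - y),        lambda x, y: (x, SIZE - y)),
    "transpose": (lambda x, y: (y, x),               lambda x, y: (y, x)),
    "anti_t":    (lambda x, y: (SIZE - y, SIZE - x), lambda x, y: (SIZE - y, SIZE - x)),
}


def transform_points(points, name, inverse=False):
    """Apply the named transform (or its inverse) to a list of (x, y) points."""
    fwd, inv = TRANSFORMS[name]
    f = inv if inverse else fwd
    return [f(x, y) for x, y in points]


def new_login_transform() -> str:
    """Pick this login's transform with a CSPRNG; a predictable choice would
    let an observer correlate smudges across logins."""
    return secrets.choice(list(TRANSFORMS))


def verify(secret, name, touches, tolerance=TOLERANCE) -> bool:
    """Map screen touches back into image space and compare them to the
    secret, in order, each within `tolerance` pixels."""
    if len(touches) != len(secret):
        return False
    back = transform_points(touches, name, inverse=True)
    return all(math.dist(p, s) <= tolerance for p, s in zip(back, secret))


def replay_succeeds(secret, old_name, new_name) -> bool:
    """Would the screen positions touched under old_name (what smudges from
    that login reveal) authenticate under new_name?"""
    old_touches = transform_points(secret, old_name)
    return verify(secret, new_name, old_touches)


if __name__ == "__main__":
    # Constructed secret: three points chosen on the background image.
    secret = [(100, 200), (800, 300), (400, 900)]
    first = new_login_transform()
    print("login 1 transform:", first, "screen points:",
          transform_points(secret, first))
    second = new_login_transform()
    print("login 2 transform:", second, "replay of login 1 succeeds:",
          replay_succeeds(secret, first, second))
```

With eight equally likely transforms, a replay of one login's smudge positions succeeds only when the next login happens to draw the same transform, so the residual risk scales with the size of the transform set; SmudgeSafe's restriction on where password points may lie serves the same purpose as keeping the chosen secret here far from the square's symmetry axes, so that no transform maps the points onto themselves.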
Future

There has been movement towards physiological biometric authentication in current smartphone security, such as fingerprint and facial recognition, that allows users to replace their PINs and alphanumeric passcodes.[4] However, even new and advanced authentication methods have flaws and weaknesses that attackers can take advantage of. For example, in an examination of touch authentication, researchers observed similar swiping behavior and finger pressure in a large number of phone users, and this generic information can aid attackers in performing successful attacks.[39] Research on biometrics and multi-gesture authentication methods is continuing, to help combat attacks on traditional passwords and eliminate the vulnerabilities of novel schemes as new trends and new technology are developed.[18]