What are smudge attacks?

A smudge attack is a way of obtaining unauthorized access to a user’s system, such as a smartphone or a tablet, by identifying patterns through smudges or fingerprints on the touch screen. Fingerprints often reveal trails of user clicks or finger drags. These trails can reveal secret information, such as password patterns that can be used to unlock a user’s device.

A smart device needs to be physically available in the proximity of an attacker. Simple cameras, lights at specific angles, and image processing software can be used to recognize smudges on a screen. Repeated password unlock attempts can ultimately lead to unlocking the device.

The illustration below shows password patterns that can be revealed on a smartphone:

Smudge attacks were first discovered by a team of researchers at the University of Pennsylvania in 2010. They performed a series of experiments on two smartphones. They could unlock the smartphone completely 68% of the time and revealed partial information 92% of the time.

How attacks take place

Our fingers usually leave trails on screens. These trails are particularly evident if our fingers are oily, dirty, or wet. Light can be shone on the screens from different angles. Image processing software can be used to adjust the contrast and saturation. Trails become prominent after this processing. The illustration below shows an image of a smartphone screen after it has been processed using image processing software:

How to prevent smudge attacks

Smudge attacks require an attacker to have physical control of a smart device. Therefore, one mitigation involves not leaving a smart device unattended even if it is locked.

Smudge attacks are easier on passwords that involve patterns. The use of stronger passwords that are text or biometric-based can prevent smudge attacks.