A person in a black hoodie crouches in a dark room with a bright light shining over a phone. As the light hits the phone screen, finger smudges are illuminated, revealing the owner’s password. And just like that, the hacker has complete access to the device.
You’ve seen it in the movies and on TV – but can finger smudges really last on your touch-screen device long enough to be easily collected, and then used to access your private information?
Surprisingly, yes, and yes.
In 2010, a team of researchers from the University of Pennsylvania presented a study called “Smudge Attacks on Smartphone Touch Screens” that described how the oily residue from our fingers left on phone screens can be used to steal passwords and other sensitive information.
Smudge attacks, the study outlines, are a threat to smartphones for three reasons: “First, smudges are surprisingly persistent in time. Second, it is surprisingly difficult to incidentally obscure or delete smudges through wiping or pocketing the device. Third and finally, collecting and analyzing oily residue smudges can be done with readily available equipment such as a camera and a computer.”
The researchers examined smudges under different lighting and camera orientations, and found that password patterns were partially distinguishable in 92% of all lighting and camera setups tested and fully distinguishable in 68%. Even in the “less-than-ideal” lighting and camera orientation conditions, the pattern could still be partially obtained in 37% of cases and fully in 14% of them.
Wiping Your Screen Isn’t the Solution
With partial smudges, the researchers say, hackers can still easily steal passwords and private information. “This partial retrieval is still extremely encouraging for an attacker, who has learned a good deal about which patterns are likely, e.g., it could be each isolated part uniquely, the two parts connected, etc.”
So, just wipe off the smudges with the edge of your shirt, right? Not quite, as the study revealed that simple clothing contact – for example putting your device in a pocket or actively wiping – did not play a large role in removing smudges. “One smartphone in our study retained a smudge for longer than a month without any significant deterioration in an attacker’s collection capabilities.”
Of course, with the plethora of tools at their disposal, it’s unclear how often criminals and hackers actually use smudges to break into stolen phones. Police aren’t exactly prioritizing this line of questioning. Still, the threat was widely covered by the tech media, and it spawned discussion of prevention methods, including using a fingerprint-resistant screen protector (ranging from $30 to $60), wiping down the screen with a microfiber cloth after every use (impractical, and unlikely that you’ll remember every time), or purchasing a finger glove (honestly, I dare you).
Better yet, choose a device with an oleophobic layer on the screen, like BlackBerry’s new DTEK50 device. The oleophobic coating on the DTEK50’s 5.2-inch HD screen helps prevent the oily residue from fingers from adhering to the glass.
When water droplets fall on a screen protected with an oleophobic layer like on the DTEK50, the droplets bead up quickly, making them easy to wipe off, instead of spreading and attaching to the screen. Like the water droplets, oil droplets on an oleophobic screen bead up quickly instead of spreading and creating an oily mess, making them easy to clean up without smearing. (Watch oil and water droplets in action on an oleophobic screen here.)
With this protective coating on your DTEK50, you can help keep your passwords and sensitive information safe, while eating all the garlic bread you want without the hassle of constantly wiping down your screen or wearing a (very hip) finger glove.
DTEK50 is now available to buy in a growing number of countries – from local carriers and retailers in the U.S., Canada, and the UK – and on ShopBlackBerry.com in these and other countries for $299 USD ($429 CDN, €339, and £275). To keep up with additional global channels and countries as they’re announced, stay tuned to our DTEK50 availability blog.