smudge attack

English

WOTD – 21 May 2017

Etymology

An iPad used by children with its touchscreen covered with fingerprint smudges

smudge + attack; coined in 2010 by researchers from the University of Pennsylvania’s Department of Computer and Information Science in Philadelphia, Pennsylvania, USA: see the quotation.

Pronunciation

• (Received Pronunciation, General American) IPA^(key): /smʌdʒ əˈtæk/

• Audio (AU)

  (file)

• Hyphenation: smudge at‧tack

Noun

smudge attack (plural smudge attacks)

1. (computer security) A method used to crack the password of a touchscreen device by analysing the oily smears left on the device's screen by the user's fingers. [from 2010.]
   • 2010 August 9, Adam J. Aviv, Katherine Gibson, Evan Mossop, Matt Blaze, Jonathan M. Smith, “Smudge Attacks on Smartphone Touch Screens”, in WOOT '10: 4th USENIX Workshop on Offensive Technologies, August 9, 2010, Washington, D.C.; USENIX‎^[1], archived from the original on 21 July 2016:

     Touch screens are touched, so oily residues, or smudges, remain on the screen as a side effect. Latent smudges may be usable to infer recently and frequently touched areas of the screen – a form of information leakage. This paper explores the feasibility of smudge attacks, where an attacker, by inspection of smudges, attempts to extract sensitive information about recent user input.

   • 2012, Yunlim Ku with Okkyung Choi, Kangseok Kim, Taeshik Shon, Manpyo Hong, Hongjin Yeh, and Jai-Hoon Kim, “Extended OTP Mechanism Based on Graphical Password Method”, in James J[ong Hyuk] Park, Victor C. M. Leung, Cho-Li Wang, Taeshik Shon, editors, Future Information Technology, Application, and Service: FutureTech 2012 Volume 1, Dordrecht: Springer, →DOI, →ISBN, →ISSN, page 204:

     The OTP [one-time password] mechanism that financial institutions adopted utilizes a one-time password displayed on OTP device, so it is vulnerable to shoulder surfing attacks (SSA) and smudge attacks.

   • 2013, “Information Security”, in Q. Ashton Acton, editor, Issues in Information Science—Information Technology, Systems, and Security, Atlanta, Ga.: ScholarlyEditions, published 2013, →ISBN, page 200:

     However, the fixed keypad lock can be easily unlocked by brute force attacks and the pattern lock is vulnerable to smudge attacks.

   • 2013 February 22, Alex Wawro, Marco Chiappetta, “Windows 8 picture passwords: Their great untapped potential”, in PC World‎^[2], San Francisco, Calif.: PCW Communications, →OCLC, archived from the original on 9 August 2016:

     [A]rguably, picture passwords are a little more secure on desktops than on touchscreen devices, because you don't have to worry about anyone guessing your gesture password by examining your monitor for greasy fingerprints. That last scenario may sound like something out of a trashy espionage thriller, but the threat of a "smudge attack" is real enough to warrant serious study. Researchers at the University of Pennsylvania coined the term in 2010 when they were able to successfully deduce gesture passwords used to unlock Android phones from smudge marks left on the screen.

Further reading

• smudge attack on Wikipedia.