Smudge attack


A smudge attack is a method to discern the password pattern of a touchscreen device such as a cell phone or tablet computer. The method was investigated by a team of University of Pennsylvania researchers and reported at the 4th USENIX Workshop on Offensive Technologies.
The smudge attack relies on using simple cameras and image-processing software to detect the oily smudges left behind by the user's fingers when operating the device. Under proper lighting and camera settings, the finger smudges can be easily detected, and the heaviest smudges can be used to infer the most frequent user input pattern. The researchers were able to break the password up to 68% of the time under proper conditions.
The research was widely covered in the technical press, including reports on PC Pro, ZDNet, and Engadget.
Once the threat was recognized, at least one product was introduced by Whisper Systems to mitigate the risk.