>> So let's take a look now at a case study we're doing, on a paper that has been assigned to you, on smudge attacks. The paper is by Adam Aviv, and in the next video we'll actually see an interview with him. For now, please read the assigned smudge attacks paper, that's linked in this week's page, before you get into this video.

So, smudge attacks are attacks that take the fingerprints that a person leaves when they do a gesture-based authentication on a mobile device, and use those fingerprints to identify what their gesture-based password is. Let's take a look at one of these mobile devices just to remind ourselves of what these passwords look like. So, remember, this is my Android device and I was able to create this nine-point gesture-based password, in the shape of an N, and we saw that in the previous video.

In this paper the researchers were concerned with identifying whether or not these smudges could be seen, and how much information that gave about passwords. They did a set-up where they had lighting sources at a few different angles and a camera, and they would use that to take pictures of the screen. Here is an example of one of the phones from the study, and you can see pretty clearly from this picture that you can pick out where the fingers went when they stopped and what paths they followed. And just so you can see that this wasn't their researchy prototype making it look worse than it actually was, here's the device that I've been using, and if you remember, I had set up a gesture-based password on this. In this picture I'm just holding it in front of the window, and you can see the N-shaped pattern of my password pretty clearly. If I tweak the image a bit, increase the contrast and adjust the exposure, that becomes extremely clear, and this is something a computer could do quite easily.

So, the researchers used multiple phones in their study. They had two phones that started off clean; on one the password was entered with a normal touch and on the other it was entered with a light touch. They also had a dirty phone that had smudges from being held up to someone's face as though they had been on a call. So that would get some oils from the face and potentially other fingerprints on the phone, and then the password was entered on top of that.

What did they find? Not too surprisingly, it was pretty easy to retrieve at least some information about passwords from those smudges. The clean phones obviously worked better, and as we saw in the photographic examples, you can pull a lot off of a clean screen with some good lighting and a camera. The dirty phones were less easy to pull information off, but even on these very dirty screens, that had been touching people's faces, had been manhandled and not cleaned, they were still able to pull a lot of password information. So, they may not have been able to see every finger touch and path that was followed, but they could see a lot of it, and that would be a good step towards actually retrieving someone's password.

So in conclusion, this paper shows an interesting attack on non-traditional authentication. Normally when we think of someone breaking into a secure system, we either think of them hacking or cracking the password, or maybe circumventing the authentication system altogether. In this case we have a human-based password attack with a twist. It's not humans social engineering one another to ask for the password, or guess it, or find where it's hidden. It's doing some analysis that requires a little bit more sneakiness than we normally think of with human attacks, and a little bit of analysis in order to recover password information. It's also pretty effective. And that's an interesting thing to look at, especially when we're used to thinking of combinatorial issues with respect to the types of characters that appear in a password.

That's not to say that gesture-based authentication isn't secure. As we've discussed in previous videos, someone still needs to gain access to your device, and once they get there they need to figure out what your password is. This shows that there are ways for people to guess that. And it's just something to keep in mind when you're thinking about the security of a system, and what ways you want to allow users to authenticate.