Smartphones with touch screens may be vulnerable to smudge attacks

The attack vector is similar to that used on early touch screen PINpads in the 1960s, Infosecurity notes, and is one of the reasons why touch screen PINpads were quickly abandoned in the early days of security access systems.

According to the research paper, hackers could read the smudges on a smartphone to infer a password, either by taking photos of the screen from multiple angles, or by gaining physical control of the handset.

The researchers apparently took digital photos of phone screens and used an analytical program to develop 3D versions of the images, a process that allowed them to work out the password on the handset in around 90% of cases.

Infosecurity notes that the researchers focused their efforts on Google Android smartphones, although the iPhone and other handsets may also be subject to the process.

Researchers note that 'pattern smudges' – which are built up from writing the same password a number of times – are especially recognisable.

"We showed that in many situations full or partial pattern recovery is possible, even with smudge noise from simulated application usage or distortion caused by incidental clothing contact", says the research paper.

Infosecurity notes that the 'smudge attack' can be avoided using clear screen protectors, although this may not be infallible, as researchers say they are looking at whether heat trails left on touch screens could be used to extrapolate the unlock codes.
