Android Device's Pattern Lock Can Be Cracked Within Five Attempts, Researchers Show

The popular Pattern Lock system used to secure millions of Android phones can be cracked within just five attempts -- and more complicated patterns are the easiest to crack, security experts reveal. From a research paper: Pattern Lock is a security measure that protects devices, such as mobile phones or tablets, and which is preferred by many to PIN codes or text passwords. It is used by around 40 percent of Android device owners. In order to access a device's functions and content, users must first draw a pattern on an on-screen grid of dots. If this matches the pattern set by the owner then the device can be used. However, users only have five attempts to get the pattern right before the device becomes locked. New research from Lancaster University, Northwest University in China, and the University of Bath, which benefitted from funding from the Engineering and Physical Sciences Research Council (EPSRC), shows for the first time that attackers can crack Pattern Lock reliably within five attempts by using video and computer vision algorithm software. By covertly videoing the owner drawing their Pattern Lock shape to unlock their device, while enjoying a coffee in a busy cafe; for example, the attacker, who is pretending to play with their phone, can then use software to quickly track the owner's fingertip movements relative to the position of the device. Within seconds the algorithm produces a small number of candidate patterns to access the Android phone or tablet.

So it you watch someone draw the pattern...

You can break it?

WOW!!!! Computers are so smart!!!

Re:So it you watch someone draw the pattern...

[tripleevenfall]

Breaking: iPhones have a zero-day vulnerability that involves you watching someone enter their password. No ETA on a fix.

Re: So it you watch someone draw the pattern...

what is the world comming to. jezzus this is a no shiet moment.

Re:So it you watch someone draw the pattern...

Here is a fix: Fingerprint sensor

Re:So it you watch someone draw the pattern...

In a world where "hacking" is dumbed down to phishing for Podesta's email password...

This *is* some new and amazing technological breakthrough!

Re:So it you watch someone draw the pattern...

[Archangel+Michael]

Here's the two biggest problems with fingerprint sensors. Those two are easily beat. Further, a fingerprint can be compelled by law enforcement to unlock phones, where a passphrase cannot.

Re:So it you watch someone draw the pattern...

Yeah, I was expecting something a little more technologically advance than looking over the owner's shoulder. Does the 'attacker' then walk by the owner and say, "Hey! Is that Tom Cruise?" and grab their phone off the table when they look?

Re:So it you watch someone draw the pattern...

They can be beat, but it's not *easy*. Second, if you reset the phone, or shut just shut it off, it requires the passcode when it reboots.

The the couple times I've been pulled over (speeding and a bad brake light), I've turned my iPhone off before the office came to my car. Nothing happened and they didn't ask or care about my phone, but it's a good idea anyway.

Re:So it you watch someone draw the pattern...

[CaptainDork]

My wife and her brother don't have fingerprints that are good enough for passports or license to carry a weapon [there are other ways to pass muster] or biometric entry into iPhones.

Also, the elasticity of skin decreases with age, so a lot of senior citizens have prints that are difficult to capture. The ridges get thicker; the height between the top of the ridge and the bottom of the furrow gets narrow, so there's less prominence. So if there's any pressure at all [on the scanner], the print just tends to smear.

Re:So it you watch someone draw the pattern...

[Pinky's+Brain]

The PCB mold with silicone trick doesn't work any more?

Re:So it you watch someone draw the pattern...

[vux984]

The biggest problem with a passphrase is that entering it every time you get a text message is obnoxious and intolerable from a usability standpoint.

Your solution of turning it off before a possible event is a step in the right direction, but it's not reliable enough. It works ok when you get pulled over ... you have lots of time between the lights flashing and officer at your window. But for a lot of situations you don't have that luxury. For example, if it is lost or stolen it'll still be turned on, or if you are arrested just walking down the street...

Stuff like samsung knox has the potential to be a good middle ground -- a secure container within your phone. So you can fingerprint/ short PIN to access your phone, GPS, SMS and your pay-by-phone parking app, etc but have your documents and pictures and work email still behind a passphrase.

(I'm not sure how good knox is in particular, but the concept at least I think is a good idea.) And I realize for some people even the SMS and parking app they want behind the passphrase because it'll reveal who they talked to or where they parked etc... I get that. Security is always a trade off between convenience and security... for me always passphrase is too obnoxious to use -- I tried it, while only fingerprint or 4-digit PIN is far too weak to protect say, my email (more from theives than from law enforcement... ) the potential damage a theif could do with my phone is scary.

The only reasonable solution with current phones is to not have much of anything on them. So for example, the email account I have have linked to the domain registrations and various other online services and resources I have access to is NOT on my phone. This is frequently inconvenient and bit ironic -- on the one hand I WANT the notifications of any activity on those accounts immediately notified to me, but the risk of someone getting into my phone (e.g. by observing me enter my PIN, and the stealing it) and being able to take control of those accounts via the linked email and 2FA which is tied to that number... is too great.

Maybe knox type solutions would be a solution... i just haven't actually had the time to try it.

It'd be nice though if various cloud service providers would let you register a separate notification email in addition to the admin email. So that I could receive notifications like 'a user has logged in from a new computer to your account..." on my phone without that being the email address being the one that can also be used to retrieve/reset login and password credentials.

Re:So it you watch someone draw the pattern...

[AmiMoJo]

There is actually a fix for that, at least on Android. For years now you have been able to get lockscreen apps that simply randomize the position of the numbers on the PIN entry pad. It doesn't matter if someone sees your finger movements because unless they can also see the text on the screen they still won't know what your pin is. Same with smudge attacks.

Does iOS allow you to do this? If not then, joking aside, I would consider it a vulnerability.

Re:So it you watch someone draw the pattern...

[danomac]

Great, does this mean that some nutter is going to shoot out the video cameras before ordering coffee? At least he won't have a lineup to wait in...

Re:So it you watch someone draw the pattern...

I think the ‘news’ is supposed to be that this is a password which is a) easier to spy when entered (or when looking at the fingerprints on the phone) and b) more often entered in public places, where even regular passwords are sensitive to e.g. camera recordings.
Interestingly, the whole thing reminds me of a book I read as a kid in the late 80s called On the Trail of the Cheetah, wherein the characters figured out that if you can make sure that a PIN keypad is slightly greasy, you can look at the prints on the keypad and then there are only 24 combinations left. Almost thirty years have passed, but we're no wiser.

Re:So it you watch someone draw the pattern...

[itsme1234]

on the one hand I WANT the notifications of any activity on those accounts immediately notified to me, but the risk of someone getting into my phone (e.g. by observing me enter my PIN, and the stealing it) and being able to take control of those accounts via the linked email and 2FA which is tied to that number... is too great.

It'd be nice though if various cloud service providers would let you register a separate notification email in addition to the admin email. So that I could receive notifications like 'a user has logged in from a new computer to your account..." on my phone without that being the email address being the one that can also be used to retrieve/reset login and password credentials.

I'm sure for each provider there's a trivial pattern you can use and have only the "user has logged in from a new computer to your account..." notifications forwarded to your phone. Don't tell me your "secure email" where you receive the "2FA" mail allows forwarding but without even basic filters.

Re:So it you watch someone draw the pattern...

[vux984]

That's a neat idea; i presume you are talking about a mail handling rule/filter on my 'secure email' that forwards the messages to my 'regular email'.

It would be a fair bit of work to setup and test and I worry it would be much too brittle -- I mean how often do i reset passwords or login from new computer; and the vendor could change the message template at anytime, resulting in the notifications not coming through, or the wrong ones coming through.

On the otherhand, it does suggest an idea... to have it forward my phone a generic notification when i get email to the secure email from certain domains. That could work. Not perfect I'd have no way of telling without logging into the secure mail whether it was important or just some marketing blather. Hmm... I could have it preserve the subject line though... and strip the body.

We might have something workable as a strategy here... although getting it to run server side will be a hassle. Looks like server-side mail rules in outlook aren't robust enough; I might be able to do something with exchange/office365 though... but that's a bit of a PITA. For the other mail I'd want this for, its a personal account, but IMAP, hosted by a hosting company ( i ran my own mail server for years, but its more of a pain than I care for; and just not worth my time for one or two accounts anymore) anyhow -- I doubt I'll be able to get any robust server side message scripting for that either.

a simple "Forward subject line only" would be so trivial to have too... I'm almost surprised it doesn't seem to already exist as one of the canned options.

Re:So it you watch someone draw the pattern...

They can be beat, but it's not *easy*. Second, if you reset the phone, or shut just shut it off, it requires the passcode when it reboots.

Yes, that's how it works on an Android as well, regardless of whether you use pattern unlock or fingerprint.

This whole article is a big "Well no shit" moment. It's actually the exact same method used to "guess" or "crack" a PIN code.
It's far more difficult to crack a password simply because your finger movements are much smaller when typing on the tiny keypad, but you theoretically could guess a passphrase by watching how someone moves their hands as well.

Re: So it you watch someone draw the pattern...

[Jbcarpen]

This is why I push all the buttons before putting my card in.

Re:So it you watch someone draw the pattern...

There is actually a fix for that, at least on Android. For years now you have been able to get lockscreen apps that simply randomize the position of the numbers on the PIN entry pad.

We're talking about pattern lock, not PIN lock. There are no numbers to randomize.
The post you're replying to is talking about entering a passcode, which is entered on the keyboard not a PIN pad.
So STFU about things you obviously don't know about, AmiMojo.

Re:So it you watch someone draw the pattern...

[phantomfive]

Your solution of turning it off before a possible event is a step in the right direction, but it's not reliable enough. It works ok when you get pulled over ... you have lots of time between the lights flashing and officer at your window. But for a lot of situations you don't have that luxury. For example, if it is lost or stolen it'll still be turned on, or if you are arrested just walking down the street...

Or if you are grabbed when your phone is open, like dread pirate robert's.........

Re:So it you watch someone draw the pattern...

I thought it was gonna be something like "most people use 1 of these 5 patterns". Which is basically the reason I don't use the pattern lock, as I am sure I would pick a pattern that is easy to guess.

Re:So it you watch someone draw the pattern...

Seems like the "Look for the smudge on the screen" approach works in the first attempt.

Re:So it you watch someone draw the pattern...

[networkBoy]

I don't know, but I'm working on configuring my phone to use fingerprints, but perma lock the print sensor and require only a passphrase after 5 bad attempts (so just bounce on it with an unregistered finger if in danger of compromise).

Haven't quite gotten there yet, but trying.

Re:So it you watch someone draw the pattern...

The whole "well there's an app for that" line of reasoning is a fail for me. If the fix is relegated to an app, that simply means that millions of people will never get that app and never be protected. Indeed, how would a naïve user even know there is a problem? How would a busy person, or a kid more concerned with their friends, find the app? What process or procedure makes this a priority for them?

Oh I know the usual responses. "If they don't care or are clueless, they deserve what's coming." I reject this. Basic phone security ought to be a universal service, baked into the OS. None of this "well, all you have to do is browse though the 100,000 apps, find the 400 that relate to secure login, evaluate 20, and hopefully find one you are happy with and doesn't turn out to have a bushel of zero day exploits."

Re:So it you watch someone draw the pattern...

[flappinbooger]

They can be beat, but it's not *easy*. Second, if you reset the phone, or shut just shut it off, it requires the passcode when it reboots.

The the couple times I've been pulled over (speeding and a bad brake light), I've turned my iPhone off before the office came to my car. Nothing happened and they didn't ask or care about my phone, but it's a good idea anyway.

excellent idea. Insightful and underrated.

Re:So it you watch someone draw the pattern...

[flappinbooger]

I think the parent post is eluding to the concept of LEO interrogating people's phones for no reason which is BS. His idea of turning the phone off so that the phone requires passphrase and not just fingerprint is a good idea.

Re: So it you watch someone draw the pattern...

What's funny is I saw the fall coming for him long before, but only reading after did I see the solution.

Re:So it you watch someone draw the pattern...

[arglebargle_xiv]

I can do even better than their five attempts. Given nothing more than a couple of hard, pipe-hittin niggas with a pair of pliers and a blowtorch, I bet I can get any phone unlocked the first time what's left of the the owner is asked to do it.

Re:So it you watch someone draw the pattern...

[vux984]

I think the parent post is eluding to the concept of LEO interrogating people's phones for no reason which is BS. His idea of turning the phone off so that the phone requires passphrase and not just fingerprint is a good idea.

Yes, exactly. But that only works if you KNOW you are about to be interacting with LEO. In the event you are pulled over you do, but most other scenarios you don't have that kind of warning.

I mentioned theft etc because that is the other major threat to a phone. The issue for most people is that the risks to them from theft are quite different to the threats from LEO.

A fingerprint is with password on reboot is a reasonable deterrent to most theives getting at your data. but its not enough for LEO (as they to be able to compel it from you). A passphrase all the time is good enough for both LEO and Theives makes it too inconvenient to use the phone.

That was my point.

PS eluding should be alluding

Re:So it you watch someone draw the pattern...

[gl4ss]

the pattern lock is just pincodes - where you have to select the next number to be next to the previous(in whatever size grid you got).

and there is a fix for that, don't use pattern and use pin.

the article is fucking stupid though, that you can watch someone enter the pattern then lets you deduce the pattern is WILDY different than cracking it in 5 attempts cold.

Re:So it you watch someone draw the pattern...

[RubberDogBone]

The PCB mold with silicone trick doesn't work any more?

Yes it works. Moulded gummy bears and even photocopies also work in some cases.

Fingerprint locks are generally trivial to defeat provided there is access to a suitable print to copy. Of course prints are a key people leave everywhere they go. You don't get that with PINs or passwords or passphrases, or metal locks and keys.

Re:So it you watch someone draw the pattern...

[syntotic]

Oh, I SEE! They keep using programmers were you need mathematicians! I really thought security and cryptography were one of those tight disciplines, you know, no matter how much you want to innovate, it all ends up in a saddle point and every move is unnecessary or weakening or counterproductive. Blowfish or Twofish was the last major cryptographic something we invented, right? And all we can do is wait for bigger prime factorizations and that is it... But the boys keep trying... good. I am yet to get my first such device, it is good to know it is not only you need a credit line but also that it is made with feet ups and hands underneath.

Re:So it you watch someone draw the pattern...

[michael_wojcik]

The biggest problem with a passphrase is that entering it every time you get a text message is obnoxious and intolerable from a usability standpoint.

It's never bothered me.

"Man, every time I get a telegram, I have to open the envelope. Intolerable! How do people live under these brutal conditions?"

Re:So it you watch someone draw the pattern...

[vux984]

It's never bothered me.

How long and complicated is your passphrase. A four digit pin doesn't bother me. A long multiword phrase with punctuation is a lot more painful to enter into a touchscreen keyboard over and over again.

"Man, every time I get a telegram, I have to open the envelope. Intolerable! How do people live under these brutal conditions?"

Ah I see the issue here. You get text messages as often as you get telegrams. If I had to enter my passphrase once every 3 decades it wouldn't bother me either. 200x a day gets pretty tedious -- Hell, if I had to open that many envelopes a day i'd perhaps see the value in owning a letter opener (simplifying the task); I'd also relegate all envelope opening two one or two periods a day and just slog through it... but that's not really how text messaging tends to work.

Wow, they film the owner unlocking the device

What's next? Watching over someone's shoulder to snoop a password?

Can I patent that?

Re:Wow, they film the owner unlocking the device

[glenebob]

Yes, and then post it on slashdot, because it's such important news.

Re:Wow, they film the owner unlocking the device

Pics or it didn't happen

Oops!

In other news, Pin numbers and passwords can be cracked by videoing you entering them into your phone.

Whaat

While I get high value targets could well suffer from this who's going to want to film the average Joe's screen lock pattern?

From TFS

[Rik+Sweeney]

coffee in a busy cafÃf©

Come on, guys, it's 2017. Fix this already.

Re:From TFS

[Archangel+Michael]

It WON'T be fixed, thanks to Trolls using Unicode. But thanks for trying.

Re:From TFS

You're right that it won't be fixed any time soon, but it isn't (primarily) thanks to trolls.
Trolls just do what they do, they're utterly predictable and easily taken care off. Why do you think we aren't inundated with ASCII goatse?
No, the real issue is that the site's devs and/or administration had an autistic hatred against Unicode from the get go. All they needed was an excuse.
And now /. is pretty much the only reasonably high-profile site left that regularly experiences mojibake.

Re:From TFS

[fisted]

Maybé you'ré just incompétént?

Re:From TFS

[fisted]

Duly notéd.

Fuck that, I don't need software

[CajunArson]

Give me a $5 pipe wrench and I can get the pattern out of practically anybody.

Re:Fuck that, I don't need software

If I could find a $5 pipe wrench these days, I'd help you in that endeavor.

Re:Fuck that, I don't need software

ocean state job lot, $4.88 for 10' pipe wrench

Re:Fuck that, I don't need software

That's a good price for a 10" pipe wrench, but completely amazing price for a 10 foot (10') pipe wrench...

Yeah, I'm just commenting to highlight the difference between ' (foot) and " (inches) that is so commonly misused - even on a site such as this where people should know better.

I'm from Canada with the metric system - I shouldn't even have to catch this shit.

iPhone

Once again iPhone is superior

Re:iPhone

[Falos]

Poe's Law: A parody of an oblivious fanboy is indistinguishable from an oblivious fanboy.

Re: iPhone

In Afrikaans a "poes" is a c*nt.

Re: iPhone

I don't recommend immediately leaping to that when meeting a Poe offline.

omg nowai!

You can "crack" someone's password by watching them type it in?!? Someone call CNN!

Scratch patterns too will show the path

[140Mandak262Jamuna]

I don't use pattern. If you have the device, hold it at the correct angle and look at the scratches, you can see the pattern. With a little bit of image processing we can even detect the start and end by "fraying" of the pattern and the density of scratches can indicate the middle part of the path.

If you have high speed camera then even pin can be cracked. People are now taking care to hide the pin in POS terminals and ATM. Soon they will develop ways to screen the screen with a palm or something to thwart video cameras in public setting.

Re:Scratch patterns too will show the path

If you leave scratches in your phone just by using it as intended, maybe look into getting a better phone.

Re:Scratch patterns too will show the path

[slimshady76]

If you leave scratches in your phone just by using it as intended, maybe look into getting a better phone.

Hey, you have to take other possibilities into account. Maybe he's related to Wolverine...

Re:Scratch patterns too will show the path

Or stop using those gloves with sandpaper on the fingertips.

Re:Scratch patterns too will show the path

[CaptainDork]

On the TV show, "Ransom," the lead genius dusted the phone with a fine powder to reveal the four-digit passcode and then entered the person's birthday.

It was on TV, so it was real just like, "Scorpion," and "MacGyver."

Re:Scratch patterns too will show the path

Yes, and you have to respect Nokia. They know the way of the Samurai!

Re:Scratch patterns too will show the path

Or clean the crusty, dried jizz out from under your fingernails.

Re:Scratch patterns too will show the path

[gnick]

On my phone there are no obvious scratches, but you could pretty easily guess my passcode by looking at the oil residue from my fingers. Not even that hard - Just angle it a little against the light.

Re:Scratch patterns too will show the path

[thegarbz]

With a little bit of image processing we can even detect the start/quote

Too hard. I have an easier way, if the person is right handed the start is usually either on the left or the top. Intrinsically people swipe things they don't want to drop towards their hand rather than trying to flick it away.

Re:Scratch patterns too will show the path

[Alok]

The biggest issue that is the terminal and inputs are both visible to the public. Maybe future ATMs can just have a VR headset that will only display the screen to the user, and have a virtual keyboard or other randomized unlock mechanism. One problem is making a non-contact headset as it has to be used by multiple people, and dealing with lice issues etc.

Re:Scratch patterns too will show the path

Wouldn't that only work if you barely touch the phone after unlocking it?
I see the pattern right after unlocking as well, but after a few minutes of browsing, a bit of gaming and chatting, there are dots and line all over the places and actually my initial unlock isn't even identifiable even when I know where to look for it.

Re:Scratch patterns too will show the path

[gnick]

I get a lot of dots and lines after use, but very few seem to line up with the test pattern grid. It stays readily apparent (at least where I've swiped.)

not just pattern

Couldn't this same 'crack' work with PINs / passwords? If you are recording their touches, you can get any info

Just fake some inputs.

[Anonymous_Coward_No1]

If you are nervous enough all you have to do is act like you are making contact for a portion of the unlock.

Thinking about it too hard

[T.E.D.]

Why on earth do you need some complex setup involving surveillance equipment (which would defeat most schemes)?

I have a phone with the "pattern" security. I noticed straighaway that its barely security at all. All you have to do to see the pattern is look at the phone at an oblique angle. Human fingerprints leave oils behind and in the right light the pattern is clear as day. Since that is the most commonly touched area, its really obvious.

The only "trick" would be figuring out what order its done in. For most people (who aren't smart enough to use a spot twice), that'll take only 2 tries.

Re:Thinking about it too hard

[freeze128]

I can immediately think of a couple of things that can be done to make the pattern lock MORE secure:

1. Allow the user to move to non-adjacent spots.
2. Allow the user to double-back along the pattern.

Re:Thinking about it too hard

This isn't a problem if you use a swipe keyboard - the blurry tangle of swipe lines will obscure at least the bottom half of your lock pattern quite effectively.

Re:Thinking about it too hard

[alvinrod]

You could improve the security by using different images (say pictures of different types of fruit) instead of just dots, and then changing the location of the images for every login. I know that my unlock pattern is grape > apple > cherry > grape > pear, but the pattern I happen to draw (or just tap on the shapes since there's no requirement to draw) changes every time.

It's still not fool proof as anyone with a clear view will be able to see the exact images that were used and reproduce it, but it makes it more difficult for an attacker to rely on capturing hand movement and extrapolating the information from there. One could probably even improve on it a little more, perhaps by including useless information to throw off hackers. For example I could enter red square > blue circle > yellow triangle > green rhombus > red triangle, but I know that it's only the colors that matter and the shapes are meaningless data, but even that has limits to how much added security it brings.

Even then, if someone really wants to get into your device that badly, there isn't any form of security that can't be broken with enough time or resources. I suppose you could implement a one time pad password system if you knew the hardware was completely safe, but woe be unto you should you forget the sequence or where you're at in it, and it still doesn't stop someone from getting the password with their $5 wrench.

Re:Thinking about it too hard

My S7 Edge lets you double-back

Re:Thinking about it too hard

Not to mention that patterns are extremely limited in the type of patterns you can do.

Suppose you notice that there is a horizontal smear across the top row. This only has two possible interpretations: it is either a right-to-left swipe, or a left-to-right swipe.

You can't have a pattern like "right-to-left swipe, left-to-right swipe (back to the starting point) and then right-to-left swipe again", for example, which severely decreases the search space to break the pattern.

Re:Thinking about it too hard

If you are worried about your phone being hacked, just use a dumbphone instead.

Before you go all knee-jerk about how stupid that is....take a breath. You can call, text, and use a calendar all from a dumbphone. If you really, honestly, analyze your life, you will find that is more than enough connectivity for those brief periods when you don't otherwise have a means of accessing the Internet.

If someone steals your dumbphone, they really don't get much.

If you just can't live without 24/7 access to the web (you can, of course, but just in case you think you can't), you could exert a modicum of self-control and only use your data plan to browse the web. No social networking, no shopping, no managing your finances, and no work. Do all that on a non-mobile device. You will find you have plenty of opportunity.

Then, if someone gets in your phone, they can't use it to steal all your money or ruin your life.

It's not hard. Really it's not. You just have to get over the stupidity that the western world has accepted as fact.

Re:Thinking about it too hard

[Zontar+The+Mindless]

Or if you're like me and make frequent use of a Chinese character trainer app on your phone.

Re:Thinking about it too hard

[shaitand]

Wouldn't work, people wouldn't think to do #2 and doing #1 would make it take longer to unlock your phone. At that point there is no advantage over pin entry.

Re:Thinking about it too hard

> Allow the user to move to non-adjacent spots.

Could we number the spots, just to make clear which is which?

Re:Thinking about it too hard

[Archangel+Michael]

Pen Pineapple Apple Pen ... UGHHHH

Re:Thinking about it too hard

[cdrudge]

You could improve the security by using different images (say pictures of different types of fruit) instead of just dots, and then changing the location of the images for every login. I know that my unlock pattern is grape > apple > cherry > grape > pear, but the pattern I happen to draw (or just tap on the shapes since there's no requirement to draw) changes every time.

Or instead of images, how about we show them a series of glyphs. We could use say 0-9 if you wanted a lower number of permutations, or if you wanted a higher number, a-zA-z0-9 etc.

IOW, what you describe is just using a pin or password, just with different symbols.

Re:Thinking about it too hard

[CaptainDork]

The better solution is removable screens. When you want to get into the phone, take the screen out of your pocket, lay it over the phone, and return to your pocket afterwards.

I'll patent it and go on Shark Tank for funding and awareness and then submit the fucking article to /. for more click bait.

Re:Thinking about it too hard

[nigelo]

I have a V10 that moves the pattern sensor to wherever you first touch the screen, and it's not a problem at all to use, and actually helps to move the grease around on he screen somewhat.

Re:Thinking about it too hard

You could improve the security by using different images (say pictures of different types of fruit) instead of just dots, and then changing the location of the images for every login. I know that my unlock pattern is grape > apple > cherry > grape > pear, but the pattern I happen to draw (or just tap on the shapes since there's no requirement to draw) changes every time.

What about a pointed stick?

Re: Thinking about it too hard

I tried that, and after some weeks there was one app that I was missing to much: the city parking app.. yes, you can laugh, but I never have f# coins and the machines are always allow with cards, so the parking app that works all over the city where I live is just awesome. but unfortunately they don't do it for dumbphones.... yes I guess in some ways all this connectivity does make our lives easier, if you manage to stay away from this digital media BS (and these apps I didn't miss them at all!)

Re:Thinking about it too hard

[T.E.D.]

If you are worried about your phone being hacked, just use a dumbphone instead.

No, I'm kinda with you. The only reason I put on a lock screen at all is because Android forced me to in order to try out Android Pay. Yes, this means somebody who steals my phone can now use it to steal money from me (using the process I outlined in the GP). However, my phone case is a wallet case containing my bank cards, so they can do that anyway regardless of any security on the phone.

Give that the cards are already right there anyway, I've yet to be convinced that this Android pay thing is worth putting up with the security theater. I also use my phone as the head unit to my car stereo, and having to unlock it when it sleeps is a major issue.

Re:Thinking about it too hard

Try this pattern yourself: https://i2.wp.com/www.droidtipstricks.com/wp-content/uploads/2014/06/Hardest-coolest-pattern-lock-android-2.png

I think the problem of observing oily residue is that you have to do it immediately after the user entered the pattern, otherwise the oils will be messed up.

Re:Thinking about it too hard

All the pattern locks that I've used won't allow you to use a spot twice.

so?

In other news, your kid can steal your password by looking at your hands when you type it on the keyboard.

this is no different than meta data

metadata
meddd,meddad/
noun
a set of data that describes and gives information about other data.

what the fuck???? record them doing it?????

What a bullshit non "story" - yea lets record them entering their pattern

Why the fuck do I keep coming back to this pussy whipped brady bunch version of Slashdot for?

Re:what the fuck???? record them doing it?????

I don't know about you, but I keep coming back for the GNAA trolls.

Doesn't work on PINs for ... what reason again?

[Opportunist]

What's the big difference between watching someone type a PIN and watching someone smear finger grease all over his phone?

Re:Doesn't work on PINs for ... what reason again?

One way to make PINs safer against indirect observation is to use a randomized number pad on each login. I find it requires no conscious attention in daily use, but I'm not sure how many people have it enabled.

Brute force method

[lucaiaco]

New research from my basement shows for the first time that attackers can force a user to reveal their password by beating them up with a hard stick.

The attack does not depend on the authentication technology or device used. Billions of devices can be cracked within just one or two attempt.

Re:Brute force method

[shaitand]

This is especially troubling, I wouldn't be surprised if variations on this technique couldn't also be used to acquire a user's secondary authentication device.

Re:Brute force method

[lucaiaco]

Thanks for your suggestions. We will start investigating this possibility as soon as our NSF checks get cleared.

Related: AI Predicts If Users Read Article

I feel like is just a test to see if people actually read the contents of an article, or if they're just jumping through headlines. Whatever. This just in: the sky is blue.

well

there is a fix for this you do a snowden.

me i have voice password not voice recognition but i have to say my pass to unlock it but no one is listening so its ok.

foiled!!

...i hold my phone upside down when unlocking.

Re:foiled!!

[Oswald+McWeany]

Steve Jobs would say "you're holding it wrong."

I would be interested if.....

[Elfich47]

If the camera system is watching the gestures from the blind side of the phone and making a guess based on the gestures that is can see. IE the camera's vision is occluded by the phone itself but it can see some of the gestures operating the phone and can make a guess from there. Somehow I think this would be more than 5 candidates.

all but what one?

[magarity]

During tests, researchers were able to crack all but one of the patterns categorised as complex within the first attempt

What was the uncrackable pattern? They should release this info so security-minded users can switch over to that one.

Re:all but what one?

[wonkey_monkey]

Top left, bottom right, middle bottom, bottom left, middle, middle-right? That's the combination to my ah screw it.

More Non-News

[LeftCoastThinker]

TLDR: Some dude figures out that video recording someone entering their password lets you figure out the password...

Re:More Non-News

[CaptainDork]

Thanks for the fucking spoiler.

I saw a movie with a similar plot involving credit card skimmers with hidden cameras.

Formulaic plot.

Click

BAIT

Phone locked after 5 attempts?

Not my wife's phone. After 10 attempts it WIPES THE FUCKING PHONE. This "feature" was enabled by default.

Somebody decided leave that enabled by default. You know what that person doesn't have? KIDS.

My four year old handed mommy's phone back to her twice totally erased before I figured out what was happening.

Re:Phone locked after 5 attempts?

[Oswald+McWeany]

I have bad news for you.

Your four year old is Russian.

Re:Phone locked after 5 attempts?

[Elfich47]

Normally there is a pretty long lag with the retries after retry 5 or six. The kid must have been playing with the phone for hours for that to occur.

Re:Phone locked after 5 attempts?

I have bad news for you.

Your four year old is Russian.

It's when they tell you that they're adopted that you have to start worrying.

Re:Phone locked after 5 attempts?

Not with whatever Android version this is. 9 attempts with no delay, then the 10th shows a warning that one more try will cause a wipe. It took the kid less than 30 seconds to do it.

Hacking?

Let me get this straight...according to these "security" guys, if I video record someone putting in their pattern, I can hack their phone in five moves.

I'm pretty sure if I video record someone entering their password, pin, or pattern, I can hack their phone in one move.

I have observed dozens of pin and swipes

I have observed dozens of pin and swipes with enough scrutiny to *temporarily deduce the phone unlocking procedure. This includes friends and family (which I admit are harder to forget). I suggest that busy check outlines and bus stops are even better locations than a coffee shop for peering over shoulders... Where can I publish my amazing research? For my next trick, I will beat someone over the head in the parking lot and steal their phone, demonstrating another vulnerability in personal security! Perhaps I can apply for grant funding ?

I usually cleanse my mind of this extraneous data, but some stay with me for whatever reason...

LOL

[rebelwarlock]

So after recording someone entering the unlock combination, you still take multiple tries to figure it out?

Re:LOL

Computers are smart!

too many restrictions on the pattern

[Khashishi]

It's not that the pattern lock is a bad idea for a lock system. It's just that the pattern is too restricted, so the space of patterns is just very small. Give us some options to increase the size of the grid, and allow us to hit a node multiple times in one pattern. Even let us use multiple fingers to do a chordal stroke pattern. There's a lot you can do to greatly increase the entropy without detracting from the simplicity. In my mind, the fact that you can't hit a node multiple times feels LESS simple to me, while also making it much less secure.

I'm aggravated that it feels like Google is forcing a dumbed down solution to compete with Apple.

Re:too many restrictions on the pattern

[nevermore94]

This is one of the best responses on this whole thread. Unfortunately, no mod points today.

Re:too many restrictions on the pattern

Exactly. I am baffled as to why they don't allow you to use the same spot multiple times. I always looked at it like losing someone in the snow...you have to go over the same tracks at least twice to lose them. If you go over the same portion of a pattern more than once, it's much, much harder to figure out what that pattern actually is, even if you're recording it. If you trace a pattern, then backtrack on part of it, then go forward again, shift over one spot and repeat, etc. the odds of finding the true pattern are much lower.

Fingerprint Unlock

[edtice1559]

This is a good argument for the fingerprint unlock. I rarely enter my PIN. Sure there are downsides (somebody could cut off my finger) but it's probably still more secure than a PIN or pattern. If somebody was serious about cutting off my finger, I would unlock the phone for them regardless of what authentication method I might be using. I don't have anything valuable enough to risk injury over. If I did, I wouldn't be unlocking my phone at all somewhere like a coffee shop with horrible physical security. Information security, lest we forget, starts with physical security.

Re:Fingerprint Unlock

Agreed. I do have a swipe requirement when powering on. Every once in a while my phone will require a swipe (new location that is not in my regular destinations? Not sure).

I also like it because my wife and I have set up our fingerprints on each other's phones so we can check a message real fast if the other is in dispose. We've added ours on the kids' phones as well, which makes doing weekly family discussions and checks for appropriate cell phone use easier.

Re:Fingerprint Unlock

[T.E.D.]

The only reason I put a lock on the phone at all is that I was trying out Android Pay, and it requires a lock. Since I keep my cards in my phone case, a lock provides me 0 extra security, but whatever.

I tried out the fingerprint unlock. It is very rare that it unlocks for me on the first try, and not at all uncommon that it fails all tries and forces me to use the passcode. By the time that I've gone through all that, whatever tidbit of info I wanted from opening the phone has long since ceased to be worth the trouble.

The main person locked out of my phone by my fingerprint unlock was me.

Re:Fingerprint Unlock

[edtice1559]

That's too bad. I have the iPhone 6S and the unlock works pretty reliably. Doesn't work well for my wife. That being said, it is a good unlock technique for use in public spaces since you don't risk revealing your PIN. Hopefully the technology will improve so it will work for more people. I do Apple Pay the same way you do. Store the chip card with the phone and use the card!

Re:Fingerprint Unlock

[T.E.D.]

I have family members with iThings that use fingerprint, so I know it works OK there (for some people anyway). So it could be that it just sucks on Android, or (more likely) just sucks on the old Note 5 I have, or sucks just for me.

Re:Fingerprint Unlock

[RubberDogBone]

Cut off your finger? No they don't need to do that, unless they want to.

No, a fingerprint lock is great except it's a lock where you leave the keys everywhere you go. Your prints. It is basically simple to lift prints from anything you have touched, copy them in a suitable manner and material, and boom the device is unlocked.

So no, they don't need your finger. A lucky one would be to lift your own print off the phone itself and use that to get in. But you touch many other things all day long so it's not hard to find something.

Re:Fingerprint Unlock

[edtice1559]

This is certainly true, but to pull this off I have to be an *intended* target rather than a target of opportunity. If you are somebody who is worth specifically targeting, you will have much different security needs. And those probably start with having an (armed) bodyguard who will ensure that they never get possession of your device. For ordinary people who might be targets of opportunity, a fingerprint is quite reasonable. Even if you unlock your phone in the coffee shop and throw out your cup, by the time a lone operator retrieves the cup and lifts the print, you are long gone. If, OTOH, they are stalking you at the coffee shop, you may need a bigger defense. But in that case, we are talking about threats of violence and a much different scenario.

False security

[dauvis]

And this is why the only reason you would use it is to keep the young kids from being able to play with the phone.

How about a new technology ...

[CaptainDork]

... that allows for licking the lock screen?

The mouth would cover a large area while the tongue makes hidden movements.

Hell, people won't eat a bagel that someone else has licked, amiright?

Less abrasion and the screens could come in strawberry, chocolate, and cherry.

I will be patenting this idea and appear on Shark Tank for funding and exposure and then I'll be posting the article here on /. for more click bait.

Re:How about a new technology ...

[RubberDogBone]

There is probably a kink for eating things other people have eaten.

um

My unfortunately not imaginary ex-girlfriend, whom facebook insists I really still want to refriend, may have dumped me and moved on, but every guy after me is, well, going after me. I was the first to enjoy eating there.

I doubt that has discouraged any of the guys she has been with since me.

This is a bit of a crude example that people regularly DO put their mouths on things other people have had in their mouths. And other places. So I don't think it would work as a discouragement.

Equally true though, I once worked in a very small office of a very big tech company. That location had a lot of temps and a lot of thefts of lunch from the break room. It was a freeforall in there. One of my coworkers, who was openly gay, got very fed up with his lunches being stolen and began marking them with "Go ahead and steal my lunch. I SPAT IN IT! YUM!" The building was unsure whether he had any diseases or not, but it DID keep his lunches from being stolen again.

Re:How about a new technology ...

[CaptainDork]

It's a shame (for him) science didn't support him and a shame for the hungry who don't bother with science.

Easier than that.

[CODiNE]

Just hold the phone up to the light and angle it til you see the smear pattern. Usually facial oils make a nice even coating on it leaving a pretty clear smudge pattern of the unlock slime dragging pattern.

Now to eat lunch!

Re:Easier than that.

You are unlocking your phone by smushing it against... YOUR FACE??

Captain Obvious is a cracking expert.

[geekmux]

Shoulder surfing is now considered "cracking"?

And here I thought we couldn't possibly get any worse than the media ass-raping the definition of "hacker".

From the book of Captain Obvious, looking at smudges on the fucking phone glass will likely reveal the pattern lock password too.

Also pin and voice pattern

[aglider]

If you can record someone unlocking the phone, then you can unlock it as well. And it seems that it could work with hires photos of finger prints. So, no news!

Easy fix - Reminds me of secure pinpad

[ripvlan]

An easy fix might be to steal ideas from a secure pin pad that I used to use. Long before modern RF badges existed, entry to my office was guarded by a devilish PIN pad designed to prevent stealing of PINs in the manner described. There were several things making it secure:

First - a computer chose my PIN for me. I had to (keep printed PIN in wallet ^H^H^H^H) memorize, I mean memorize !! the ....
10 digit long PIN...that was a random series of numbers.
One had to stand immediately in front of keypad to see the digits (and boy do I mean In Front).

And to make it extra user friendly !! (not) --- the digit location was dynamic, meaning the digits appeared in random locations each time it was turned on. 10 digits of hunting and pecking. The hack was they could just tailgate with everyone else and wait for the designated PIN "enterer" to open the door ("hi I'm the new guy"). Each morning it was a "race" to see who could walk the slowest across the parking lot and Not Be First!! Entering a PIN was slow so usually 5+ people would collect by the time the door was opened.

Now - if the Android Pattern shifted each time you turned it on - this video attack wouldn't work as well. It would also mean that your passcode couldn't be "the figure 8." Of course there might be an attack vector related to watching people pause to figure out how to connect their dots.

oh - and if you didn't punch your passcode fast enough it would timeout and shutoff. Forcing you to start over again. Yeah this system was despised by everyone. Later they put one on the data center door.

In Other News

the exact same attack can be used for a pin or any other lock mechanism that requires gestures.

Don't use weak security measures for things that really matter.

I can do it in one

[Stavr0]

Just by looking at the cheeto-grease smears on the screen

unlikely scenario

[beevobedobo]

So someone has to video me unlocking my phone, then gain possession of my phone? Seems an unlikely scenario.

Re:unlikely scenario

I think the scenario is more likely your mate or your girlfriend wants to install some software on your phone to make sure you don't have an affair with someone!
This is a way to do it without raising your suspicion.

two things...

.... once in a new phone I forgot my pattern, just had to look at the screen carefully and follow the path of dirt/fat/Pringles on the screen and voila :)
two. as when typing you card pin you should hide it, pattern can easily be hidden by some random movements before and after drawing the real pattern on the screen...

Extremely misleading headline

[hackel]

msmash, you should be ashamed of yourself. This headline comes across as an actual vulnerability, but it's not. At all. Of course if you have line of sight to your target, you can do things like this, just as you can for a numeric pin or password. I'm not even quite sure what the point of this "research" was... Perhaps that with patterns, there is a slightly larger array of observation angles from which an attack can reliably succeed? That's the only thing that I can think of, and if so it's not very convincing.

Security theatre

[gringer]

If someone (generally meaning someone I don't or shouldn't trust) has my phone, I consider it compromised. Finger smudges are the easiest way to get into a pattern-locked device; this demonstrates that there are others. As JWZ says,

And if the screen locker is not secure, then it's better to not lock the screen at all: giving the impression of security when there is no actual security is far worse than having no security at all. It's a matter of expectations: if people don't expect to be able to lock their screens, they'll log out. But if they expect to be able to lock their screens and it doesn't actually work, then they're screwed.

[from https://www.jwz.org/xscreensav...

I use pattern lock to stop my phone auto-dialling Aunt Sarah when its in my pocket, not to keep other people out. If I had a flip phone, I wouldn't have a lock screen at all.

That seems over complicated...

[JDeane]

I can usually get it in two tries...

A reasonably bright light source and picking up the phone and holding it at an angle can usually show the long smudge trail left by people using one of those lock screens... Z type patterns seem to be the most popular.

Unless they just finished playing a game of Angry birds or something.... Then you gotta wait :(

Worst. Article. Ever.

I'm even taking Junis/Katz into account...

The Uri Geller approach to hacking

[DrXym]

One of Uri Geller's shitty party tricks was to invite people to draw a shape, looking away while they did it and then guess what they drew. And to the astonishment of all he was right.

The trick of course was he was looking and had memorized the most common shapes people drew and could give a fair guess. House, boat etc. This seems like a glorified version of that with little use in the real world.

Nothing to see here.

If i record someone entering their pin in a bank machine I can crack their PIN for their debit card. If I video someone typing their password into a computer I can "guess" their password. Of course if someone records any type of secure system they can crack it.

why does it take five attempts?

It is able to successfully crack 87.5 per cent of median complex patterns and 60 per cent of simple patterns with the first attempt.
Refer https://youtu.be/2fagM6sQD8Y?t=153

Comment removed

[account_deleted]

Comment removed based on user account deletion

Just automating Old School stuff

There's an old stage "mentalist" trick that, shorn of the presentation that makes the audience go "Wow!", consists of (a) getting someone to write a number or letter on a piece of paper that's facing away from you, and then (b) telling them what they wrote. It definitely relies on skill, but also on keeping the possibilities limited and the movements nice and visible. Done right, a performer can "read" what is written from way across a stage, just by watching the hand and pencil movements. It's no surprise to me that someone has worked out how to automate something that is, ultimately, very similar.