Slashdot Mirror


Android Device's Pattern Lock Can Be Cracked Within Five Attempts, Researchers Show (phys.org)

The popular Pattern Lock system used to secure millions of Android phones can be cracked within just five attempts -- and more complicated patterns are the easiest to crack, security experts reveal. From a research paper: Pattern Lock is a security measure that protects devices, such as mobile phones or tablets, and which is preferred by many to PIN codes or text passwords. It is used by around 40 percent of Android device owners. In order to access a device's functions and content, users must first draw a pattern on an on-screen grid of dots. If this matches the pattern set by the owner then the device can be used. However, users only have five attempts to get the pattern right before the device becomes locked. New research from Lancaster University, Northwest University in China, and the University of Bath, which benefitted from funding from the Engineering and Physical Sciences Research Council (EPSRC), shows for the first time that attackers can crack Pattern Lock reliably within five attempts by using video and computer vision algorithm software. By covertly videoing the owner drawing their Pattern Lock shape to unlock their device, while enjoying a coffee in a busy cafe, for example, the attacker, who is pretending to play with their phone, can then use software to quickly track the owner's fingertip movements relative to the position of the device. Within seconds the algorithm produces a small number of candidate patterns to access the Android phone or tablet.

4 of 147 comments

  1. Scratch patterns too will show the path by 140Mandak262Jamuna · · Score: 4, Interesting
    I don't use a pattern. If you have the device, hold it at the correct angle and look at the scratches, you can see the pattern. With a little bit of image processing we can even detect the start and end by "fraying" of the pattern and the density of scratches can indicate the middle part of the path.

    If you have a high-speed camera then even a PIN can be cracked. People are now taking care to hide the PIN in POS terminals and ATMs. Soon they will develop ways to screen the screen with a palm or something to thwart video cameras in a public setting.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  2. Re:Thinking about it too hard by alvinrod · · Score: 4, Interesting

    You could improve the security by using different images (say pictures of different types of fruit) instead of just dots, and then changing the location of the images for every login. I know that my unlock pattern is grape > apple > cherry > grape > pear, but the pattern I happen to draw (or just tap on the shapes since there's no requirement to draw) changes every time.

    It's still not foolproof as anyone with a clear view will be able to see the exact images that were used and reproduce it, but it makes it more difficult for an attacker to rely on capturing hand movement and extrapolating the information from there. One could probably even improve on it a little more, perhaps by including useless information to throw off hackers. For example I could enter red square > blue circle > yellow triangle > green rhombus > red triangle, but I know that it's only the colors that matter and the shapes are meaningless data, but even that has limits to how much added security it brings.

    Even then, if someone really wants to get into your device that badly, there isn't any form of security that can't be broken with enough time or resources. I suppose you could implement a one-time pad password system if you knew the hardware was completely safe, but woe be unto you should you forget the sequence or where you're at in it, and it still doesn't stop someone from getting the password with their $5 wrench.

  3. Re:So if you watch someone draw the pattern... by vux984 · · Score: 4, Interesting

    The biggest problem with a passphrase is that entering it every time you get a text message is obnoxious and intolerable from a usability standpoint.

    Your solution of turning it off before a possible event is a step in the right direction, but it's not reliable enough. It works ok when you get pulled over ... you have lots of time between the lights flashing and officer at your window. But for a lot of situations you don't have that luxury. For example, if it is lost or stolen it'll still be turned on, or if you are arrested just walking down the street...

    Stuff like Samsung Knox has the potential to be a good middle ground -- a secure container within your phone. So you can fingerprint/short PIN to access your phone, GPS, SMS and your pay-by-phone parking app, etc. but have your documents and pictures and work email still behind a passphrase.

    (I'm not sure how good Knox is in particular, but the concept at least I think is a good idea.) And I realize for some people even the SMS and parking app they want behind the passphrase because it'll reveal who they talked to or where they parked etc... I get that. Security is always a trade off between convenience and security... for me always passphrase is too obnoxious to use -- I tried it, while only fingerprint or 4-digit PIN is far too weak to protect say, my email (more from thieves than from law enforcement... ) the potential damage a thief could do with my phone is scary.

    The only reasonable solution with current phones is to not have much of anything on them. So for example, the email account I have linked to the domain registrations and various other online services and resources I have access to is NOT on my phone. This is frequently inconvenient and a bit ironic -- on the one hand I WANT the notifications of any activity on those accounts immediately notified to me, but the risk of someone getting into my phone (e.g. by observing me enter my PIN, and then stealing it) and being able to take control of those accounts via the linked email and 2FA which is tied to that number... is too great.

    Maybe Knox-type solutions would be a solution... I just haven't actually had the time to try it.

    It'd be nice though if various cloud service providers would let you register a separate notification email in addition to the admin email. So that I could receive notifications like "a user has logged in from a new computer to your account..." on my phone without that email address being the one that can also be used to retrieve/reset login and password credentials.

  4. Re:So if you watch someone draw the pattern... by AmiMoJo · · Score: 4, Interesting

    There is actually a fix for that, at least on Android. For years now you have been able to get lockscreen apps that simply randomize the position of the numbers on the PIN entry pad. It doesn't matter if someone sees your finger movements because unless they can also see the text on the screen they still won't know what your PIN is. Same with smudge attacks.

    Does iOS allow you to do this? If not then, joking aside, I would consider it a vulnerability.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
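
The randomized PIN pad described in comment 4, which is the same idea as the relocated images in comment 2, as an added Python sketch that is not part of the thread or of any lockscreen app. The slot numbering, function names and sample PINs are constructed for illustration; the sketch also shows what a once-per-unlock shuffle still reveals, namely which touches repeated.

```python
import secrets

STANDARD = "1234567890"        # assumption: slot i of the fixed pad shows STANDARD[i]
_rng = secrets.SystemRandom()  # OS CSPRNG; a predictable shuffle would undo the defence

def new_layout():
    """Fresh random assignment of the ten digits to the ten key slots."""
    digits = list(STANDARD)
    _rng.shuffle(digits)
    return "".join(digits)

def touches(pin, layout):
    """Slots the finger lands on when `pin` is entered on `layout`."""
    return [layout.index(d) for d in pin]

def observer_guess(slots):
    """What finger positions alone (video, smudges) decode to on the fixed pad."""
    return "".join(STANDARD[s] for s in slots)

def repeat_shape(slots):
    """Which touches hit the same slot, e.g. [0, 0, 1, 2].
    This is independent of the layout, so one shuffle per unlock does not hide it."""
    seen = {}
    return [seen.setdefault(s, len(seen)) for s in slots]

def consistent_pins(slots):
    """Number of PINs that fit the observed slots when the layout is unknown."""
    count = 1
    for i in range(len(set(slots))):
        count *= 10 - i
    return count

if __name__ == "__main__":
    pin = "2580"  # constructed sample PIN
    print("fixed pad   :", observer_guess(touches(pin, STANDARD)))
    for _ in range(3):
        layout = new_layout()
        print("shuffled pad:", layout, "->", observer_guess(touches(pin, layout)))
    slots = touches("1123", new_layout())  # constructed PIN with a repeated digit
    print("repeat shape:", repeat_shape(slots), "PINs left:", consistent_pins(slots))
```

A PIN with four distinct digits leaves 5040 candidates to a position-only observer, while one with a repeated digit such as the sample above leaves 720, so distinct digits get the most out of this defence.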