Slashdot Mirror

← Back to Stories (view on slashdot.org)

Android Device's Pattern Lock Can Be Cracked Within Five Attempts, Researchers Show (phys.org)

Posted by msmash on from the security-woes dept.

The popular Pattern Lock system used to secure millions of Android phones can be cracked within just five attempts -- and more complicated patterns are the easiest to crack, security experts reveal. From a research paper: Pattern Lock is a security measure that protects devices, such as mobile phones or tablets, and which is preferred by many to PIN codes or text passwords. It is used by around 40 percent of Android device owners. In order to access a device's functions and content, users must first draw a pattern on an on-screen grid of dots. If this matches the pattern set by the owner then the device can be used. However, users only have five attempts to get the pattern right before the device becomes locked. New research from Lancaster University, Northwest University in China, and the University of Bath, which benefitted from funding from the Engineering and Physical Sciences Research Council (EPSRC), shows for the first time that attackers can crack Pattern Lock reliably within five attempts by using video and computer vision algorithm software. By covertly videoing the owner drawing their Pattern Lock shape to unlock their device, while enjoying a coffee in a busy cafe; for example, the attacker, who is pretending to play with their phone, can then use software to quickly track the owner's fingertip movements relative to the position of the device. Within seconds the algorithm produces a small number of candidate patterns to access the Android phone or tablet.

24 of 147 comments (clear)

  1. So it you watch someone draw the pattern... by Anonymous Coward · · Score: 5, Insightful

    You can break it?

    WOW!!!! Computers are so smart!!!

    1. Re:So it you watch someone draw the pattern... by tripleevenfall · · Score: 5, Funny

      Breaking: iPhones have a zero-day vulnerability that involves you watching someone enter their password. No ETA on a fix.

    2. Re:So it you watch someone draw the pattern... by Archangel+Michael · · Score: 4, Informative

      Here's the two biggest problems with fingerprint sensors. Those two are easily beat. Further, a fingerprint can be compelled by law enforcement to unlock phones, where a passphrase cannot.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    3. Re:So it you watch someone draw the pattern... by Pinky's+Brain · · Score: 2

      The PCB mold with silicone trick doesn't work any more?

    4. Re:So it you watch someone draw the pattern... by vux984 · · Score: 4, Interesting

      The biggest problem with a passphrase is that entering it every time you get a text message is obnoxious and intolerable from a usability standpoint.

      Your solution of turning it off before a possible event is a step in the right direction, but it's not reliable enough. It works ok when you get pulled over ... you have lots of time between the lights flashing and officer at your window. But for a lot of situations you don't have that luxury. For example, if it is lost or stolen it'll still be turned on, or if you are arrested just walking down the street...

      Stuff like samsung knox has the potential to be a good middle ground -- a secure container within your phone. So you can fingerprint/ short PIN to access your phone, GPS, SMS and your pay-by-phone parking app, etc but have your documents and pictures and work email still behind a passphrase.

      (I'm not sure how good knox is in particular, but the concept at least I think is a good idea.) And I realize for some people even the SMS and parking app they want behind the passphrase because it'll reveal who they talked to or where they parked etc... I get that. Security is always a trade off between convenience and security... for me always passphrase is too obnoxious to use -- I tried it, while only fingerprint or 4-digit PIN is far too weak to protect say, my email (more from theives than from law enforcement... ) the potential damage a theif could do with my phone is scary.

      The only reasonable solution with current phones is to not have much of anything on them. So for example, the email account I have have linked to the domain registrations and various other online services and resources I have access to is NOT on my phone. This is frequently inconvenient and bit ironic -- on the one hand I WANT the notifications of any activity on those accounts immediately notified to me, but the risk of someone getting into my phone (e.g. by observing me enter my PIN, and the stealing it) and being able to take control of those accounts via the linked email and 2FA which is tied to that number... is too great.

      Maybe knox type solutions would be a solution... i just haven't actually had the time to try it.

      It'd be nice though if various cloud service providers would let you register a separate notification email in addition to the admin email. So that I could receive notifications like 'a user has logged in from a new computer to your account..." on my phone without that being the email address being the one that can also be used to retrieve/reset login and password credentials.

    5. Re:So it you watch someone draw the pattern... by AmiMoJo · · Score: 4, Interesting

      There is actually a fix for that, at least on Android. For years now you have been able to get lockscreen apps that simply randomize the position of the numbers on the PIN entry pad. It doesn't matter if someone sees your finger movements because unless they can also see the text on the screen they still won't know what your pin is. Same with smudge attacks.

      Does iOS allow you to do this? If not then, joking aside, I would consider it a vulnerability.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:So it you watch someone draw the pattern... by flappinbooger · · Score: 2

      They can be beat, but it's not *easy*. Second, if you reset the phone, or shut just shut it off, it requires the passcode when it reboots.

      The the couple times I've been pulled over (speeding and a bad brake light), I've turned my iPhone off before the office came to my car. Nothing happened and they didn't ask or care about my phone, but it's a good idea anyway.

      excellent idea. Insightful and underrated.

      --
      Flappinbooger isn't my real name
    7. Re:So it you watch someone draw the pattern... by RubberDogBone · · Score: 2

      The PCB mold with silicone trick doesn't work any more?

      Yes it works. Moulded gummy bears and even photocopies also work in some cases.

      Fingerprint locks are generally trivial to defeat provided there is access to a suitable print to copy. Of course prints are a key people leave everywhere they go. You don't get that with PINs or passwords or passphrases, or metal locks and keys.

      --
      Sig for hire.
  2. Wow, they film the owner unlocking the device by Anonymous Coward · · Score: 2, Insightful

    What's next? Watching over someone's shoulder to snoop a password?

    Can I patent that?

    1. Re:Wow, they film the owner unlocking the device by glenebob · · Score: 2

      Yes, and then post it on slashdot, because it's such important news.

  3. From TFS by Rik+Sweeney · · Score: 4, Insightful

    coffee in a busy cafÃf©

    Come on, guys, it's 2017. Fix this already.

    --
    Summation 2
  4. Scratch patterns too will show the path by 140Mandak262Jamuna · · Score: 4, Interesting
    I don't use pattern. If you have the device, hold it at the correct angle and look at the scratches, you can see the pattern. With a little bit of image processing we can even detect the start and end by "fraying" of the pattern and the density of scratches can indicate the middle part of the path.

    If you have high speed camera then even pin can be cracked. People are now taking care to hide the pin in POS terminals and ATM. Soon they will develop ways to screen the screen with a palm or something to thwart video cameras in public setting.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Scratch patterns too will show the path by slimshady76 · · Score: 4, Funny

      If you leave scratches in your phone just by using it as intended, maybe look into getting a better phone.

      Hey, you have to take other possibilities into account. Maybe he's related to Wolverine...

    2. Re:Scratch patterns too will show the path by CaptainDork · · Score: 2

      On the TV show, "Ransom," the lead genius dusted the phone with a fine powder to reveal the four-digit passcode and then entered the person's birthday.

      It was on TV, so it was real just like, "Scorpion," and "MacGyver."

      --
      It little behooves the best of us to comment on the rest of us.
    3. Re:Scratch patterns too will show the path by gnick · · Score: 2

      On my phone there are no obvious scratches, but you could pretty easily guess my passcode by looking at the oil residue from my fingers. Not even that hard - Just angle it a little against the light.

      --
      He's getting rather old, but he's a good mouse.
  5. Thinking about it too hard by T.E.D. · · Score: 5, Insightful

    Why on earth do you need some complex setup involving surveillance equipment (which would defeat most schemes)?

    I have a phone with the "pattern" security. I noticed straighaway that its barely security at all. All you have to do to see the pattern is look at the phone at an oblique angle. Human fingerprints leave oils behind and in the right light the pattern is clear as day. Since that is the most commonly touched area, its really obvious.

    The only "trick" would be figuring out what order its done in. For most people (who aren't smart enough to use a spot twice), that'll take only 2 tries.

    1. Re:Thinking about it too hard by alvinrod · · Score: 4, Interesting

      You could improve the security by using different images (say pictures of different types of fruit) instead of just dots, and then changing the location of the images for every login. I know that my unlock pattern is grape > apple > cherry > grape > pear, but the pattern I happen to draw (or just tap on the shapes since there's no requirement to draw) changes every time.

      It's still not fool proof as anyone with a clear view will be able to see the exact images that were used and reproduce it, but it makes it more difficult for an attacker to rely on capturing hand movement and extrapolating the information from there. One could probably even improve on it a little more, perhaps by including useless information to throw off hackers. For example I could enter red square > blue circle > yellow triangle > green rhombus > red triangle, but I know that it's only the colors that matter and the shapes are meaningless data, but even that has limits to how much added security it brings.

      Even then, if someone really wants to get into your device that badly, there isn't any form of security that can't be broken with enough time or resources. I suppose you could implement a one time pad password system if you knew the hardware was completely safe, but woe be unto you should you forget the sequence or where you're at in it, and it still doesn't stop someone from getting the password with their $5 wrench.

    2. Re:Thinking about it too hard by nigelo · · Score: 2

      I have a V10 that moves the pattern sensor to wherever you first touch the screen, and it's not a problem at all to use, and actually helps to move the grease around on he screen somewhat.

      --
      *Still* negative function...
  6. Doesn't work on PINs for ... what reason again? by Opportunist · · Score: 2

    What's the big difference between watching someone type a PIN and watching someone smear finger grease all over his phone?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. More Non-News by LeftCoastThinker · · Score: 3, Funny

    TLDR: Some dude figures out that video recording someone entering their password lets you figure out the password...

    --
    If you disagree, please post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like
  8. Re:foiled!! by Oswald+McWeany · · Score: 3, Funny

    Steve Jobs would say "you're holding it wrong."

    --
    "That's the way to do it" - Punch
  9. LOL by rebelwarlock · · Score: 3, Funny

    So after recording someone entering the unlock combination, you still take multiple tries to figure it out?

  10. too many restrictions on the pattern by Khashishi · · Score: 3, Insightful

    It's not that the pattern lock is a bad idea for a lock system. It's just that the pattern is too restricted, so the space of patterns is just very small. Give us some options to increase the size of the grid, and allow us to hit a node multiple times in one pattern. Even let us use multiple fingers to do a chordal stroke pattern. There's a lot you can do to greatly increase the entropy without detracting from the simplicity. In my mind, the fact that you can't hit a node multiple times feels LESS simple to me, while also making it much less secure.

    I'm aggravated that it feels like Google is forcing a dumbed down solution to compete with Apple.

  11. Captain Obvious is a cracking expert. by geekmux · · Score: 2

    Shoulder surfing is now considered "cracking"?

    And here I thought we couldn't possibly get any worse than the media ass-raping the definition of "hacker".

    From the book of Captain Obvious, looking at smudges on the fucking phone glass will likely reveal the pattern lock password too.