Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Android Google

Android Device's Pattern Lock Can Be Cracked Within Five Attempts, Researchers Show (phys.org) 147

The popular Pattern Lock system used to secure millions of Android phones can be cracked within just five attempts -- and more complicated patterns are the easiest to crack, security experts reveal. From a research paper: Pattern Lock is a security measure that protects devices, such as mobile phones or tablets, and which is preferred by many to PIN codes or text passwords. It is used by around 40 percent of Android device owners. In order to access a device's functions and content, users must first draw a pattern on an on-screen grid of dots. If this matches the pattern set by the owner then the device can be used. However, users only have five attempts to get the pattern right before the device becomes locked. New research from Lancaster University, Northwest University in China, and the University of Bath, which benefitted from funding from the Engineering and Physical Sciences Research Council (EPSRC), shows for the first time that attackers can crack Pattern Lock reliably within five attempts by using video and computer vision algorithm software. By covertly videoing the owner drawing their Pattern Lock shape to unlock their device, while enjoying a coffee in a busy cafe; for example, the attacker, who is pretending to play with their phone, can then use software to quickly track the owner's fingertip movements relative to the position of the device. Within seconds the algorithm produces a small number of candidate patterns to access the Android phone or tablet.
This discussion has been archived. No new comments can be posted.

Android Device's Pattern Lock Can Be Cracked Within Five Attempts, Researchers Show

Comments Filter:
  • by Anonymous Coward on Monday January 23, 2017 @11:42AM (#53721101)

    You can break it?

    WOW!!!! Computers are so smart!!!

    • by tripleevenfall ( 1990004 ) on Monday January 23, 2017 @11:47AM (#53721143)

      Breaking: iPhones have a zero-day vulnerability that involves you watching someone enter their password. No ETA on a fix.

      • by AmiMoJo ( 196126 ) on Monday January 23, 2017 @01:18PM (#53721873) Homepage Journal

        There is actually a fix for that, at least on Android. For years now you have been able to get lockscreen apps that simply randomize the position of the numbers on the PIN entry pad. It doesn't matter if someone sees your finger movements because unless they can also see the text on the screen they still won't know what your pin is. Same with smudge attacks.

        Does iOS allow you to do this? If not then, joking aside, I would consider it a vulnerability.

    • Great, does this mean that some nutter is going to shoot out the video cameras before ordering coffee? At least he won't have a lineup to wait in...

    • I can do even better than their five attempts. Given nothing more than a couple of hard, pipe-hittin niggas with a pair of pliers and a blowtorch, I bet I can get any phone unlocked the first time what's left of the the owner is asked to do it.
    • Oh, I SEE! They keep using programmers were you need mathematicians! I really thought security and cryptography were one of those tight disciplines, you know, no matter how much you want to innovate, it all ends up in a saddle point and every move is unnecessary or weakening or counterproductive. Blowfish or Twofish was the last major cryptographic something we invented, right? And all we can do is wait for bigger prime factorizations and that is it... But the boys keep trying... good. I am yet to get my fi
  • by Anonymous Coward

    What's next? Watching over someone's shoulder to snoop a password?

    Can I patent that?

  • by Anonymous Coward

    In other news, Pin numbers and passwords can be cracked by videoing you entering them into your phone.

  • From TFS (Score:5, Insightful)

    by Rik Sweeney ( 471717 ) on Monday January 23, 2017 @11:45AM (#53721125) Homepage

    coffee in a busy cafÃf©

    Come on, guys, it's 2017. Fix this already.

  • Give me a $5 pipe wrench and I can get the pattern out of practically anybody.

  • by 140Mandak262Jamuna ( 970587 ) on Monday January 23, 2017 @11:48AM (#53721149) Journal
    I don't use pattern. If you have the device, hold it at the correct angle and look at the scratches, you can see the pattern. With a little bit of image processing we can even detect the start and end by "fraying" of the pattern and the density of scratches can indicate the middle part of the path.

    If you have high speed camera then even pin can be cracked. People are now taking care to hide the pin in POS terminals and ATM. Soon they will develop ways to screen the screen with a palm or something to thwart video cameras in public setting.

    • On the TV show, "Ransom," the lead genius dusted the phone with a fine powder to reveal the four-digit passcode and then entered the person's birthday.

      It was on TV, so it was real just like, "Scorpion," and "MacGyver."

    • With a little bit of image processing we can even detect the start/quote

      Too hard. I have an easier way, if the person is right handed the start is usually either on the left or the top. Intrinsically people swipe things they don't want to drop towards their hand rather than trying to flick it away.

    • by Alok ( 37687 )

      The biggest issue that is the terminal and inputs are both visible to the public. Maybe future ATMs can just have a VR headset that will only display the screen to the user, and have a virtual keyboard or other randomized unlock mechanism. One problem is making a non-contact headset as it has to be used by multiple people, and dealing with lice issues etc.

  • If you are nervous enough all you have to do is act like you are making contact for a portion of the unlock.
  • by T.E.D. ( 34228 ) on Monday January 23, 2017 @11:49AM (#53721161)

    Why on earth do you need some complex setup involving surveillance equipment (which would defeat most schemes)?

    I have a phone with the "pattern" security. I noticed straighaway that its barely security at all. All you have to do to see the pattern is look at the phone at an oblique angle. Human fingerprints leave oils behind and in the right light the pattern is clear as day. Since that is the most commonly touched area, its really obvious.

    The only "trick" would be figuring out what order its done in. For most people (who aren't smart enough to use a spot twice), that'll take only 2 tries.

    • I can immediately think of a couple of things that can be done to make the pattern lock MORE secure:

      1. Allow the user to move to non-adjacent spots.
      2. Allow the user to double-back along the pattern.
      • Wouldn't work, people wouldn't think to do #2 and doing #1 would make it take longer to unlock your phone. At that point there is no advantage over pin entry.
        • by nigelo ( 30096 )

          I have a V10 that moves the pattern sensor to wherever you first touch the screen, and it's not a problem at all to use, and actually helps to move the grease around on he screen somewhat.

      • The better solution is removable screens. When you want to get into the phone, take the screen out of your pocket, lay it over the phone, and return to your pocket afterwards.

        I'll patent it and go on Shark Tank for funding and awareness and then submit the fucking article to /. for more click bait.

    • by alvinrod ( 889928 ) on Monday January 23, 2017 @12:09PM (#53721315)
      You could improve the security by using different images (say pictures of different types of fruit) instead of just dots, and then changing the location of the images for every login. I know that my unlock pattern is grape > apple > cherry > grape > pear, but the pattern I happen to draw (or just tap on the shapes since there's no requirement to draw) changes every time.

      It's still not fool proof as anyone with a clear view will be able to see the exact images that were used and reproduce it, but it makes it more difficult for an attacker to rely on capturing hand movement and extrapolating the information from there. One could probably even improve on it a little more, perhaps by including useless information to throw off hackers. For example I could enter red square > blue circle > yellow triangle > green rhombus > red triangle, but I know that it's only the colors that matter and the shapes are meaningless data, but even that has limits to how much added security it brings.

      Even then, if someone really wants to get into your device that badly, there isn't any form of security that can't be broken with enough time or resources. I suppose you could implement a one time pad password system if you knew the hardware was completely safe, but woe be unto you should you forget the sequence or where you're at in it, and it still doesn't stop someone from getting the password with their $5 wrench [xkcd.com].
      • Pen Pineapple Apple Pen ... UGHHHH

      • by cdrudge ( 68377 )

        You could improve the security by using different images (say pictures of different types of fruit) instead of just dots, and then changing the location of the images for every login. I know that my unlock pattern is grape > apple > cherry > grape > pear, but the pattern I happen to draw (or just tap on the shapes since there's no requirement to draw) changes every time.

        Or instead of images, how about we show them a series of glyphs. We could use say 0-9 if you wanted a lower number of permutat

  • by Opportunist ( 166417 ) on Monday January 23, 2017 @11:55AM (#53721205)

    What's the big difference between watching someone type a PIN and watching someone smear finger grease all over his phone?

  • New research from my basement shows for the first time that attackers can force a user to reveal their password by beating them up with a hard stick.

    The attack does not depend on the authentication technology or device used. Billions of devices can be cracked within just one or two attempt.
    • This is especially troubling, I wouldn't be surprised if variations on this technique couldn't also be used to acquire a user's secondary authentication device.
      • Thanks for your suggestions. We will start investigating this possibility as soon as our NSF checks get cleared.
  • If the camera system is watching the gestures from the blind side of the phone and making a guess based on the gestures that is can see. IE the camera's vision is occluded by the phone itself but it can see some of the gestures operating the phone and can make a guess from there. Somehow I think this would be more than 5 candidates.
  • During tests, researchers were able to crack all but one of the patterns categorised as complex within the first attempt

    What was the uncrackable pattern? They should release this info so security-minded users can switch over to that one.

  • by LeftCoastThinker ( 4697521 ) on Monday January 23, 2017 @12:17PM (#53721377)

    TLDR: Some dude figures out that video recording someone entering their password lets you figure out the password...

    • Thanks for the fucking spoiler.

      I saw a movie with a similar plot involving credit card skimmers with hidden cameras.

      Formulaic plot.

  • by Anonymous Coward

    BAIT

  • LOL (Score:4, Funny)

    by rebelwarlock ( 1319465 ) on Monday January 23, 2017 @12:33PM (#53721537)
    So after recording someone entering the unlock combination, you still take multiple tries to figure it out?
  • by Khashishi ( 775369 ) on Monday January 23, 2017 @12:35PM (#53721545) Journal

    It's not that the pattern lock is a bad idea for a lock system. It's just that the pattern is too restricted, so the space of patterns is just very small. Give us some options to increase the size of the grid, and allow us to hit a node multiple times in one pattern. Even let us use multiple fingers to do a chordal stroke pattern. There's a lot you can do to greatly increase the entropy without detracting from the simplicity. In my mind, the fact that you can't hit a node multiple times feels LESS simple to me, while also making it much less secure.

    I'm aggravated that it feels like Google is forcing a dumbed down solution to compete with Apple.

  • This is a good argument for the fingerprint unlock. I rarely enter my PIN. Sure there are downsides (somebody could cut off my finger) but it's probably still more secure than a PIN or pattern. If somebody was serious about cutting off my finger, I would unlock the phone for them regardless of what authentication method I might be using. I don't have anything valuable enough to risk injury over. If I did, I wouldn't be unlocking my phone at all somewhere like a coffee shop with horrible physical securi
    • by T.E.D. ( 34228 )

      The only reason I put a lock on the phone at all is that I was trying out Android Pay, and it requires a lock. Since I keep my cards in my phone case, a lock provides me 0 extra security, but whatever.

      I tried out the fingerprint unlock. It is very rare that it unlocks for me on the first try, and not at all uncommon that it fails all tries and forces me to use the passcode. By the time that I've gone through all that, whatever tidbit of info I wanted from opening the phone has long since ceased to be wort

      • That's too bad. I have the iPhone 6S and the unlock works pretty reliably. Doesn't work well for my wife. That being said, it is a good unlock technique for use in public spaces since you don't risk revealing your PIN. Hopefully the technology will improve so it will work for more people. I do Apple Pay the same way you do. Store the chip card with the phone and use the card!
        • by T.E.D. ( 34228 )

          I have family members with iThings that use fingerprint, so I know it works OK there (for some people anyway). So it could be that it just sucks on Android, or (more likely) just sucks on the old Note 5 I have, or sucks just for me.

    • Cut off your finger? No they don't need to do that, unless they want to.

      No, a fingerprint lock is great except it's a lock where you leave the keys everywhere you go. Your prints. It is basically simple to lift prints from anything you have touched, copy them in a suitable manner and material, and boom the device is unlocked.

      So no, they don't need your finger. A lucky one would be to lift your own print off the phone itself and use that to get in. But you touch many other things all day long so it's n

      • This is certainly true, but to pull this off I have to be an *intended* target rather than a target of opportunity. If you are somebody who is worth specifically targeting, you will have much different security needs. And those probably start with having an (armed) bodyguard who will ensure that they never get possession of your device. For ordinary people who might be targets of opportunity, a fingerprint is quite reasonable. Even if you unlock your phone in the coffee shop and throw out your cup, by t
  • And this is why the only reason you would use it is to keep the young kids from being able to play with the phone.
  • ... that allows for licking the lock screen?

    The mouth would cover a large area while the tongue makes hidden movements.

    Hell, people won't eat a bagel that someone else has licked, amiright?

    Less abrasion and the screens could come in strawberry, chocolate, and cherry.

    I will be patenting this idea and appear on Shark Tank for funding and exposure and then I'll be posting the article here on /. for more click bait.

    • There is probably a kink for eating things other people have eaten.

      um

      My unfortunately not imaginary ex-girlfriend, whom facebook insists I really still want to refriend, may have dumped me and moved on, but every guy after me is, well, going after me. I was the first to enjoy eating there.

      I doubt that has discouraged any of the guys she has been with since me.

      This is a bit of a crude example that people regularly DO put their mouths on things other people have had in their mouths. And other places. So I

  • Just hold the phone up to the light and angle it til you see the smear pattern. Usually facial oils make a nice even coating on it leaving a pretty clear smudge pattern of the unlock slime dragging pattern.

    Now to eat lunch!

  • by geekmux ( 1040042 ) on Monday January 23, 2017 @01:18PM (#53721871)

    Shoulder surfing is now considered "cracking"?

    And here I thought we couldn't possibly get any worse than the media ass-raping the definition of "hacker".

    From the book of Captain Obvious, looking at smudges on the fucking phone glass will likely reveal the pattern lock password too.

  • If you can record someone unlocking the phone, then you can unlock it as well. And it seems that it could work with hires photos of finger prints. So, no news!
  • An easy fix might be to steal ideas from a secure pin pad that I used to use. Long before modern RF badges existed, entry to my office was guarded by a devilish PIN pad designed to prevent stealing of PINs in the manner described. There were several things making it secure:

    First - a computer chose my PIN for me. I had to (keep printed PIN in wallet ^H^H^H^H) memorize, I mean memorize !! the ....
    10 digit long PIN...that was a random series of numbers.
    One had to stand immediately in front of keypad to see

  • Just by looking at the cheeto-grease smears on the screen

  • So someone has to video me unlocking my phone, then gain possession of my phone? Seems an unlikely scenario.
  • msmash, you should be ashamed of yourself. This headline comes across as an actual vulnerability, but it's not. At all. Of course if you have line of sight to your target, you can do things like this, just as you can for a numeric pin or password. I'm not even quite sure what the point of this "research" was... Perhaps that with patterns, there is a slightly larger array of observation angles from which an attack can reliably succeed? That's the only thing that I can think of, and if so it's not very

  • If someone (generally meaning someone I don't or shouldn't trust) has my phone, I consider it compromised. Finger smudges are the easiest way to get into a pattern-locked device; this demonstrates that there are others. As JWZ says,

    And if the screen locker is not secure, then it's better to not lock the screen at all: giving the impression of security when there is no actual security is far worse than having no security at all. It's a matter of expectations: if people don't expect to be able to lock their screens, they'll log out. But if they expect to be able to lock their screens and it doesn't actually work, then they're screwed.

    [from https://www.jwz.org/xscreensav... [jwz.org]

    I use pattern lock to stop my phone auto-dialling Aunt Sarah when its in my pocket, not to keep other people out. If I had a flip phone, I wouldn't have a lock screen at all.

  • I can usually get it in two tries...

    A reasonably bright light source and picking up the phone and holding it at an angle can usually show the long smudge trail left by people using one of those lock screens... Z type patterns seem to be the most popular.

    Unless they just finished playing a game of Angry birds or something.... Then you gotta wait :(

  • One of Uri Geller's shitty party tricks was to invite people to draw a shape, looking away while they did it and then guess what they drew. And to the astonishment of all he was right.

    The trick of course was he was looking and had memorized the most common shapes people drew and could give a fair guess. House, boat etc. This seems like a glorified version of that with little use in the real world.

  • Comment removed based on user account deletion

news: gotcha

Working...