Android Device's Pattern Lock Can Be Cracked Within Five Attempts, Researchers Show (phys.org) 147
The popular Pattern Lock system used to secure millions of Android phones can be cracked within just five attempts -- and more complicated patterns are the easiest to crack, security experts reveal. From a research paper: Pattern Lock is a security measure that protects devices, such as mobile phones or tablets, and which is preferred by many to PIN codes or text passwords. It is used by around 40 percent of Android device owners. In order to access a device's functions and content, users must first draw a pattern on an on-screen grid of dots. If this matches the pattern set by the owner then the device can be used. However, users only have five attempts to get the pattern right before the device becomes locked. New research from Lancaster University, Northwest University in China, and the University of Bath, which benefitted from funding from the Engineering and Physical Sciences Research Council (EPSRC), shows for the first time that attackers can crack Pattern Lock reliably within five attempts by using video and computer vision algorithm software. By covertly videoing the owner drawing their Pattern Lock shape to unlock their device, while enjoying a coffee in a busy cafe; for example, the attacker, who is pretending to play with their phone, can then use software to quickly track the owner's fingertip movements relative to the position of the device. Within seconds the algorithm produces a small number of candidate patterns to access the Android phone or tablet.
So if you watch someone draw the pattern... (Score:5, Insightful)
You can break it?
WOW!!!! Computers are so smart!!!
Re:So if you watch someone draw the pattern... (Score:5, Funny)
Breaking: iPhones have a zero-day vulnerability that involves you watching someone enter their password. No ETA on a fix.
Re:So if you watch someone draw the pattern... (Score:5, Interesting)
There is actually a fix for that, at least on Android. For years now you have been able to get lockscreen apps that simply randomize the position of the numbers on the PIN entry pad. It doesn't matter if someone sees your finger movements because unless they can also see the text on the screen they still won't know what your pin is. Same with smudge attacks.
Does iOS allow you to do this? If not then, joking aside, I would consider it a vulnerability.
Re: (Score:2)
the pattern lock is just pincodes - where you have to select the next number to be next to the previous (in whatever size grid you got).
and there is a fix for that, don't use pattern and use pin.
the article is fucking stupid though, that you can watch someone enter the pattern then lets you deduce the pattern is WILDLY different than cracking it in 5 attempts cold.
Re:So if you watch someone draw the pattern... (Score:5, Informative)
Here's the two biggest problems with fingerprint sensors. Those two are easily beat. Further, a fingerprint can be compelled by law enforcement to unlock phones, where a passphrase cannot.
Re:So if you watch someone draw the pattern... (Score:5, Interesting)
The biggest problem with a passphrase is that entering it every time you get a text message is obnoxious and intolerable from a usability standpoint.
Your solution of turning it off before a possible event is a step in the right direction, but it's not reliable enough. It works ok when you get pulled over ... you have lots of time between the lights flashing and officer at your window. But for a lot of situations you don't have that luxury. For example, if it is lost or stolen it'll still be turned on, or if you are arrested just walking down the street...
Stuff like samsung knox has the potential to be a good middle ground -- a secure container within your phone. So you can fingerprint/ short PIN to access your phone, GPS, SMS and your pay-by-phone parking app, etc but have your documents and pictures and work email still behind a passphrase.
(I'm not sure how good knox is in particular, but the concept at least I think is a good idea.) And I realize for some people even the SMS and parking app they want behind the passphrase because it'll reveal who they talked to or where they parked etc... I get that. Security is always a trade off between convenience and security... for me always passphrase is too obnoxious to use -- I tried it, while only fingerprint or 4-digit PIN is far too weak to protect say, my email (more from thieves than from law enforcement... ) the potential damage a thief could do with my phone is scary.
The only reasonable solution with current phones is to not have much of anything on them. So for example, the email account I have linked to the domain registrations and various other online services and resources I have access to is NOT on my phone. This is frequently inconvenient and a bit ironic -- on the one hand I WANT the notifications of any activity on those accounts immediately notified to me, but the risk of someone getting into my phone (e.g. by observing me enter my PIN, and then stealing it) and being able to take control of those accounts via the linked email and 2FA which is tied to that number... is too great.
Maybe knox type solutions would be a solution... I just haven't actually had the time to try it.
It'd be nice though if various cloud service providers would let you register a separate notification email in addition to the admin email. So that I could receive notifications like 'a user has logged in from a new computer to your account...' on my phone without that email address being the one that can also be used to retrieve/reset login and password credentials.
Re: (Score:2)
That's a neat idea; I presume you are talking about a mail handling rule/filter on my 'secure email' that forwards the messages to my 'regular email'.
It would be a fair bit of work to set up and test and I worry it would be much too brittle -- I mean how often do I reset passwords or login from new computer; and the vendor could change the message template at anytime, resulting in the notifications not coming through, or the wrong ones coming through.
On the other hand, it does suggest an idea... to have it fo
Re: (Score:2)
Your solution of turning it off before a possible event is a step in the right direction, but it's not reliable enough. It works ok when you get pulled over ... you have lots of time between the lights flashing and officer at your window. But for a lot of situations you don't have that luxury. For example, if it is lost or stolen it'll still be turned on, or if you are arrested just walking down the street...
Or if you are grabbed when your phone is open, like Dread Pirate Roberts'.........
Re: (Score:2)
I think the parent post is alluding to the concept of LEO interrogating people's phones for no reason which is BS. His idea of turning the phone off so that the phone requires passphrase and not just fingerprint is a good idea.
Re: (Score:2)
I think the parent post is alluding to the concept of LEO interrogating people's phones for no reason which is BS. His idea of turning the phone off so that the phone requires passphrase and not just fingerprint is a good idea.
Yes, exactly. But that only works if you KNOW you are about to be interacting with LEO. In the event you are pulled over you do, but most other scenarios you don't have that kind of warning.
I mentioned theft etc because that is the other major threat to a phone. The issue for most people is that the risks to them from theft are quite different to the threats from LEO.
A fingerprint with password on reboot is a reasonable deterrent to most thieves getting at your data. But it's not enough for LEO (as they t
Re: (Score:1)
The biggest problem with a passphrase is that entering it every time you get a text message is obnoxious and intolerable from a usability standpoint.
It's never bothered me.
"Man, every time I get a telegram, I have to open the envelope. Intolerable! How do people live under these brutal conditions?"
Re: (Score:2)
It's never bothered me.
How long and complicated is your passphrase? A four digit pin doesn't bother me. A long multiword phrase with punctuation is a lot more painful to enter into a touchscreen keyboard over and over again.
"Man, every time I get a telegram, I have to open the envelope. Intolerable! How do people live under these brutal conditions?"
Ah I see the issue here. You get text messages as often as you get telegrams. If I had to enter my passphrase once every 3 decades it wouldn't bother me either. 200x a day gets pretty tedious -- Hell, if I had to open that many envelopes a day I'd perhaps see the value in owning a letter opener (simplifying th
Re: (Score:3)
The PCB mold with silicone trick doesn't work any more?
Re: (Score:2)
I don't know, but I'm working on configuring my phone to use fingerprints, but perma lock the print sensor and require only a passphrase after 5 bad attempts (so just bounce on it with an unregistered finger if in danger of compromise).
Haven't quite gotten there yet, but trying.
Re: (Score:3)
The PCB mold with silicone trick doesn't work any more?
Yes it works. Moulded gummy bears and even photocopies also work in some cases.
Fingerprint locks are generally trivial to defeat provided there is access to a suitable print to copy. Of course prints are a key people leave everywhere they go. You don't get that with PINs or passwords or passphrases, or metal locks and keys.
Re: (Score:3)
They can be beat, but it's not *easy*. Second, if you reset the phone, or just shut it off, it requires the passcode when it reboots.
The couple times I've been pulled over (speeding and a bad brake light), I've turned my iPhone off before the officer came to my car. Nothing happened and they didn't ask or care about my phone, but it's a good idea anyway.
excellent idea. Insightful and underrated.
Re: (Score:2)
My wife and her brother don't have fingerprints that are good enough for passports or license to carry a weapon [there are other ways to pass muster] or biometric entry into iPhones.
Also, the elasticity of skin decreases with age, so a lot of senior citizens have prints that are difficult to capture. The ridges get thicker; the height between the top of the ridge and the bottom of the furrow gets narrow, so there's less prominence. So if there's any pressure at all [on the scanner], the print just tends to smear.
Re: (Score:2)
Great, does this mean that some nutter is going to shoot out the video cameras before ordering coffee? At least he won't have a lineup to wait in...
Wow, they film the owner unlocking the device (Score:2, Insightful)
What's next? Watching over someone's shoulder to snoop a password?
Can I patent that?
Re: (Score:3)
Yes, and then post it on slashdot, because it's such important news.
Oops! (Score:1)
In other news, Pin numbers and passwords can be cracked by videoing you entering them into your phone.
From TFS (Score:5, Insightful)
coffee in a busy cafÃf©
Come on, guys, it's 2017. Fix this already.
Re: (Score:2)
It WON'T be fixed, thanks to Trolls using Unicode. But thanks for trying.
Re: (Score:2)
Duly notéd.
Re: (Score:2)
Maybé you'ré just incompétént?
Fuck that, I don't need software (Score:1, Insightful)
Give me a $5 pipe wrench and I can get the pattern out of practically anybody.
Scratch patterns too will show the path (Score:5, Interesting)
If you have a high speed camera then even a pin can be cracked. People are now taking care to hide the pin in POS terminals and ATM. Soon they will develop ways to screen the screen with a palm or something to thwart video cameras in a public setting.
Re: (Score:3)
On the TV show, "Ransom," the lead genius dusted the phone with a fine powder to reveal the four-digit passcode and then entered the person's birthday.
It was on TV, so it was real just like, "Scorpion," and "MacGyver."
Re: (Score:2)
With a little bit of image processing we can even detect the start
Too hard. I have an easier way, if the person is right handed the start is usually either on the left or the top. Intrinsically people swipe things they don't want to drop towards their hand rather than trying to flick it away.
Re: (Score:1)
The biggest issue is that the terminal and inputs are both visible to the public. Maybe future ATMs can just have a VR headset that will only display the screen to the user, and have a virtual keyboard or other randomized unlock mechanism. One problem is making a non-contact headset as it has to be used by multiple people, and dealing with lice issues etc.
Re:Scratch patterns too will show the path (Score:4, Funny)
If you leave scratches in your phone just by using it as intended, maybe look into getting a better phone.
Hey, you have to take other possibilities into account. Maybe he's related to Wolverine...
Re: (Score:1)
Or stop using those gloves with sandpaper on the fingertips.
Re: (Score:3)
On my phone there are no obvious scratches, but you could pretty easily guess my passcode by looking at the oil residue from my fingers. Not even that hard - Just angle it a little against the light.
Re: (Score:2)
I get a lot of dots and lines after use, but very few seem to line up with the test pattern grid. It stays readily apparent (at least where I've swiped.)
Just fake some inputs. (Score:1)
Thinking about it too hard (Score:5, Insightful)
Why on earth do you need some complex setup involving surveillance equipment (which would defeat most schemes)?
I have a phone with the "pattern" security. I noticed straightaway that it's barely security at all. All you have to do to see the pattern is look at the phone at an oblique angle. Human fingerprints leave oils behind and in the right light the pattern is clear as day. Since that is the most commonly touched area, it's really obvious.
The only "trick" would be figuring out what order it's done in. For most people (who aren't smart enough to use a spot twice), that'll take only 2 tries.
Re: (Score:2)
1. Allow the user to move to non-adjacent spots.
2. Allow the user to double-back along the pattern.
Re: (Score:3)
I have a V10 that moves the pattern sensor to wherever you first touch the screen, and it's not a problem at all to use, and actually helps to move the grease around on the screen somewhat.
Re: (Score:2)
The better solution is removable screens. When you want to get into the phone, take the screen out of your pocket, lay it over the phone, and return to your pocket afterwards.
I'll patent it and go on Shark Tank for funding and awareness and then submit the fucking article to /. for more click bait.
Re:Thinking about it too hard (Score:5, Interesting)
It's still not fool proof as anyone with a clear view will be able to see the exact images that were used and reproduce it, but it makes it more difficult for an attacker to rely on capturing hand movement and extrapolating the information from there. One could probably even improve on it a little more, perhaps by including useless information to throw off hackers. For example I could enter red square > blue circle > yellow triangle > green rhombus > red triangle, but I know that it's only the colors that matter and the shapes are meaningless data, but even that has limits to how much added security it brings.
Even then, if someone really wants to get into your device that badly, there isn't any form of security that can't be broken with enough time or resources. I suppose you could implement a one time pad password system if you knew the hardware was completely safe, but woe be unto you should you forget the sequence or where you're at in it, and it still doesn't stop someone from getting the password with their $5 wrench [xkcd.com].
Re: (Score:2)
Pen Pineapple Apple Pen ... UGHHHH
Re: (Score:2)
Or instead of images, how about we show them a series of glyphs. We could use say 0-9 if you wanted a lower number of permutat
Re: (Score:2)
Or if you're like me and make frequent use of a Chinese character trainer app on your phone.
Re: (Score:2)
If you are worried about your phone being hacked, just use a dumbphone instead.
No, I'm kinda with you. The only reason I put on a lock screen at all is because Android forced me to in order to try out Android Pay. Yes, this means somebody who steals my phone can now use it to steal money from me (using the process I outlined in the GP). However, my phone case is a wallet case containing my bank cards, so they can do that anyway regardless of any security on the phone.
Given that the cards are already right there anyway, I've yet to be convinced that this Android pay thing is worth put
Doesn't work on PINs for ... what reason again? (Score:3)
What's the big difference between watching someone type a PIN and watching someone smear finger grease all over his phone?
Brute force method (Score:1)
The attack does not depend on the authentication technology or device used. Billions of devices can be cracked within just one or two attempts.
Re:foiled!! (Score:4, Funny)
Steve Jobs would say "you're holding it wrong."
I would be interested if..... (Score:2)
all but what one? (Score:2)
During tests, researchers were able to crack all but one of the patterns categorised as complex within the first attempt
What was the uncrackable pattern? They should release this info so security-minded users can switch over to that one.
Re: (Score:2)
Top left, bottom right, middle bottom, bottom left, middle, middle-right? That's the combination to my ah screw it.
More Non-News (Score:4, Funny)
TLDR: Some dude figures out that video recording someone entering their password lets you figure out the password...
Re: (Score:2)
Thanks for the fucking spoiler.
I saw a movie with a similar plot involving credit card skimmers with hidden cameras.
Formulaic plot.
Click (Score:1)
BAIT
LOL (Score:4, Funny)
too many restrictions on the pattern (Score:4, Insightful)
It's not that the pattern lock is a bad idea for a lock system. It's just that the pattern is too restricted, so the space of patterns is just very small. Give us some options to increase the size of the grid, and allow us to hit a node multiple times in one pattern. Even let us use multiple fingers to do a chordal stroke pattern. There's a lot you can do to greatly increase the entropy without detracting from the simplicity. In my mind, the fact that you can't hit a node multiple times feels LESS simple to me, while also making it much less secure.
I'm aggravated that it feels like Google is forcing a dumbed down solution to compete with Apple.
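To put numbers on the pattern-space point in the comment above, here is an added example (not from the thread or the research paper) that counts every pattern a 3x3 lock accepts and compares it with PINs. It assumes the commonly documented stock rules (4 to 9 dots, no dot reused, a stroke may pass over a dot only if that dot is already used); `relaxed_count` is a hypothetical model of the "hit a node multiple times" suggestion.

```python
import math
from itertools import product


def android_pattern_counts(n=3, min_len=4, max_len=9):
    """Count patterns per length on an n x n grid under the assumed stock rules:
    no dot reused, and a stroke may pass over a dot only if it is already used."""
    dots = list(product(range(n), range(n)))

    def between(a, b):
        # Dots lying strictly between a and b on the straight segment a -> b.
        dr, dc = b[0] - a[0], b[1] - a[1]
        g = math.gcd(abs(dr), abs(dc))
        return [(a[0] + dr // g * k, a[1] + dc // g * k) for k in range(1, g)]

    skipped = {(a, b): between(a, b) for a in dots for b in dots if a != b}
    counts = dict.fromkeys(range(min_len, max_len + 1), 0)

    def dfs(last, used, length):
        if length >= min_len:
            counts[length] += 1
        if length == max_len:
            return
        for nxt in dots:
            if nxt not in used and all(m in used for m in skipped[(last, nxt)]):
                used.add(nxt)
                dfs(nxt, used, length + 1)
                used.remove(nxt)

    for start in dots:
        dfs(start, {start}, 1)
    return counts


def relaxed_count(n_dots=9, min_len=4, max_len=9):
    """Hypothetical relaxed rule: any dot may follow any other dot and dots may
    be revisited; only touching the same dot twice in a row is excluded."""
    return sum(n_dots * (n_dots - 1) ** (length - 1)
               for length in range(min_len, max_len + 1))


def bits(space_size):
    """Upper bound on entropy, reached only if every choice is equally likely."""
    return math.log2(space_size)


def comparison():
    """Return {scheme: (number of secrets, bits)} for the schemes discussed."""
    sizes = {
        "3x3 pattern, stock rules": sum(android_pattern_counts().values()),
        "3x3 pattern, relaxed (hypothetical)": relaxed_count(),
        "4-digit PIN": 10 ** 4,
        "6-digit PIN": 10 ** 6,
    }
    return {name: (size, round(bits(size), 2)) for name, size in sizes.items()}


if __name__ == "__main__":
    for name, (size, b) in comparison().items():
        print(f"{name:38s} {size:>12,d}  {b:5.2f} bits")
```

These figures are upper bounds that assume uniformly random choices, and none of them changes what an observer learns from watching or filming a single entry.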
Re: (Score:2)
This is one of the best responses on this whole thread. Unfortunately, no mod points today.
Fingerprint Unlock (Score:2)
Re: (Score:2)
The only reason I put a lock on the phone at all is that I was trying out Android Pay, and it requires a lock. Since I keep my cards in my phone case, a lock provides me 0 extra security, but whatever.
I tried out the fingerprint unlock. It is very rare that it unlocks for me on the first try, and not at all uncommon that it fails all tries and forces me to use the passcode. By the time that I've gone through all that, whatever tidbit of info I wanted from opening the phone has long since ceased to be wort
Re: (Score:2)
I have family members with iThings that use fingerprint, so I know it works OK there (for some people anyway). So it could be that it just sucks on Android, or (more likely) just sucks on the old Note 5 I have, or sucks just for me.
Re: (Score:2)
Cut off your finger? No they don't need to do that, unless they want to.
No, a fingerprint lock is great except it's a lock where you leave the keys everywhere you go. Your prints. It is basically simple to lift prints from anything you have touched, copy them in a suitable manner and material, and boom the device is unlocked.
So no, they don't need your finger. A lucky one would be to lift your own print off the phone itself and use that to get in. But you touch many other things all day long so it's n
False security (Score:1)
How about a new technology ... (Score:2)
... that allows for licking the lock screen?
The mouth would cover a large area while the tongue makes hidden movements.
Hell, people won't eat a bagel that someone else has licked, amiright?
Less abrasion and the screens could come in strawberry, chocolate, and cherry.
I will be patenting this idea and appear on Shark Tank for funding and exposure and then I'll be posting the article here on /. for more click bait.
Re: (Score:2)
There is probably a kink for eating things other people have eaten.
um
My unfortunately not imaginary ex-girlfriend, whom facebook insists I really still want to refriend, may have dumped me and moved on, but every guy after me is, well, going after me. I was the first to enjoy eating there.
I doubt that has discouraged any of the guys she has been with since me.
This is a bit of a crude example that people regularly DO put their mouths on things other people have had in their mouths. And other places. So I
Re: (Score:2)
It's a shame (for him) science didn't support him and a shame for the hungry who don't bother with science.
Easier than that. (Score:2)
Just hold the phone up to the light and angle it til you see the smear pattern. Usually facial oils make a nice even coating on it leaving a pretty clear smudge pattern of the unlock slime dragging pattern.
Now to eat lunch!
Captain Obvious is a cracking expert. (Score:3)
Shoulder surfing is now considered "cracking"?
And here I thought we couldn't possibly get any worse than the media ass-raping the definition of "hacker".
From the book of Captain Obvious, looking at smudges on the fucking phone glass will likely reveal the pattern lock password too.
Also pin and voice pattern (Score:2)
Easy fix - Reminds me of secure pinpad (Score:2)
An easy fix might be to steal ideas from a secure pin pad that I used to use. Long before modern RF badges existed, entry to my office was guarded by a devilish PIN pad designed to prevent stealing of PINs in the manner described. There were several things making it secure:
First - a computer chose my PIN for me. I had to (keep printed PIN in wallet ^H^H^H^H) memorize, I mean memorize !! the ....
10 digit long PIN...that was a random series of numbers.
One had to stand immediately in front of keypad to see
I can do it in one (Score:1)
Just by looking at the cheeto-grease smears on the screen
unlikely scenario (Score:1)
Extremely misleading headline (Score:2)
msmash, you should be ashamed of yourself. This headline comes across as an actual vulnerability, but it's not. At all. Of course if you have line of sight to your target, you can do things like this, just as you can for a numeric pin or password. I'm not even quite sure what the point of this "research" was... Perhaps that with patterns, there is a slightly larger array of observation angles from which an attack can reliably succeed? That's the only thing that I can think of, and if so it's not very
Security theatre (Score:2)
If someone (generally meaning someone I don't or shouldn't trust) has my phone, I consider it compromised. Finger smudges are the easiest way to get into a pattern-locked device; this demonstrates that there are others. As JWZ says,
And if the screen locker is not secure, then it's better to not lock the screen at all: giving the impression of security when there is no actual security is far worse than having no security at all. It's a matter of expectations: if people don't expect to be able to lock their screens, they'll log out. But if they expect to be able to lock their screens and it doesn't actually work, then they're screwed.
[from https://www.jwz.org/xscreensav... [jwz.org]
I use pattern lock to stop my phone auto-dialling Aunt Sarah when it's in my pocket, not to keep other people out. If I had a flip phone, I wouldn't have a lock screen at all.
That seems over complicated... (Score:2)
I can usually get it in two tries...
A reasonably bright light source and picking up the phone and holding it at an angle can usually show the long smudge trail left by people using one of those lock screens... Z type patterns seem to be the most popular.
Unless they just finished playing a game of Angry birds or something.... Then you gotta wait :(
The Uri Geller approach to hacking (Score:2)
The trick of course was he was looking and had memorized the most common shapes people drew and could give a fair guess. House, boat etc. This seems like a glorified version of that with little use in the real world.
Re: (Score:2)
I have bad news for you.
Your four year old is Russian.