Warning to Android owners who use the Pattern Lock system: your device can still be compromised. That’s according to new research from Lancaster University, Northwest University in China, and the University of Bath.
According to an article at PHYS.org, researchers found that attackers can crack Pattern Lock within five attempts by using video and computer vision algorithm software. From the article:
By covertly videoing the owner drawing their Pattern Lock shape to unlock their device, while enjoying a coffee in a busy café, for example, the attacker, who is pretending to play with their phone, can then use software to quickly track the owner’s fingertip movements relative to the position of the device. Within seconds the algorithm produces a small number of candidate patterns to access the Android phone or tablet. The attack works even without the video footage being able to see any of the on-screen content, and regardless of the size of the screen. Results are accurate on video recorded on a mobile phone from up to two and a half meters away – and so attacks are more covert than shoulder-surfing. It also works reliably with footage recorded on a digital SLR camera at distances up to nine meters away.
According to the report, researchers used 120 unique patterns they assembled from independent users and could crack more than 95% of those patterns within five attempts. From the article:
Complex patterns, which use more lines between dots, are used by many to make it harder for observers to replicate. However, researchers found that these complex shapes were easier to crack because they help the fingertip algorithm to narrow down the possible options. During tests, researchers were able to crack all but one of the patterns categorized as complex within the first attempt. They were able to successfully crack 87.5% of median complex patterns and 60 per cent of simple patterns with the first attempt.
Defensive measures
While the findings are certainly cause for concern, there are things users can do to protect their information. For starters:
- Since you can’t fully rely on pattern locks to secure the information, choose the information you input carefully. If the information is highly sensitive, you shouldn’t transmit it with a phone.
- Users who are particularly concerned should cover their fingers when painting their pattern on the screen, just as some choose to cover their typing when entering a PIN into a checkout counter card swiper.
- From there, the broader security best practices for smartphones still apply. As Naked Security’s Paul Ducklin wrote, users should ask themselves:
- Q1. Which security settings are suitable for me?
- Q2. How do I configure them?
- Q3. How do I check that my settings are correct?
From there, you need to know how to make wise choices about what we call “The Three Ls”:
- Your lock screen. How quickly to blank the screen? How quickly to lock the door behind you?
- Lock code choices. PIN or password? Four digits or 14 characters? Encryption or not?
- Location choices. Always on? Always off? Use on special occasions?
Even if you aren’t worried about your secret pattern being sniffed out, Ducklin said it’s worth moving away from Pattern Lock anyway. At least on older Android versions, which the majority of users still have, you can’t turn on device encryption unless you switch to locking your device wth a PIN or a passcode. He said:
An encrypted device makes it much harder for a crook who finds a lost phone (or steals it in the first place) from connecting up via USB and snooping through your Android data, because everything written to the device is automatically encrypted. Just make sure you follow the advice from our How to Pick a Proper Password video and go as long and complex as you can when you choose your PIN or passcode. It makes unlocking your phone a tiny bit less convenient for you, but in return makes it way less convenient for a crook with access to your phone to plunder your digital life.
For broader, more general insight into smartphone security, we recommend a look at 10 tips for securing your smartphone.
Ronald van Doorn
On some Android versions you can choose larger grids 4×4 or 6×6.
Jonathon
A while ago, I saw an ad for a new Windows operating system, and one of the features I got excited about was a pattern locker based on a photo. That is, you didn’t have specific points on a limited grid to draw, but you drew on a much more complex background. That is computationally expensive, requiring AI interpretation to handle “near misses”, but seems much more complex and secure than the standard 9-point pattern lock.
You can compromise and lay out a much more dense grid pattern over a photo, and still use discrete grid points to have a valid pattern. So, for instance, instead of drawing a point on each pupil of the eyes of the photo subject, and then drawing a curved line along their smile, you can hit the pattern points nearest the pupils and draw a line along points near the smile. This would require far less computation, and would be nearly as secure.
There are alternate grid patterns available on the Google Play store (a heart shape, for one), but those grids are still pretty limited, making them susceptible to this pattern recording.
Gary
Why would this attack be limited to pattern lock, surely the same logic can be applied to pin lock
AJM
That’s why they need a scramble pad pin entry.
TatMummy
why isn’t this a thing. Why didn’t I think of it.
Chris
Not exactly a security bombshell, surely. In essence all this is saying is if someone watches you enter your unlock pattern, they can probably figure it out.
It’s interesting to see the advances in motion analysis that allows them to figure out what you swiped without needing to see the screen, but honestly anyone who was relying on pattern unlock as a security mechanism was deluding themselves even before this. Pattern lock is a convenient compromise that stops pocket dialling and prevents someone casually picking up your phone and accessing it, but still gives you quick access when you want it. If you really need to secure your mobile device, pattern lock was never a serious option.
Paul Ducklin
This is a storm in a teacup as far as I can see. (It’s annoying that the official link to the paper still describes it as “forthcoming”, so we can’t yet easily get it from the University to see what was tested and how. It also raised my hackles that the phys.org writeup said “[cracked] reliably within five attempts” while also explicitly admitting that the students did *not* manage to crack all of their 120 sample patterns in five goes. I felt more than a whiff of hyperbole there.)
To me, the main reason not to use Pattern Lock is what Bill mentioned in the article: it precludes enabling device encryption.
Most crooks who get hold of stolen phones will IMO not also have carefully-filmed video of the victim unlocking the device with its pattern code. They certainly won’t have the necessary video for phones that wended their way into the underground market through being lost rather than stolen. But crooks don’t really need to fuss around with the lock code if the device isn’t encrypted. In other words, this video attack is only a risk if you are locking your phone in a way that means that the video attack is not necessary in the first place :-)
BTW, for earlier research into Pattern Lock insecurity and guessability, you might like this:
https://nakedsecurity.sophos.com/2015/08/22/surprise-people-choose-predictable-android-lockscreen-patterns/
There has also been some interestingly detailed research done on Microsoft’s once-vaunted “picture passwords”, one of Redmond’s efforts to offer a password-like system that didn’t actually involve typing words or even numbers:
https://nakedsecurity.sophos.com/2013/09/09/windows-picture-passwords-are-they-really-as-easily-crackable-as-everyones-saying/
Bryan
Pattern Lock … precludes enabling device encryption
I’ve got a pattern lock (Android 6) yet was able to encrypt my phone.
I’d assume that switching to a PIN or passcode would be akin to changing a (known) password in many systems–for example no data loss or factory reset required–but this is my first encrypted phone, and hearing the assertion of a pattern lock spurned by encryption is unsettling.
Has there been a change in recent Android versions?
Paul Ducklin
Yes, actually, I think you have that right. Recent Androids ship encrypted (like iPhones), so I guess you can have a pattern lock, or even no password at all, and yet have an encrypted phone.
I’ve made a small edit to clarify that. Thanks for the note…
Paul Ducklin
I *think* that the story with Android “encryption without a PIN or passcode” is that modern Android devices must have what’s called “secure storage”, a special chip (like Apple’s so-called Secure Enclave, a tamper-proof key storage chip that’s part of the fingerprint reader device) where system-generated decryption keys can be stored.
On a device with secure storage, it’s worth pre-encrypting a device with a randomly chosen key because that key can be stored securely on the device iteslf. But on older Android phones without secure storage, you need you to choose a PIN or passcode that can be used to encrypt the system-generated decryption key. Otherwise a crook could just read the decryption key directly out of your phone.
Anyone keen Androiders or #xdadevelopers know if this supposition is correct? AFAIK, all but the most budget Android devices have to have a secure storage chip these days, and are required to be encrypted…
Bryan
more small notes: my phone is new but not bleeding edge…unlocked (Amazon) Moto G4 Play. It was *not* encrypted until I manually encrypted it.
I’d already defined a screen lock pattern which I expected would sooner or later be witnessed–surreptitiously or accidentally– so I was hoping the phone would allow a different one for the more important en/decrypt processes, but my first attempt at a new pattern said “wrong.”
heh–I guess not.
NorthVandea
I’m sorry but what exactly is earth-shattering for security here? Are these researchers seriously concluding that there is a significant flaw in Android because AFTER VIDEO TAPING a user entering their pattern the researchers can then break in with that pattern? Wouldn’t that apply to ANY lock method except fingerprint? If I can get a video of you typing your password, PIN, or pattern, I have a pretty good chance of being able to replicate it. Maybe I’m missing something here but this sounds like a weak “discovery.”
Paul Ducklin
I think their theory is that it’s easier to figure out from a video what your pattern looks like than to figure out your PIN, perhaps even if you can’t clearly see the screen. Presumably that’s because your hand and arm make more obviously different movements for different swipes than the visible difference-from-a-distance between typing ‘2’ or ‘5’. But I agree that this seems very more like a research project curiosity than a real threat. A crook who could video you across the Tube carriage, then pickpocket your phone three stations later and use fancy software to unlock it…would surely just pickpocket your phone at a more opportune moment, before it locked, and then keep it unlocked by using it right away, or steal it and boot into recovery mode :-)
The paper I mentioned in an earlier comment is to my mind more interesting because it tries to quantify the sort of patterns that get chosen even without making a video. For example, IIRC most patterns involve a crossing-point, apparently because people feel it’s “more complex” than picking one at random where the path might just travel around the edge, or something like that.
We know an awful lot about which pass *words* are more likely to be chosen, so we already have password cracking tools that can optimise their guessing order. So even if you want to try AAAAA to ZZZZZ, you don’t have to go AAAAA, AAAAB, AAAAC and so on. You’d probably try PAPA3 before AAAAC, and ASDFG before JDWPL, and thus hugely reduce your average cracking time. For that reason, you used to hear people saying that things like patterns and pictures were “more secure” simply because we didn’t yet know which choices to try first. I think the DEF CON paper tried to figure out if the same sort of biases existed when non-verbal, non-numeric passwords are used…and indeed there were.
prabhanjan naskar
Return original pattern lock