Schneier on Security
A blog covering security and security technology.
January 6, 2012
Improving the Security of Four-Digit PINs on Cell Phones
The author of this article notices that it's often easy to guess a cell phone PIN because of smudge marks on the screen. Those smudge marks indicate the four PIN digits, so an attacker knows that the PIN is one of 24 possible permutations of those digits.
Then he points out that if your PIN has only three different digits -- 1231, for example -- the PIN can be one of 36 different possibilities.
So it's more secure, although not much more.
Posted on January 6, 2012 at 6:30 AM
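The counting in the post (24 candidates when four distinct digits are smudged, 36 when only three are) generalizes to any number of distinct smudges. The following is an added example, not part of the original post or the article it summarizes; it enumerates the PINs consistent with a set of smudged digits, derives the same counts by inclusion-exclusion, and checks that the cases add up to the full 10,000-PIN space. The function names and the sample smudge sets are my own.

```python
from itertools import product, permutations
from math import comb

PIN_LENGTH = 4  # four-digit PIN, as in the post


def candidate_pins(smudged_digits, length=PIN_LENGTH):
    """All PINs of the given length that use every smudged digit at least
    once and no other digit. A smudge reveals that a key was pressed, but
    not how often or in what order, so a digit may repeat."""
    digits = set(smudged_digits)
    return sorted(
        "".join(p)
        for p in product(sorted(digits), repeat=length)
        if set(p) == digits
    )


def count_candidates(k, length=PIN_LENGTH):
    """Number of candidate PINs when k distinct digits are smudged.

    This is the number of surjections from `length` positions onto k
    digits, computed by inclusion-exclusion:
        sum_i (-1)^i * C(k, i) * (k - i)^length
    For k = 4 this gives 24 (= 4!), for k = 3 it gives 36."""
    return sum((-1) ** i * comb(k, i) * (k - i) ** length for i in range(k + 1))


def candidates_known_multiset(pin):
    """Candidates if the attacker somehow also knew *which* digit repeats
    and how often (i.e. the exact multiset of the PIN). This is the
    smaller figure the owner sees; the attacker, from smudges alone,
    cannot assume it."""
    return sorted(set("".join(p) for p in permutations(pin)))


def total_over_smudge_patterns(length=PIN_LENGTH, alphabet=10):
    """Sanity check: summing the candidate count over every possible set
    of smudged digits must recover the whole alphabet^length PIN space."""
    return sum(comb(alphabet, k) * count_candidates(k, length) for k in range(1, length + 1))


if __name__ == "__main__":
    # Constructed smudge sets, not taken from any real device.
    for smudges in ("1234", "123", "12", "1"):
        cands = candidate_pins(smudges)
        print(f"{len(smudges)} distinct smudges -> {len(cands):3d} candidate PINs, "
              f"formula says {count_candidates(len(smudges))}")
    print("owner's view for 1231 (repeat known):", len(candidates_known_multiset("1231")))
    print("all patterns together:", total_over_smudge_patterns())
```

The useful observation for a defender is the 36-versus-24 gap: a repeated digit helps only because the attacker does not know which of the three visible digits is repeated. Once that is known (the `candidates_known_multiset` case) the space shrinks to 12, which is why the comments that count from the owner's point of view arrive at a smaller number. The sanity-check function confirms the four cases partition the full space of 10,000 PINs.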
Or you can touch all of the numbers and just delete the wrong ones fairly regularly.
Alternatively, when the length isn't constrained, you can also choose a really long PIN, preferably one which contains every digit. The one on my tablet is roughly 20 digits long. And no, it's not a keyboard run of any sort.
A much more secure option, apart from not sticking to a 4 digit PIN code, would be to randomize the location of the digits upon entering - basically changing the layout of the keypad whenever a PIN has to be entered.
Best solution to this I've seen is to change the position of the numbers every time. Takes a second longer to enter a 4 digit pin but it's still faster than a longer pin.
Another solution is to get in the habit of simply wiping your screen on your shirt/pants/etc. This clears any smudges I've ever had on my screen.
If there are 0-9 (10 choices of digits) and you know each one is used in a string of four, then there are
10x9x8x7x (4!) combinations? Sorry if I have this wrong though.
My phone will wipe itself after I think 8 incorrect passcode attempts, and will introduce a delay after several incorrect attempts, to discourage guessing like this. Of course if someone gets the passcode within 8 attempts, we're back to square one...
whoops. Sorry. I had misunderstood! Yep you're right.
What they need to do, is show the keyboard scramble every time, like some banking sites with screen keyboard do. Then there is no smudge attack possible!
The Android 'unlock pattern' mechanism is, if anything, even worse. It makes a very clear smudge mark on your screen, and later taps while using the phone are less likely to obscure it. I try to make my pattern overlap and go back on itself but it would only take a smart person a few tries to figure it out.
This type of security issue is made worse by the fact that your hands are dirtiest when you start using the phone.
Or just play Words with Friends on your phone regularly to cover your screen in smudges...
Also, everyone should have their phone sim-locked. Mine is 8 numeric digits, and only required when I lock my phone (not just the screen), or restart/reboot.
A similar concern I have is the swipe marks from the pattern unlock code on Android. Rather than individual touches the phone is unlocked by having a pattern of swipes between the 9 nodes, no node can be revisited, and some are not accessible because you would have to cross other nodes to get there. But there is no length limit so a swipe could cover all 9 nodes.
Crossings are an advantage as these help to mask previous parts of the swipe to make it harder to replicate.
@Stupid Security Questions, Android allows for pattern, pin, or password screen locks (in addition to none). Just because most people like drawing patterns to unlock their phone doesn't mean you have to choose drawing, too.
& "dirty fingers" is spurious.
The iPhone has an option to wipe after 10 incorrect attempts, which negates this sort of thing pretty well.
I'm very dubious about this... have there been any experiments on 'smudge detection' for PINs? What %age of the time will all 4 digits be detected? Methinks rather low.
@Rhys: While there are 10,000 available combinations on the iPhone, there is a high level of predictability based on the smudges on the phone. If you have four highly visible smudges, you are limited to 4! (or 24) PINs. Though the iPhone will wipe itself after 10 invalid tries by default, the probability of guessing the PIN is too high.
If I remember correctly, using a certain digit twice will change the number of probable PINs to 144 (3!^2 * 2!^2), but don't quote me on that.
All you need to do is to change the authentication scheme to Alphanumeric. Introducing letters with numbers will mix that up real good as caps and num require the shift key. So much for smudges reading
And the iPhone will lock itself out for 1 minute after so many tries. Not sure about Android...
I had a cute experiment this week when my 7 yr-old was sure to get my phone unlocked because he knew the digits, but he couldn't figure out the caps.
If the attacker knows the four digits of your four-digit pin are 1, 2, 3 and 4 then there are 24 possible combinations:
If your four-digit pin contains a duplicate number (1, 2, 3 and 1) then there are only 18 unique permutations:
So unless I've overlooked something obvious this would seem to be less secure (I'm confident 18 is less than 36).
Jarin: from the fingerprints alone, the thief doesn't know which digit is duplicated in the PIN.
@Jarin: The issue is that the attacker doesn't know *which* of the three numbers is duplicate. As the owner, you know the '1' is duplicated, so you are restricted to the 18 combinations you indicate.
However, the attacker cannot make that assumption and also needs to try combinations where the '2' or '3' is the duplicate digit. Thus the higher number of guesses they must try...
The iPhone also can wipe your phone after a configurable number of wrong pins, mine is set to 3.
I'm surprised that they don't randomize the locations of the numbers as a standard.
We did that roughly 18 years ago for VLTs, and I think it was standard at the time.
Don't forget, too, that many people reduce their PIN security by setting their phone to require one every time they take it out of their pocket. That dramatically increases the possibility that a prospective thief will see them enter the PIN, defeating any other attempts to increase complexity.
@Nate True: That's a tradeoff - requiring the pin every time you take the phone out of your pocket also increases the chance that someone who finds/steals the phone must provide a PIN before doing anything else, instead of being "already unlocked" when they get the phone.
I rely on the screen-cleaning feature of my jeans' back pockets. A short walk and the phone screen is wiped clean.
I don't know about you, but on my phone the smudges from games are way more prominent and completely obscure any smudges from the PIN.
It really doesn't matter because most forensic tools can bypass any PIN within a few minutes. Android, iOS, etc.
This would require a software mod, but what if you have a lockout code that is permutations of your code? Hit a random number and it ignores you (with maybe a delay between attempts or a screaming alarm). Hit your PIN code and it unlocks. Hit the numbers of your PIN code but in the wrong order and it hard locks.
Several comments noted that the phone can be wiped after N incorrect attempts. That's fine, so long as the person attempting access steals the phone. If they have continuing access, e.g., it's sitting on your desk, then they just try a couple entries and wait till you've gone through an unlock/lock cycle. I'm pretty sure the iPhone doesn't have a "there were N failed login attempts" screen, which is another feature that's existed in various systems for at least thirty years.
Phones with keypads are not subject to this form of attack.
If the smudges are visible, then they impair my use of the phone, and I wipe them off.
If the smudges are not visible, there's no real problem.
I tend to wipe my screen off before putting it away anyway. The window of opportunity to attack the phone is during the time I'm using it.
It's always possible to pull the battery, put the phone into download mode, and copy all the data off anyway. Or open it up and use the JTAG header.
Passcodes, like locks, stop casual attackers. Dedicated attackers will get your (unencrypted) data.
This is one reason I like the fingerprint reader on my phone. I was disappointed when I found out the next version of the phone would not have it.
I don't even lock my phone; there is nothing on it but my contact list and a few games. I think the bigger security issue is why would anyone be running around with sensitive information on any device if that information can only be protected by a 4 digit PIN. Seems like bad security practice.
The issue isn't only smudges. Screens do develop wear. I'd imagine that if the phone is more than six months old it is trivial to detect which parts of the screen (digits) have shown the most wear. That wouldn't necessarily correspond to the PIN but it would be a good place for a hacker to start.
Phones with keypads, just like any other keypad entry device (keys are physical v. touch screen) are subject to this attack, too. Keypads wear (worse than glass).
Once a phone is unlocked, the user typically does a lot of other things on the touch screen. As a side effect, "smudges" are obscured. In some corner cases, for example when the screen is relatively clean, and the user unlocks it, and then leaves the screen untouched, then this becomes an "issue".
@Harry: "Phones with keypads are not subject to this form of attack."
There were some articles a few months ago, where the heat left on ATM keys was enough for thermal scanning to see which keys had been pressed.
So it's a slightly different method, but keypads are indeed subject to this attack. (Also, if you use the same PIN for a long enough time, the physical keys will show extra wear.)
It's not just the information on your phone that you might want to protect; it's also the phone service you pay for. In other words: Someone might steal your phone and then spend the next hour using it on a phone sex 900-number before tossing it in a dumpster, and you could get stuck with the bill. Having to buy a new phone is bad enough.
A 4-digit PIN, while useless against any serious attacker, will at least prevent casual/stupid criminals from using your stolen phone to make free long-distance calls or download gigabytes of data to their laptop.
ATMs should be like a telephone booth, but made of bulletproof glass and when you enter into the booth the booth lights up while a protective dark covering slides down each side, shielding the keypad, your fingers, and you from outside influences (thieves).
ATMs should have internal audits run on random schedules which scan for foreign add-ons, like skimmers, both in code and a staffed individual who is trained in what to look for: mini cameras, skimmers, etc.
The unlock PIN or pattern is not to keep adversaries from your precious angry birds record, it's to stop you from butt dialing people! This type of authentication is easily defeated by my two year old, btw.
Now, if I mumble secrets while my tush is having a conversation with my in laws, I suppose this could be a useful security measure.
There is the "myth" of "wiping" to remove finger prints etc of "glossy" surfaces.
Most people don't do it anywhere near effectively enough to even get close to ensuring the combined skin grease and proteins are removed.
To see this, turn your phone off and do your usual quick wipe, then put your fingers down in a simple pattern like the five on a dice. Then tip your phone through the light with your eye line to the light source nearly parallel with the screen. Have a look and see if you can see the finger marks. Some people will see them easily, some won't; it depends a lot on how clean and cold your hands are or not, as to how much of a mark you leave on the screen. The worst finger marks are usually left after eating food with your fingers (lunch on the go etc.) which just happens to coincide with the time you are most likely to take your eye off your phone.
If you have a nice set of visible dabs on the screen, try your usual "wipe" again and then have a look through the light again. A lot of people are very surprised at just how much of the dab pattern is still visible.
There are also ways of improving the contrast of the dab pattern quite easily: just a gentle breath onto the screen is sometimes all that is needed, or, much more messy and somewhat obvious, the use of a very fine freshly dried powder such as "talc" or "cornflour" or, if you have it handy, very very fine aluminium powder (fingerprint powder/dust) to stick to the residual grease from the dab pattern. Likewise there are various reagents that are liquid based that will stick to the protein content and will fluoresce under an appropriate light source.
What you often see after a simple wipe is the dabs turned into streaks with the beginning and end quite distinguishable...
Even if the wipe is more complex it is still often possible to have sufficient clues to make a reliable guess...
Didn't we have this discussion a few years ago on ittoolbox, the Security Monkey blog, about the iPhone? Don't remember what story, but Chief guessed the PIN on an iPhone; I think it belonged to Inez. Hop over and check it out, where he suggests using a scramble keypad.
@Fred P: "I'm surprised that they don't randomize the locations of the numbers as a standard."
It's not so that engineers wouldn't think of those things... security just isn't their only (or even primary) concern.
Unlocking a phone without the pin is not hard without the pin or any smudge marks. They are not trying to steal phone calls here... just get a free phone or something they can move for a 100US or so.
The PIN is there not to keep dedicated hackers from stealing personal information. It is there to keep your friends from posting messages to your facebook or calling your ex when on a night out (after changing her name to "mum" and handing you the phone with the qualifier "your mum is calling", obviously).
The wipe after n wrong attempts is so damn stupid I am not even sure what to say about that. I will however start entering random PINs on every iPhone I get my hands on just to fuck with people. That is an even better prank than posting giant penises on their facebook wall.
If you have sensitive data on your phone, use encryption and a secure passphrase, there is no other way. Now, if your phone does have full-disk encryption, you have a pretty good reason for wanting your PIN to be secure as well, so then you should change that to a secure passphrase, it would be a complete usability nightmare though.
Here's an interesting idea: http://whispersys.com/screenlock.html
Enter the PIN using number keys arranged in a single column, followed by a vertical swipe. The swipe wipes out any smudges produced by entering the PIN.
Try a PIN with more than 4 digits, e.g. 6 or 8 digits, so it will take longer for the thieves to get it.