Regularities in Android Lock Patterns

Interesting:

Marte Løge, a 2015 graduate of the Norwegian University of Science and Technology, recently collected and analyzed almost 4,000 ALPs as part of her master's thesis. She found that a large percentage of them­ -- 44 percent­ -- started in the top left-most node of the screen. A full 77 percent of them started in one of the four corners. The average number of nodes was about five, meaning there were fewer than 9,000 possible pattern combinations. A significant percentage of patterns had just four nodes, shrinking the pool of available combinations to 1,624. More often than not, patterns moved from left to right and top to bottom, another factor that makes guessing easier.

EDITED TO ADD (9/10): Similar research on this sort of thing.

Posted on August 26, 2015 at 6:24 AM • 23 Comments

Comments

Shawn McMahonAugust 26, 2015 7:06 AM

The third paragraph of the paper justifies its existence, but the real answer is Master's Thesis. You don't have to be on the cutting edge for that, just advancing the field in some small way.

BooAugust 26, 2015 8:23 AM

I really like the idea of the randomized layout of numbers when entering a PIN on an Android ....if somebody is able to look for fingerprints to determine the most likely component digits, they are gonna get a tougher time. Still possible to brute force the pin code though if you have a USB Rubber Ducky and some time ..... I've been looking at one POSSIBLE solution that involves downloading an app from FDROID, whereby after 10 incorrect guesses, the device shuts down.

TimHAugust 26, 2015 9:14 AM

@Boo Some of my longer passwords are really keypress shapes that I remember, not actual keys, so a morphing key layout would kill me.

kevinAugust 26, 2015 9:26 AM

@TimH You mean you cannot use the same password you use in other places? That sounds terrible.

WinterAugust 26, 2015 9:34 AM

"The average number of nodes was about five, meaning there were fewer than 9,000 possible pattern combinations."

You have to type the patterns. At 1 second per try, that would be around 1 hour and 20 minutes of attempts (on average). Provided, you keep track of what you have already tried (doubles the time).

I see a market for robot arm machines to try out all the patterns.

blakeAugust 26, 2015 10:20 AM

@Winter

> I see a market for robot arm machines to try out all the patterns.

At that point it's just easier to go after the cell tower, or the wifi connection, or the unencrypted texts, or any old other webpage exploit, depending on what you want. If you have hours of physical access to a target phone and *just have* to get your hands on data that is on the phone but never been transmitted, then you probably have some friends who can plug a thing into the USB and just take care of that for you, locked phone or not.

What's new?August 26, 2015 11:30 AM

Anyone familiar with those five-button Simplex Locks?

These are still used to secure labs, supplies rooms, computer centers, fast food employee entrances, etc.

Thirty years ago, when I was an undergraduate student, these weren't considered very secure, and one would compute tables combinations in order of decreasing probability. The few combinations I knew were high in the list.

We weren't the only ones to notice.

ArclightAugust 26, 2015 1:33 PM

If an adversary has physical posession of the encrypted device, isn't the standard procedure to just image the flash and/or SD card and run a purpose-built brute forcing app against the data?

The SD is easy to get to, and flash chips usually have JTAG access.

Is this not done?

Arclight

'Name'August 26, 2015 2:29 PM

I may be wrong as it's a while since I looked into it but with mobiles such as the iPhone and Windows Phone (all Android devices are built differently) you can't image the flash because of in-built restrictions thereby rendering brute force useless. I think that, like Apple, no Windows Phone have SD card slots.

With iOS 8+ providing you can use a secure password (16 characters or more for boot) then you're safe. You can then use the Touch ID, for convenience, to unlock at other times. So if the phone was seized when powered down you'd be brute forcing 16 characters and doing that isn't practicable - particularly when they limit the number of attempts by forcing it to be an online attack (i.e. not cracking an image).

ThomasAugust 26, 2015 3:37 PM

Before I upgraded to a dumb-phone my unlock pattern visited all the nodes, that way I could continue and swipe randomly over the screen after unlocking to erase any tell-tale tracks.

DanielAugust 26, 2015 4:55 PM

OFFTOPIC:

I won't be around for Friday's post so I'll post this here instead.

We rarely see real life examples of the famous cartoon below:

http://xkcd.com/538/

however an article on the front page of the NYT notes the following on Page A6 regarding migrants from Syria.

"If you don't give the soldiers your Facebook password, they would beat you, destroy your phone or worse, Mr. Alijasem said.

They want the Facebook password in order to determine the migrant's political position.


Allan HaukeAugust 26, 2015 7:03 PM

Droid Razr M owner here. About a month ago, I changed the swipe pattern after the simple "accidental" act of breathing on the phone's screen and tilting into different light sources. For a few seconds, even in a hot (90's F) & humid (80-95%) atmosphere, the old swipe pattern stood out. The screen was then washed with a soapy damp cloth, rinsed and dried. The pattern still stood out when a deep humid breath was applied. Non-scientific conclusion: "It ain't just your finger grease leaving a pattern on the screen". Just now: Another few dragon-breath attempts produce a different, muddled pattern covering the 9 dot square. However, it still very much stands out from the other standard "poking" locations on the screen.

@Thomas
You state, "..I could continue..". Do you? Every time? Rhetorical question. No need to respond. :)

@Daniel
Excellent XKCD reference.

Cheers!
-Hauke

ArclightAugust 27, 2015 1:54 AM

After reading up on the current state of mobile device forensics, I still stand by my belief that:

1. An adversary with possession of your phone can get to the encrypted data, either through use of a custom boot image or low-level hardware tools. Even purpose-built security hardware like smart cards and cipher machines can have their data retrieved. What we have here is not nearly as robust against hardware tampering. We're talking about mass-marketed consumer device with generic NAND flash.

2. Most real-world, human-usable passphrases, PINs or patterns can be brute-forced once data has been retrieved from flash.

3. It's mostly a moot point anyway, since the data probably went in the clear through a carrier who can and will retain copies of at least the metadata and possibly more.

Arclight

paulAugust 27, 2015 8:44 AM

I'm not an expert, but also not illiterate, and I had no idea that patterns visiting the same node more than once were acceptable to the unlock algorithm. (And no, I don't keep anything serious on my phone.)

ThomasAugust 27, 2015 7:01 PM

@Allan
> ... The screen was then washed with a soapy damp cloth, rinsed and dried.

To properly clean the old wipe pattern off a smartphone I recommend a "linen" cycle at your local laundromat.

> @Thomas
> You state, "..I could continue..". Do you? Every time? Rhetorical question. No need to respond. :)

Yes, it just became part of the unlock muscle-memory.
I eventually acknowledged the futility of hardening the least-likely attack (someone getting physical control of the device and being unable to coerce me into unlocking it for them) while ignoring the obvious OTA attacks.

> @Daniel
> Excellent XKCD reference.

They're _ALL_ excellent!

FranciscoAugust 28, 2015 11:43 AM

I find the dynamic graph feature quite helpful when trying to guess my friends' smartphone's lock pattern.

Memorizing the visual pattern while being blind to the actual numbers makes it possible for a later transcription on a regular keyboard, which allows for a lasting numerical memorization.

I usually get it right, so I think the whole thing is quite conspicuous. I don't have a smartphone so I have no idea if there's a possibility of deactivating this feature.

If people were typing numbers separately on a keyboard I guess it would be a lot more difficult to find out the pattern.

B. D. JohnsonAugust 28, 2015 12:01 PM

The real problem here is people are putting way too much faith in phone's security and totally misunderstanding what it's designed for. If they have possession of your device and the time to try anything even slightly in-depth (like attempts at brute force or attempting to break in via a JTAG or USB) then you've already lost.

If your whole device is encrypted then the odds are good that you don't have to worry about data on your device from a casual theft. I'd be surprised if they even try anything past 1-1-1-1 and 1-2-3-4 before just wiping the thing clean and shipping it out of the country. If it's someone targeting data on your phone specifically then, by the time they get it in their possession, they've probably already planned to take the long road and it's just a matter of time.

Cell phone lock screen and encryption aren't there to provide bulletproof protection from everyone. They will protect against personal snooping (a friend or family member picking up your phone and going through it or using it), a theft of opportunity where they're more interested in reselling the hardware or selling it quickly for someone to use for a short time, and it provide a legally symbolic gesture of protecting the contents of your phone from searches. That's pretty much it.

Amusingly enough, the thing people complain most about cell phone (that people are always checking them and using them in public) is probably the single biggest thing protecting the data on your phone. You notice quickly if it's missing and can act quickly to wipe the phone.

JohnAugust 29, 2015 4:27 PM

If you encrypt the phone, a pattern cannot be used. A passphrase is required - at least on Android 4+.

Or am I missing something.

After having my phone stolen overseas, I started encrypting **every** portable device and having a non-trivial passcode. Currently 6 characters + a Ubikey input to unlock netbook OSes and about 20 characters for the smartphone.

Yes, it sucks, but I sleep well at night.

MarecSeptember 2, 2015 6:32 AM

Few years ago pattern could only go through every number (place) once. Now I have seen patterns that has 15-20 numbers in them. Crazy.

ianfJune 26, 2016 12:48 AM


Haven't read any of here quoted papers, but if there's no mention of the Fitts's Law in the abstract, or the first few paragraphs in each of them, then they're not worth the paper that they're not printed on.

    Speaking of which: decentralized web and all that, but shouldn't we begin the noble task of taking back the web, the road to the contradictorily-named Locked Open Web initiative, by developing an alternative to the concrete-frame-dimensions-dependent (and proprietary) PDF format/ and public domain document generator(s)? Let us remember that Postscript and its offspring PDF really are a fixed physical-side-ratio/size page description technique, developed originally for serial line laser printers, used for previewing expensive phototypeset output, and as such ill-suited for fluid-dimensions screen displays.

    The world would embrace a stand-alone binary/ compressed document format that adapted itself transparently to actual display dimensions, and rendered the content in each reader's default preset typeface and font (size). Something akin to a Responsive Web Design file, only a self-contained such, not dependent on any secondary/ auxilliary elements, apart from target device's resident font files (and, potentially, audio-, wireframe-3D-, and other embedded data renderers).

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.