Capturing Pattern-Lock Authentication

Interesting research -- "Cracking Android Pattern Lock in Five Attempts":

Abstract: Pattern lock is widely used as a mechanism for authentication and authorization on Android devices. In this paper, we demonstrate a novel video-based attack to reconstruct Android lock patterns from video footage filmed u sing a mobile phone camera. Unlike prior attacks on pattern lock, our approach does not require the video to capture any content displayed on the screen. Instead, we employ a computer vision algorithm to track the fingertip movements to infer the pattern. Using the geometry information extracted from the tracked fingertip motions, our approach is able to accurately identify a small number of (often one) candidate patterns to be tested by an adversary. We thoroughly evaluated our approach using 120 unique patterns collected from 215 independent users, by applying it to reconstruct patterns from video footage filmed using smartphone cameras. Experimental results show that our approach can break over 95% of the patterns in five attempts before the device is automatically locked by the Android system. We discovered that, in contrast to many people's belief, complex patterns do not offer stronger protection under our attacking scenarios. This is demonstrated by the fact that we are able to break all but one complex patterns (with a 97.5% success rate) as opposed to 60% of the simple patterns in the first attempt. Since our threat model is common in day-to-day lives, our work calls for the community to revisit the risks of using Android pattern lock to protect sensitive information.

News article.

Posted on January 25, 2017 at 6:18 AM • 10 Comments


rJanuary 25, 2017 7:27 AM

I wonder what information swype/google keyboards have for spelling issues akin to what @Clive mentioned in AES/A[r]S next door.

Those are patterns too!

rJanuary 25, 2017 9:03 AM

Wasn't this defeated years ago with a randomized keypad display?

... So pattern is insecure ... change the points to numbers and randomize them

jay_BJanuary 25, 2017 9:38 AM

No surprise here. Pattern locks were never intended to stop this type of attack, they are literally named after patterns, which are easy to replicate, and to remember when seen even once. They are there for lost phones, which is a much larger problem.

Still interesting to see the research, thanks.

GeorgeJanuary 25, 2017 9:40 AM

This seems so obvious--I had assumed this was already a fait d'compli. The very idea of a pattern password is ridiculous, at least without secondary authentication.

webJanuary 25, 2017 9:48 AM

Excellent research in its thoroughness, even if it is a known issue. I wonder what the results would be when using a complex pattern that ignores one of the border rows or columns.

JeffPJanuary 25, 2017 10:15 AM

I recall a related comment, years ago, on the Risks Forum by Peter G. Neumann. The statement was musicians could guess passwords by watching finger movements on the keyboard, without seeing the keys. The rational was they frequently learn from other musicians by, surprise, watching finger movements. Pianists may have been specifically mentioned, but my memory fails me.

Fred PJanuary 25, 2017 3:10 PM

@JeffP - In section VI subsection F, of the referenced paper, they describe trying to replicate this with eyes. Within 5 attempts, they get 11.7% success for complex patterns, 38.2% for 'median' patterns, and 48.3% for simple patterns.

faJanuary 25, 2017 3:19 PM


Grossly pedantic remark: the correct French is 'fait accompli' (accomplished fact).
Otherwise, agreed 100% !

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.