Warning to Android owners who use the Pattern Lock system: your device can still be compromised. That’s according to new research from Lancaster University, Northwest University in China, and the University of Bath.
According to an article at PHYS.org, researchers found that attackers can crack Pattern Lock within five attempts by using video and computer vision algorithm software. From the article:
By covertly videoing the owner drawing their Pattern Lock shape to unlock their device, while enjoying a coffee in a busy café, for example, the attacker, who is pretending to play with their phone, can then use software to quickly track the owner’s fingertip movements relative to the position of the device. Within seconds the algorithm produces a small number of candidate patterns to access the Android phone or tablet. The attack works even without the video footage being able to see any of the on-screen content, and regardless of the size of the screen. Results are accurate on video recorded on a mobile phone from up to two and a half meters away – and so attacks are more covert than shoulder-surfing. It also works reliably with footage recorded on a digital SLR camera at distances up to nine meters away.
According to the report, researchers used 120 unique patterns they assembled from independent users and could crack more than 95% of those patterns within five attempts. From the article:
Complex patterns, which use more lines between dots, are used by many to make it harder for observers to replicate. However, researchers found that these complex shapes were easier to crack because they help the fingertip algorithm to narrow down the possible options. During tests, researchers were able to crack all but one of the patterns categorized as complex within the first attempt. They were able to successfully crack 87.5% of median complex patterns and 60 per cent of simple patterns with the first attempt.
While the findings are certainly cause for concern, there are things users can do to protect their information. For starters:
- Since you can’t fully rely on pattern locks to secure your information, choose the information you input carefully. If the information is highly sensitive, you shouldn’t transmit it with a phone.
- Users who are particularly concerned should cover their fingers when drawing their pattern on the screen, just as some choose to cover their typing when entering a PIN into a card reader at a checkout counter.
From there, the broader security best practices for smartphones still apply. As Naked Security’s Paul Ducklin wrote, users should ask themselves:
- Q1. Which security settings are suitable for me?
- Q2. How do I configure them?
- Q3. How do I check that my settings are correct?
From there, you need to know how to make wise choices about what we call “The Three Ls”:
- Your lock screen. How quickly to blank the screen? How quickly to lock the door behind you?
- Lock code choices. PIN or password? Four digits or 14 characters? Encryption or not?
- Location choices. Always on? Always off? Use on special occasions?
Even if you aren’t worried about your secret pattern being sniffed out, Ducklin said it’s worth moving away from Pattern Lock anyway. At least on older Android versions, which the majority of users still have, you can’t turn on device encryption unless you switch to locking your device with a PIN or a passcode. He said:
An encrypted device makes it much harder for a crook who finds a lost phone (or steals it in the first place) from connecting up via USB and snooping through your Android data, because everything written to the device is automatically encrypted. Just make sure you follow the advice from our How to Pick a Proper Password video and go as long and complex as you can when you choose your PIN or passcode. It makes unlocking your phone a tiny bit less convenient for you, but in return makes it way less convenient for a crook with access to your phone to plunder your digital life.
For broader, more general insight into smartphone security, we recommend a look at 10 tips for securing your smartphone.