The Pattern Lock in Android mobile phones and tablets is used by many consumers as an alternative to PIN codes or text passwords. It works by users drawing a pattern on an on-screen grid of dots -- if this matches the pattern set by the owner the device unlocks. About 40% of Android owners use this pattern lock system to protect their devices.
However, new research from Lancaster University, Northwest University in China and the University of Bath shows that attackers can crack Pattern Lock systems in just five attempts. And the more complicated patterns are, the easier they are to crack.
The attack works by covertly video recording the owner drawing their Pattern Lock shape to unlock the device. The attacker then uses software to quickly track the owner’s fingertip movements relative to the position of the device. Within seconds, the algorithm produces a small number of candidate patterns to access the smartphone or tablet.
Researchers say that the attack works even when the video does not capture any on-screen content -- meaning video can be obtained from much further away (up to two and a half meters) without covert shoulder-surfing.
The team evaluated attacks on Android phones using 120 unique patterns collected from independent users. They were able to crack the Pattern Lock system 95% of the time within five attempts. More complex patterns, which use more lines than dots, were easier to crack because the fingertip algorithm made it easier to narrow down the possible options.
During tests, researchers were able to crack Android devices with complex patterns 87.5% of the time on the first attempt, and 60% of the time for simple patterns on the first attempt.
“Contrary to many people's perception that more complex patterns give better protection, this attack actually makes more complex patterns easier to crack and so they may be more secure using shorter, simpler patterns,” said Guixin Ye, a student at Northwest University who helped in the study.
This form of attack would allow attackers to obtain sensitive information on Android devices or would allow them to install malware quickly while owners were distracted. Given many consumers use the same pattern on multiple devices, this could potentially give attackers access to multiple devices, according to researchers.
So how do you prevent attacks like this from happening? Researchers say fully covering fingers when drawing patterns or changing patterns frequently is a good way to do so. Combining pattern locking with other activities, such as entering a sentence using Swype-like methods, would also make cracking the device much harder.