Your smartphone’s unlock pattern or PIN can be easily cracked
Locking your smartphone or tablet when not in use is a great idea, but you should be aware that shoulder-surfing individuals can easily discover the PIN or pattern you use to unlock your device.
In fact, the would-be attacker doesn’t even have to look over your shoulder: a group of researchers proved that recording a user’s finger movements from a few meters away allows them to crack the unlock pattern of 95 percent of Android users in five attempts.
Around 40 percent of Android device owners use a pattern to protect their phones, and the phones accept only five attempts to trace it correctly. Also, the option is often used to confirm/authenticate financial transactions (e.g. online banking).
Calculating patterns
Researchers from Lancaster University, Northwest University in China, and the University of Bath used video recordings of users inputting the pattern – and the recordings don’t have to capture the smartphone’s screen – together with computer vision software.
The software analyzes the finger movements from the recording, and calculates likely patterns that an attacker can then try out once he gets his hands on the target’s device.
This type of attack is more covert than shoulder-surfing, as the recording can be made with a mobile phone or a digital SLR camera from 2.5 or 9 meters away, respectively.
And, as it turns out, more complex patterns are easier to crack, as they allow the finger-tracking algorithm to narrow down the possible options. In fact, the researchers found that the first candidate offered by the software for a complex pattern is usually the correct one.
How you can protect yourself
The simplest countermeasure users can implement to prevent such an attack from succeeding is to cover their fingers when tracing the pattern, especially when they are in a public area.
Other countermeasures, such as having the screen colour and brightness change dynamically to confuse the recording camera or mixing pattern locking with other activities, depend on device developers.