Video and computer vision algorithm software can now be used to crack the Pattern Lock on your Android home screen—and can do so without even seeing the screen itself. University researchers used the software to track fingertip movements and produce options for a potential adversary to use to gain access to the device, as noted in their research.
For those unfamiliar, Pattern Lock is an alternative to PIN-based passcodes that Google released as part of the Android OS. To unlock their phones, users trace a unique pattern over a set of nine dots that appear on the lock screen instead of tapping in a set of numbers.
Android users are typically given five attempts to correctly trace their pattern and unlock the device before they are locked out. The new research was able to unlock 95% of its test patterns within the five-attempt limit, the research said.
According to the research, the victim can be filmed from afar using the attacker's smartphone camera. Then, a computer vision algorithm is applied "to track the fingertip movements to infer the pattern," the research stated. "Using the geometry information extracted from the tracked fingertip motions, our approach is able to accurately identify a small number of (often one) candidate patterns to be tested by an adversary."
The research used 120 patterns collected from 215 independent users, relying on video footage from smartphone cameras. Additionally, complex patterns didn't seem any more secure, as their geometry limits the number of candidate patterns that could match the tracked movement. The research abstract noted that, with complex patterns, the researchers had a 97.5% success rate.
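To see why longer patterns leave fewer candidates, the following added example (not code from the research or from TechRepublic) enumerates every valid 3x3 pattern and counts how many share the same sequence of stroke vectors. It assumes a simplified model in which an observer recovers the strokes at known scale and orientation but not their position on the screen; all function names are illustrative.

```python
from collections import Counter

def dot_xy(d):
    """Dots are numbered 0..8 row by row on the 3x3 grid."""
    return d % 3, d // 3

def valid_next(path, visited, nxt):
    """Android rule: a stroke may cross a dot only if that dot is already used."""
    if nxt in visited:
        return False
    (x1, y1), (x2, y2) = dot_xy(path[-1]), dot_xy(nxt)
    if (x1 + x2) % 2 == 0 and (y1 + y2) % 2 == 0:  # a dot lies exactly between
        return ((y1 + y2) // 2) * 3 + (x1 + x2) // 2 in visited
    return True

def patterns(min_len=4, max_len=9):
    """Yield every valid pattern as a tuple of dot indices."""
    def extend(path, visited):
        if len(path) >= min_len:
            yield tuple(path)
        if len(path) < max_len:
            for nxt in range(9):
                if valid_next(path, visited, nxt):
                    yield from extend(path + [nxt], visited | {nxt})
    for start in range(9):
        yield from extend([start], {start})

def shape(p):
    """Stroke vectors only (assumed model): where the pattern started is lost."""
    pts = [dot_xy(d) for d in p]
    return bytes((bx - ax + 2) * 5 + (by - ay + 2)
                 for (ax, ay), (bx, by) in zip(pts, pts[1:]))

def ambiguity_by_length():
    """Map length -> (valid patterns, most patterns sharing a single shape)."""
    total, worst = Counter(), Counter()
    for s, n in Counter(shape(p) for p in patterns()).items():
        total[len(s) + 1] += n
        worst[len(s) + 1] = max(worst[len(s) + 1], n)
    return {k: (total[k], worst[k]) for k in sorted(total)}

if __name__ == "__main__":
    for length, (count, most) in ambiguity_by_length().items():
        print(f"{length} dots: {count:>6} patterns, at most {most} per shape")
```

Under this model a four-dot pattern can share its shape with up to three others, while every pattern of seven or more dots has a shape that no other pattern shares, so pattern length alone does not add protection against an observer who can see the hand.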
A Phys.org article detailing the research said that mobile video can produce accurate results from up to two and a half meters away. The article also noted that the technique could be used with SLR footage shot from up to nine meters away.
While this research only works with digital footage from smartphones or digital SLRs, if this algorithm could be augmented to work with the now-ubiquitous security cameras, it could cause even more issues. Researchers recommended users cover their hands when entering their Pattern Lock, or set the screen brightness to change quickly to throw off any recording.
"Since our threat model is common in day-to-day life, this paper calls for the community to revisit the risks of using Android pattern lock to protect sensitive information," the research said.
Much like standard passwords and passcodes, the Pattern Lock suffers from predictability and other issues. If possible, Android users should consider using an alternate security method and enabling two-factor authentication.
The 3 big takeaways for TechRepublic readers
- New research has used computer vision algorithms to unlock Android Pattern Lock codes in fewer than five attempts.
- The algorithm can use footage from a smartphone and doesn't need to see the screen, as it analyzes the movement of a user's fingertips.
- Android users should take extra steps to protect themselves, and should consider two-factor authentication.
Conner Forrest has nothing to disclose. He doesn't hold investments in the technology companies he covers.
Conner Forrest is a Senior Editor for TechRepublic. He covers enterprise technology and is interested in the convergence of tech and culture.