Cracking Android Pattern Lock in 5 Attempts!Guixin Ye

Northwest University (China), Lancaster University (UK), Bath University (UK)

Attacking Scenario !!• Alice and Bob go to a party (or library etc.)!

• Alice leaves her phone unattended for a few minutes, thinking this is okay as she uses PATTERN LOCK protection!!Can Bob quickly install malware on Alice’s phone?!

2

-60 -30 0 30 60-60

-30

0

30

60

How can Bob bypass pattern lock?!

3

Bob only need to observe the fingertip movement!!

Evil Bob films how Alice draws the pattern from a distance of 2-3 meters. No need to see the screen content. !

Tracking !

5

Bob marks two areas of interest, and runs a vision algorithm to track the fingertip movement. !

-60 -30 0 30 60-60

-30

0

30

60

-60 -30 0 30 60-60

-30

0

30

60

Tracking Example!

6

Bob wants this! Tracking algorithm

Resulted fingertip movement trajectory

The pattern

View Transformation !

7

-60 -30 0 30 60-60

-30

0

30

60

-60 -30 0 30 60-60

-30

0

30

60

1S =TS

cos -sin=sin cos

Tθ θ

θ θ⎛ ⎞⎜ ⎟⎝ ⎠Camera’s perspective User’s perspective

-60 -30 0 30 60-60

-30

0

30

60

Trajectory to Candidate Patterns !

8

Fingertip Trajectory Candidate Patterns

-60 -30 0 30 60-60

-30

0

30

60

A large number of possibilities!

9

Fingertip Trajectory Possible Patterns (>100)

……

10

Use Geometric information!

Pattern Lock

Line Length

Line Direction

Example: Identify Candidate Patterns !

11

Rejected patterns

Candidate patterns

Length

Length & Direction

Length & Direction

Test on Alice’s Phone!

12 Correct pattern

Another Example !

13

-80 -40 0 40 80-80

-40

0

40

80

Complex Pattern

Pattern Trajectory

Evaluation Setup!

14

120 patterns from 215 users! plus!some of the most complex patterns!

Other pattern grids!

Xiaomi MI4, Meizu2, Huawei Honor7, Samsung Note4!

Example Patterns!!!!! Simple Medium Complex!

15

Simple Median Complex0%

20%

40%

60%

80%

100%

The complexity of pattern locks

Cra

ckin

g su

cces

s ra

te

1 attempt2 attempts3 attempts4 attempts5 attempts

Complex patterns are less secure!

16

Over 95% of the patterns can be cracked in 5 attempts

1 2 3 4 50

10

20

30

40

Number of candidate patterns

Num

ber o

f pat

tern

s

SimpleMedianComplex

Up to 5 candidate patterns generated!

17

For most median and all complex patterns, our system produces just ONE candidate pattern.

Candidate Pattern

Threat distance reaches 2.5m!

18

Over 80% of the patterns can be cracked within a distance of 2.5 meters away from the target device.

1 1.5 2 2.5 3 3.50%

20%

40%

60%

80%

100%

Distance(Meter)

Cra

ckin

g su

cces

s ra

te

1 attempt2 attempts3 attempts4 attempts5 attempts

Simple Median Complex60%

70%

80%

90%

100%

Cra

ckin

g su

cces

s ra

te

4×4 5×5 6×6

More dots helps, but only for simple patterns!

19

Conclusions!Pattern lock is vulnerable under video based attacks!!Complex patterns could be less secure!!Data available at:!https://dx.doi.org/10.17635/lancaster/researchdata/113!

20

Back Up!

21

Related work Camera Shake How to identify candidate pattern How to define the complexity of pattern lock Video recording devices

22

Existing Researches on Pattern Lock

Smudge Attack Wireless-based Attack

23

Video-based Attacks on PIN- or text-based passwords

Text-based: Directly facing the keyboard or the screen

PIN-based: The dynamics of hand during typing

24

Pattern Lock v.s. PIN- or text-based password

Discrete keystrokes Continuous points

Overlapping lines Different size of pattern grid

How to map the fingertip movements to a graphical structure?

How to identify two overlapping lines?

How can the algorithm adapt to the different size of pattern grid

Existing attacks methods cannot be used to crack pattern lock

-100 -50 0 50 100-100

-50

0

50

100

-100 -50 0 50 100-100

-50

0

50

100

Camera Shake Effect!

25

Expected trajectory Unique pattern Tracking process

Actual trajectory

-100 -50 0 50 100-100

-50

0

50

100

Camera Shake Calibration!

26

w/ camera !shake calibration

Correct pattern

Fixed point Fixed point Fixed point

1 2 31 2 3( , , ; , , ) l l ll l l d d d{ ; }CP L D=

l L is the collection of the relative line segments.!

l D is collection of the directions corresponding to the line segment.!

Geometric Features Fingertip Trajectory

27

Solution: Identify Candidate Patterns!

Example: Extracting Geometric Features!Length Feature

120 140 160 180 200 220 240 260-950

-900

-850

-800

-750

-700

-650S

ET2

T1

1 1 2 2: ( , , )ST TT T EL l l l

: (5,11,5)D

Direction Feature

All line directions

28

Pattern Collection and Category!

ü  Simple pattern（40）: !ü Median Pattern（40）: !ü Complex pattern（40）:

𝑆↓𝑃 ∈[6.34,19) 𝑆↓𝑃 ∈[19,33) 𝑆↓𝑃 ∈[33,46.8)

29

𝐶𝑆↓𝑃 = 𝑆↓𝑃 × log↓2 ( 𝐿↓𝑃 + 𝐼↓𝑃 + 𝑂↓𝑃 )

ü  is the number of connected dots!ü  is the total length of all line segments that form the pattern !ü  are the number of intersections!ü  are the number of overlapping linear segments

𝑆↓𝑃 

𝐼↓𝑃  𝐿↓𝑃 

𝑂↓𝑃 

30

Video Recording!l  User Participation! 10 postgraduate: 5 male and 5 female students

l  Test Phones!

Size ! Xiaomi MI4

Huawei Honor7

Samsung Note4

Height(cm)×Height(cm) 13.9×6.9 14.3×7.2 15.4×7.9

Brands

l  Record Device! Apple iPhone4S, Xiaomi MI4 and Meizu2!