Smartphones today compete over which can best secure your secrets. They encrypt your data, store the digital keys to unlock themselves on specialized hardware, and even offer fancy biometrics from fingerprints to faceprints. But many millions of smartphones remain open to an absurdly low-tech attack: a sly glance at someone’s phone while they unlock it. One new study has quantified just how easy an Android-style unlock pattern—as opposed to a six-digit PIN or biometric unlock—makes the job of any over-the-shoulder snoop.
Security researchers at the US Naval Academy and the University of Maryland Baltimore County this week published a study that shows that a casual observer can visually pick up and then reproduce an Android unlock pattern with relative ease. In their tests, they found that six-point Android unlock patterns can be recreated by about two out of three observers who see it performed from five or six feet away after a single viewing. Spotting a six-digit PIN of the kind used in most iPhones, on the other hand, proved surprisingly difficult: Only about one in ten observers in the study could reproduce it after one look.
That disparity is in part due to how memorable an Android unlock pattern is for human brains, says Naval Academy professor Adam Aviv. “Patterns are really nice in memorability, but it’s the same as asking people to recall a glyph,” says Aviv, who along with his fellow researchers will present the paper at the Annual Computer Security Applications Conference in Puerto Rico in December. “Patterns are definitely less secure than PINs.”
In their tests, the researchers recruited 1,173 subjects from Amazon’s Mechanical Turk crowdsourcing platform to watch carefully controlled videos of the unlocking online, and had subjects try guessing PINs and unlock patterns after watching the phone’s owner unlock it with commonly used PINs, or patterns from five different angles and distances, averaging out those variables. They also repeated the video test with 91 people in person, just to check their online results. They found that around 64 percent of the online test subjects could reproduce a six-point pattern after one viewing, and 80 percent after two. Only 11 percent could identify a six-digit PIN after one viewing, and 27 percent after two.
For Android users who feel attached to their pattern unlock, the study did find one point of solace. Turning off the “feedback” lines that trace your finger’s path as you swipe through a pattern helped significantly to reduce snooping potential. Only 35 percent of online test subjects could identify a pattern without those lines. “If you’re using a pattern and you like it, turning off those feedback lines will give you some protection,” says Aviv. To do so, go to Settings > Lock screen and security > Secure lock settings, and turn off the Make pattern visible option. (Different Android versions and manufacturers will require slightly different steps.)
There are plenty of other reasons not to trust a pattern to keep your secrets safely locked up. An earlier study (which the Naval Academy’s Aviv also worked on) found that the randomness of an unlocking pattern is roughly equivalent to just a three-digit PIN code. Researchers have shown they can vastly narrow patterns down with automated image recognition software based on video recorded from dozens of feet away, and even derived them fairly reliably from the smudge prints on a phone’s screen. But the latest study presents evidence of the security mechanism’s vulnerability to the simplest, most manual attack method yet.
The PIN versus pattern debate, of course, isn’t quite as relevant as it was a few years ago. Today many Android users and most iPhone users unlock their phones with a fingerprint, or soon, with facial recognition. But smartphones still frequently fall back on PINs and patterns, when the phone first turns on, for instance, or when a biometric reader fails. And plenty of security-sensitive users disable biometrics to avoid spoofing attacks, or being forced to unlock their phone by authorities—the Fifth Amendment sometimes protects Americans who refuse to offer up their PIN, but not their finger or face.
The Naval Academy and Maryland researchers’ snooping study, though, shows just how vulnerable PINs and especially patterns are to the most low-tech form of hacking there is. The lesson: If you use a pattern, switch to a six-digit PIN, or at least turn off those pattern feedback lines. It may be less convenient, but it beats peering over your shoulder with every unlock.