Losing your smartphone can result in a catastrophic security breach. After all, these devices are potential treasure troves of confidential corporate and personal information waiting to be exploited by anyone who comes across them.
Because of this a mobile device security industry has sprung up over the last few years, offering everything from simple data encryption for mobile apps to complex mobile device management systems.
But the most basic level of security is provided by the devices themselves. Devices lock themselves if they are idle for a few minutes. So if a thief, a hacker or even a foreign government agent wants to access the data on a phone, in most cases he must unlock it first.
This begs a simple question: What’s the best unlock mechanism to choose – and in this context “the best” means one that provides the most appropriate balance of security and convenience.
Perils of the PIN
A common solution used by iOS devices is to require a simple four digit PIN. On the face of it such a PIN should provide an adequate level of security because there are 10,000 possibilities, and mobile operating systems can be set to erase all data on the device after 10 failed PIN entries. So there’s only a one in a thousand chance, or a probability of 0.001, that anyone could access the device by guessing a correct PIN before the data is erased.
That’s not quite the whole story, however. Many people choose predictable PINs like 1212 or ones that make patterns on the keypad, like 2580 (straight down the middle of the keypad) or 1739 (top left, bottom left, top right, bottom right) or 5684 (which spells LOVE).
“That means that the chance of guessing a PIN is more like one in 10, because people tend to choose such predictable PINs,” said Ben Schlabs, an expert at German security collective Security Research Labs.
There’s another reason that a four digit PIN is undesirable, even if you choose a PIN that is not an easily guessed one. Four digit PINs are highly susceptible to shoulder surfing, said Schlabs; someone looking over your shoulder or sitting next to you can easily see the digits you enter when you unlock you phone.
Not only that, but many people choose the same four digit PIN for their phone, ATM card and for other uses such as disarming their security alarm. That means that anyone shoulder surfing a phone PIN could also possibly access your bank account and even your home, Schlabs said.
Most mobile operating systems allow you to choose to unlock your phone by entering a longer password rather than a four digit PIN. These are harder to shoulder surf (because they are longer and more complex) and much harder to guess – as long as you avoid obvious ones – because there are many more possibilities.
That’s important, and here’s why. A foreign government agency that gets access to your phone may have the technical ability and resources to bypass the device’s operating system. That means it can make unlimited attempts to guess your PIN without the data being erased after 10 failed attempts. But it would be much harder to “brute force” a password that was six characters compared to one that was four digits, because of hardware limitations on the rate at which you can make guesses.
“With the hardware limits of one guess every five seconds it would take 50,000 seconds (about 13 hours) to brute force a four digit PIN, compared to a hundred times that (about two months) to brute force a six digit one,” Schlabs said.
Android’s Unlock Patterns
Android phones offer the option to use unlock patterns – tracing a pattern on a grid of nine points or nodes – rather than using a PIN or password to unlock. But using an unlock pattern is not a good idea in terms of security.
Marte Løge, a researcher at the Norwegian University of Science and Technology, has shown that many users employ the same predictable patterns – analogous to PIN users choosing 1234 or 5280. She recently gave a presentation entitled “Tell Me Who You Are, and I Will Tell You Your Lock Pattern” at the PasswordsCon conference in Las Vegas.
Her research found that 44 percent of all patterns start in the top left, and most then move to the bottom right. Many people also trace out a letter, often the initial letter of their name.
Unlock patterns are also easy for shoulder surfers to see, but Løge found that patterns that pass over the same node twice or which connect more than four nodes make life significantly more difficult for shoulder surfers. Turning off the “make pattern visible” option in Android, which shows a line connecting the nodes as they are traced, also helps to confound shoulder surfers.
But Schlabs believes unlock patterns should be avoided altogether. “They are really begging for people to shoulder surf them, and no one involved with IT security would use them” he said, adding that in many cases it is possible to work out the unlock pattern on a phone by looking for a tell-tale smear pattern on the screen left after the pattern has been traced numerous times.
Malware and Fingerprints
The best way to avoid the shoulder surfing problem is to avoid using PINs, passwords and unlock patterns. This can be done easily on an iOS or Android device with a fingerprint reader, by using fingerprint recognition to unlock the device.
But there are problems with fingerprint readers that shouldn’t be overlooked. Security Research Laboratories has been at the forefront of showing how these can be spoofed – sometimes by lifting a latent fingerprint from the touchscreen and using that to make a false finger. For many people this is more of a theoretical than a practical concern, because few thieves or people finding your device will have the knowledge or desire to try fingerprint spoofing.
A more realistic concern is posed by malware. In August a team of researchers from security firm FireEye revealed at the Black Hat conference in Las Vegas how stored fingerprints can be remotely harvested from some Android devices such as the Samsung Galaxy S5 and HTC One Max.
Most Android device makers don’t make use of Android’s Trust Zone to protect biometric data like fingerprints, and the HTC One Max actually stores fingerprints as unencrypted images that unprivileged processes or applications can read and download from the phone, the researchers found.
This means that an attacker could also conceivably upload an image of their own fingerprint using malware to gain access to a phone.
Fingerprint readers are a special hazard for people traveling internationally, warned Schlabs. Many countries, including the U.S., take high resolution fingerprint scans of foreigners as they cross the border. “They can take a picture that is at least as high resolution as the picture taken on an iPhone, for example, and from that they can make a spoof fingerprint,” he said.
He has this advice for travelers. “If you are an average citizen that never leaves the country and are not a target of foreign agencies, then for most people a fingerprint reader offers good security and convenience. But if you are someone who is crossing border controls then there is no good reason to use the fingerprint reader on your phone.”
Instead he recommends using a good old fashioned lockscreen password or PIN – with the provisos that it is six or more characters, is not an obvious one and, if it is a PIN, doesn’t spell out a simple word on a phone keypad.
Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.