Researchers have demonstrated an attack that can crack 95 percent of Android pattern locks within the five attempts allowed.
The side-channel attack, devised by researchers from China and the UK, uses video footage from a smartphone's camera and a computer vision algorithm to crack Android's geometric lock patterns. Lock patterns are an alternative to PINs and passwords.
As noted by the researchers, the attack doesn't require footage of the screen itself, only a line of sight to the user's hand movements. The algorithm tracks fingertip motions and reconstructs the lock pattern. The researchers tested the attack on 120 unique patterns from 215 users and report that the method can crack 95 percent of patterns within five attempts.
Additionally, they found that more complex patterns are easier to crack, with 97.5 percent falling within the first attempt, compared with 60 percent of simple patterns and 87 percent of median complex patterns.
While it's not comforting to know that lock patterns can be so thoroughly cracked, for an attacker to take advantage of this method, they would first need to surreptitiously film the target and then gain physical access to the phone without the owner noticing it. The attacker could then steal information from the device or install malware.
However, the attack does offer a more subtle option than shoulder surfing. The researchers say they've successfully reconstructed patterns captured with a smartphone's camera from two and half meters away, and from nine meters (8.2ft and 29.5ft) away, using a digital SLR camera.
Still, the researchers say their findings suggest people shouldn't be using pattern locks to secure important information.
"Pattern Lock is a very popular protection method for Android Devices. As well as for locking their devices, people tend to use complex patterns for important financial transactions such as online banking and shopping because they believe it is a secure system," said Dr Zheng Wang, principle investigator and co-author of the paper, and a lecturer at Lancaster University.
"However, our findings suggest that using Pattern Lock to protect sensitive information could actually be very risky."
It should be noted that pattern lock is also no more vulnerable to video-based side-channel attacks than PIN and passwords, which previous research has shown can be cracked with similar attacks.
The unique aspect of the new research is figuring out how to map the user's finger movements on a specific point-based shape, and reconstructing a pattern as the user would see it, based on footage captured at a distance.
To avoid video-based attacks, the researchers recommend that users fully cover their fingers when painting their pattern on the screen.