THISDAY

Smart Phone Security: PINs, Patterns or Fingerprint

- Michael.okeke@thisdaylive.com MICHAEL OKEKE

Just as humans cannot function well without food, smartphones have become an integral part of our daily lives; some people cannot do without them. From Tecno smartphones to Huawei, and from Samsung to HTC, to mention a few, all these smart devices have one thing in common: an operating system, popularly known as the OS. Be it Android, iOS or Windows Mobile, each of these has its own share of security challenges.

Losing your smartphone can result in a catastrophic security breach. After all, these devices are potential treasure troves of confidential corporate and personal information waiting to be exploited by anyone who comes across them. Because of this, a mobile device security industry has sprung up over the last few years, offering everything from simple data encryption for mobile applications to complex mobile device management systems. But the most basic level of security is provided by the devices themselves: they lock themselves if they are idle for a few minutes. So if a thief, a hacker or even a foreign government agent wants to access the data on a phone, in most cases he must unlock it first.

This begs a simple question: what is the best unlock mechanism to choose? In this context “the best” means one that provides the most appropriate balance of security and convenience.

PIN Lock

A common solution used by iOS devices is to require a simple four-digit PIN. On the face of it such a PIN should provide an adequate level of security, because there are 10,000 possibilities, and mobile operating systems can be set to erase all data on the device after 10 failed PIN entries. So there is only a one in a thousand chance, or a probability of 0.001, that anyone could access the device by guessing the correct PIN before the data is erased.

Many people choose predictable PINs like 1212, or ones that make patterns on the keypad, like 2580 (straight down the middle of the keypad), 1739 (top left, bottom left, top right, bottom right) or 5684 (which spells LOVE). “That means that the chance of guessing a PIN is more like one in 10 because people tend to choose such predictable PINs,” said Ben Schlabs, an expert at German security collective Security Research Labs.

There is another reason that a four-digit PIN is undesirable, even if you choose one that is not easily guessed. Four-digit PINs are highly susceptible to shoulder surfing: someone looking over your shoulder or sitting next to you can easily see the digits you enter when you unlock your phone. Not only that, but many people choose the same four-digit PIN for their phone, their ATM card and other uses such as disarming their security alarm. That means that anyone shoulder surfing a phone PIN could also possibly access your bank account and even your home. Most mobile operating systems allow you to unlock your phone by entering a longer password rather than a four-digit PIN. These are harder to shoulder surf (because they are longer and more complex) and much harder to guess - as long as you avoid obvious ones - because there are many more possibilities.

That is important, and here is why. A foreign government agency that gets access to your phone may have the technical ability and resources to bypass the device’s operating system. That means it can make unlimited attempts to guess your PIN without the data being erased after 10 failed attempts. But it would be much harder to “brute force” a password of at least six characters or letters than a four-digit PIN, because of hardware limitations on the rate at which guesses can be made.

An expert in mobile security states: “With the hardware limits of one guess every five seconds it would take 50,000 seconds (about 13 hours) to brute force a four digit PIN, compared to a hundred times that (about two months) to brute force a six digit one”.

Android’s Unlock Patterns

Android phones offer the option to use unlock patterns - tracing a pattern on a grid of nine points or nodes - rather than using a PIN or password to unlock. But using an unlock pattern is not a good idea in terms of security. Marte Loge, a researcher at the Norwegian University of Science and Technology, has shown that many users employ the same predictable patterns - analogous to PIN users choosing 1234 or 5280. She recently gave a presentation entitled “Tell Me Who You Are, and I Will Tell You Your Lock Pattern” at the PasswordsCon conference in Las Vegas.

Her research found that 44 percent of all patterns start in the top left, and most of them move to the bottom right. Many people also trace out a letter, often the initial letter of their name. Unlock patterns are also easy for shoulder surfers to see, but Loge found that patterns that pass over the same node twice or which connect more than four nodes make life significantly more difficult for shoulder surfers. Turning off the “make pattern visible” option in Android, which shows a line connecting the nodes as they are traced, also helps to confound shoulder surfers.

But Schlabs believes unlock patterns should be avoided altogether. “They are really begging for people to shoulder surf them, and no one involved with IT security would use them,” he said, adding that in many cases it is possible to work out the unlock pattern on a phone by looking for a tell-tale smear pattern on the screen left after the pattern has been traced numerous times.

Malware and Fingerprints

The best way to avoid the shoulder surfing problem is to avoid using PINs, passwords and unlock patterns. This can be done easily on an iOS or Android device with a fingerprint reader, by using fingerprint recognition to unlock the device. But there are problems with fingerprint readers that should not be overlooked. Security Research Laboratories has been at the forefront of showing how these can be spoofed - sometimes by lifting a latent fingerprint from the touchscreen and using that to make a false finger. For many people, this is more of a theoretical than a practical concern, because few thieves or people finding your device will have the knowledge or desire to try fingerprint spoofing. A more realistic concern is posed by malware. In August, a team of researchers from security firm FireEye revealed at the Black Hat conference in Las Vegas how stored fingerprints can be remotely harvested from some Android devices such as the Samsung Galaxy S5 and HTC One Max.

Most Android device makers do not make use of Android’s Trust Zone to protect biometric data like fingerprints, and the HTC One Max actually stores fingerprints as unencrypted images that unprivileged processes or applications can read and download from the phone, the researchers found.

This means that an attacker could also conceivably upload an image of their own fingerprint using malware to gain access to a phone. Fingerprint readers are a special hazard for people traveling internationally, warned Schlabs. Many countries, including the U.S., take high-resolution fingerprint scans of foreigners as they cross the border. “They can take a picture that is at least as high resolution as the picture taken on an iPhone, for example, and from that they can make a spoof fingerprint,” he said.

He has this advice for travelers. “If you are an average citizen that never leaves the country and are not a target of foreign agencies, then for most people a fingerprint reader offers good security and convenience. But if you are someone who is crossing border controls then there is no good reason to use the fingerprint reader on your phone.”

Instead, he recommends using a good old-fashioned lock-screen password or PIN - with the provisos that it is six or more characters, is not an obvious one and, if it is a PIN, does not spell out a simple word on a phone keypad.
