research-article

A pilot study on the security of pattern screen-lock methods and soft side channel attacks

Authors:

Panagiotis Andriotis,

Theo Tryfonas,

George Oikonomou,

Can YildizAuthors Info & Claims

WiSec '13: Proceedings of the sixth ACM conference on Security and privacy in wireless and mobile networks

Pages 1 - 6

https://doi.org/10.1145/2462096.2462098

Published: 17 April 2013 Publication History

Get Access

Abstract

Graphical passwords that allow a user to unlock a smartphone's screen are one of the Android operating system's features and many users prefer them instead of traditional text-based codes. A variety of attacks has been proposed against this mechanism, of which notable are methods that recover the lock patterns using the oily residues left on screens when people move their fingers to reproduce the unlock code. In this paper we present a pilot study on user habits when setting a pattern lock and on their perceptions regarding what constitutes a secure pattern. We use our survey's results to establish a scheme, which combines a behaviour-based attack and a physical attack on graphical lock screen methods, aiming to reduce the search space of possible combinations forming a pattern, to make it partially or fully retrievable.

References

[1]

A. J. Aviv, K. Gibson, E. Mossop, M. Blaze, and J. M. Smith. Smudge attacks on smartphone touch screens. In Proceedings of the 4th USENIX conference on Offensive technologies, pages 1--7. USENIX Association, August 2010.

Digital Library

Google Scholar

[2]

R. Biddle, S. Chiasson, and P. C. Van Oorschot. Graphical passwords: Learning from the first twelve years. ACM Computing Surveys, 44(4):1--41, August 2012.

Digital Library

Google Scholar

[3]

D. Davis, F. Monrose, and M. Reiter. On user choice in graphical password schemes. In USENIX Assosiation Proceedings of the 13th USENIX Security Symposium, pages 151--163. USENIX Association, August 2004.

Digital Library

Google Scholar

[4]

D. J. Delprato. Mind and its evolution: A dual coding theoretical approach. Psycological Record, 59(2):295--300, September 2009.

Crossref

Google Scholar

[5]

G. Fragkos and T. Tryfonas. A cognitive model for the forensic recovery of end-user passwords. In Proc. of 2nd Intl. Workshop on Digital Forensics and Incident Analysis, pages 48--54. IEEE CS Press, August 2007.

Digital Library

Google Scholar

[6]

K. Mowery, S. Meiklejohn, and S. Savage. Heat of the moment: characterizing the efficacy of thermal camera-based attacks. In Proceedings of the 5th USENIX conference on Offensive technologies, pages 6--6. USENIX Association, August 2011.

Digital Library

Google Scholar

[7]

P. C. v. Oorschot and J. Thorpe. On predictive models and user-drawn graphical passwords. ACM Trans. Inf. Syst. Secur., 10(4):5:1--5:33, January 2008.

Digital Library

Google Scholar

[8]

M. A. Sasse, S. Brostoff, and D. Weirich. Transforming the 'weakest link' - a human/computer interaction approach to usable and effective security. BT Technology Journal, 19(3):122--131, July 2001.

Digital Library

Google Scholar

[9]

C. Shannon. Prediction and entropy of printed english. Bell System Technical Journal, 30(1):50--64, January 1951.

Crossref

Google Scholar

[10]

J. Thorpe and P. C. van Oorschot. Human-seeded attacks and exploiting hot-spots in graphical passwords. In USENIX Assosiation Proceedings of the 16th USENIX Security Symposium, pages 103--118. USENIX Association, August 2007.

Digital Library

Google Scholar

[11]

Y. Zhang, P. Xia, J. Luo, Z. Ling, B. Liu, and X. Fu. Fingerprint attack against touch-enabled devices. In Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices, pages 57--68. ACM, October 2012.

Digital Library

Google Scholar

Cited By

View all

Mahfouz A(2024)User Authentication in the IoT and IIoT EnvironmentSmart and Agile Cybersecurity for IoT and IIoT Environments10.4018/979-8-3693-3451-5.ch008(169-194)Online publication date: 30-Jun-2024
https://doi.org/10.4018/979-8-3693-3451-5.ch008
Por LNg IChen YYang JKu C(2024)A Systematic Literature Review on the Security Attacks and Countermeasures Used in Graphical PasswordsIEEE Access10.1109/ACCESS.2024.337366212(53408-53423)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3373662
Farzand HAbraham MBrewster SKhamis MMarky K(2024)A Systematic Deconstruction of Human-Centric Privacy & Security Threats on Mobile PhonesInternational Journal of Human–Computer Interaction10.1080/10447318.2024.2361519(1-24)Online publication date: 12-Jun-2024
https://doi.org/10.1080/10447318.2024.2361519
Show More Cited By

Index Terms

A pilot study on the security of pattern screen-lock methods and soft side channel attacks
1. Security and privacy
  1. Systems security
    1. Operating systems security

Recommendations

A Video-based Attack for Android Pattern Lock

Pattern lock is widely used for identification and authentication on Android devices. This article presents a novel video-based side channel attack that can reconstruct Android locking patterns from video footage filmed using a smartphone. As a ...
On the Effectiveness of Pattern Lock Strength Meters: Measuring the Strength of Real World Pattern Locks
CHI '15: Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems

We propose an effective pattern lock strength meter to help users choose stronger pattern locks on Android devices. To evaluate the effectiveness of the proposed meter with a real world dataset (i.e., with complete ecological validity), we created an ...
Boosting the Guessing Attack Performance on Android Lock Patterns with Smudge Attacks
ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security

Android allows 20 consecutive fail attempts on unlocking a device. This makes it difficult for pure guessing attacks to crack user patterns on a stolen device before it permanently locks itself. We investigate the effectiveness of combining Markov model-...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

WiSec '13: Proceedings of the sixth ACM conference on Security and privacy in wireless and mobile networks

April 2013

230 pages

ISBN:9781450319980

DOI:10.1145/2462096

General Chair:
Levente Buttyán
Budapest University of Technology and Economics, Hungary
,
Program Chairs:
Ahmad-Reza Sadeghi
Technische Universitaet Darmstadt, Fraunhofer SIT, Intel-CRISC, Germany
,
Marco Gruteser
Rutgers University, USA

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

In-Cooperation

SIGMOBILE: ACM Special Interest Group on Mobility of Systems, Users, Data and Computing

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 17 April 2013

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

WISEC'13

Sponsor:

SIGSAC

WISEC'13: Sixth ACM Conference on Security and Privacy in Wireless and Mobile Networks

April 17 - 19, 2013

Budapest, Hungary

Acceptance Rates

WiSec '13 Paper Acceptance Rate 26 of 70 submissions, 37%;

Overall Acceptance Rate 98 of 338 submissions, 29%

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

100
Total Citations
View Citations
994
Total Downloads

Downloads (Last 12 months)43
Downloads (Last 6 weeks)5

Reflects downloads up to 16 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Mahfouz A(2024)User Authentication in the IoT and IIoT EnvironmentSmart and Agile Cybersecurity for IoT and IIoT Environments10.4018/979-8-3693-3451-5.ch008(169-194)Online publication date: 30-Jun-2024
https://doi.org/10.4018/979-8-3693-3451-5.ch008
Por LNg IChen YYang JKu C(2024)A Systematic Literature Review on the Security Attacks and Countermeasures Used in Graphical PasswordsIEEE Access10.1109/ACCESS.2024.337366212(53408-53423)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3373662
Farzand HAbraham MBrewster SKhamis MMarky K(2024)A Systematic Deconstruction of Human-Centric Privacy & Security Threats on Mobile PhonesInternational Journal of Human–Computer Interaction10.1080/10447318.2024.2361519(1-24)Online publication date: 12-Jun-2024
https://doi.org/10.1080/10447318.2024.2361519
Marky KMacdonald SAbdrabou YKhamis MCalandrino JTroncoso C(2023)In the quest to protect users from side-channel attacksProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620530(5235-5252)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620530
Bailey DMunyendo CDyer HGrant MMarkert PAviv A(2023)“Someone Definitely Used 0000”: Strategies, Performance, and User Perception of Novice Smartphone-Unlock PIN-GuessersProceedings of the 2023 European Symposium on Usable Security10.1145/3617072.3617113(158-174)Online publication date: 16-Oct-2023
https://dl.acm.org/doi/10.1145/3617072.3617113
Bologna DMicciché VViolo GVisconti ACannavò ALamberti F(2023)SPHinX Authentication Technique: Secure Painting autHentication in eXtended reality2023 IEEE Conference on Virtual Reality and 3D User Interfaces Abstracts and Workshops (VRW)10.1109/VRW58643.2023.00313(941-942)Online publication date: Mar-2023
https://doi.org/10.1109/VRW58643.2023.00313
Olade ILiang HFleming C(2023)Story-based authentication for mobile devices using semantically-linked imagesInternational Journal of Human-Computer Studies10.1016/j.ijhcs.2022.102967171:COnline publication date: 1-Mar-2023
https://dl.acm.org/doi/10.1016/j.ijhcs.2022.102967
Liu JSimsek MKantarci BErol-kantarci MMalton AWalenstein A(2022)Risk-aware Fine-grained Access Control in Cyber-physical ContextsDigital Threats: Research and Practice10.1145/34804683:4(1-29)Online publication date: 5-Dec-2022
https://dl.acm.org/doi/10.1145/3480468
Kaur PGeeta Sharma V(2022)Analysis of Secure Locking Techniques on Smart Phones2022 5th International Conference on Contemporary Computing and Informatics (IC3I)10.1109/IC3I56241.2022.10073370(1807-1811)Online publication date: 14-Dec-2022
https://doi.org/10.1109/IC3I56241.2022.10073370
Rayani PChangder S(2022)Continuous user authentication on smartphone via behavioral biometrics: a surveyMultimedia Tools and Applications10.1007/s11042-022-13245-982:2(1633-1667)Online publication date: 9-Jun-2022
https://doi.org/10.1007/s11042-022-13245-9
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

A Video-based Attack for Android Pattern Lock

On the Effectiveness of Pattern Lock Strength Meters: Measuring the Strength of Real World Pattern Locks

Boosting the Guessing Attack Performance on Android Lock Patterns with Smudge Attacks