Access zone: 30 ways to unlock any smartphone. Part 1


In their work, computer forensic experts regularly encounter cases where a smartphone has to be unlocked quickly. For example, the investigation may need data from the phone to understand the reasons for a teenager's suicide. In another case, it will help to get on the trail of a criminal group attacking truck drivers. There are, of course, touching stories too: parents have forgotten the password to a gadget that holds a video of their baby's first steps. Unfortunately, such stories are few, but they also require a professional approach. In this article Igor Mikhailov, a specialist at the Group-IB Computer Forensics Laboratory, talks about the ways that allow forensic experts to bypass a smartphone lock.

Important: This article was written to evaluate the security of the passwords and graphic patterns used by mobile device owners. If you decide to unlock a mobile device using the methods described, remember that you perform all unlocking actions at your own risk. When manipulating mobile devices, you can lock the device, erase user data, or cause the device to malfunction. Recommendations are also given to users on how to raise the level of protection of their devices.

The most common method of restricting access to the user information contained in a device is locking the screen of the mobile device. When such a device arrives at a forensic laboratory, working with it can be difficult: USB debugging mode cannot be enabled (on Android devices), the examiner's computer cannot be confirmed as trusted to interact with the device (on Apple mobile devices), and, as a result, the data stored in the device's memory cannot be accessed.

How much an ordinary screen lock hinders specialists extracting data from a mobile device is shown by the fact that the US FBI paid a large sum to unlock the iPhone of the terrorist Syed Farook, one of the participants in the attack in the Californian city of San Bernardino [1].

Mobile Device Screen Unlock Methods

As a rule, the screen of a mobile device is locked with:

  1. A character (text) password
  2. A graphic password (pattern)

In addition, for a number of mobile devices the screen can be unlocked with SmartBlock technology methods:

  1. Fingerprint unlock
  2. Face unlock (FaceID technology)
  3. Iris recognition unlock

Social methods of unlocking a mobile device

Besides purely technical ones, there are other ways to learn or overcome the PIN code or graphic code (pattern) of the screen lock. In some cases, social methods can be more effective than technical solutions and help unlock devices that do not yield to existing technical tools.

This section describes methods for unlocking the screen of a mobile device that do not require (or require only limited, partial) use of technical means.
To carry out social attacks, the psychology of the owner of the locked device must be studied as deeply as possible, to understand the principles by which he creates and stores passwords or graphic patterns. The researcher will also need a bit of luck.

When using methods based on password guessing, keep in mind that:

  • entering ten incorrect passcodes on Apple mobile devices may result in the user's data being erased, depending on the security settings the user has chosen;
  • on mobile devices running the Android operating system, Root of Trust technology can be used, as a result of which, after 30 incorrect passwords, user data becomes either inaccessible or erased.

Method 1: ask for a password

It may seem strange, but you can find out the unlock password simply by asking the owner of the device. Statistics show that approximately 70% of mobile device owners are willing to share their password, especially if it shortens the examination and, accordingly, the owner gets the device back sooner. If it is impossible to ask the owner for the password (for example, the owner of the device has died) or he refuses to disclose it, the password can be obtained from his close relatives. As a rule, relatives know the password or can suggest possible options.

Protection recommendation: your phone password is a universal key to all your data, including payment data. Saying it aloud, passing it on, or writing it down in instant messengers is a bad idea.

Method 2: peek at the password

The password can be observed at the moment the owner uses the device. Even if you remember the password (character or graphic) only partially, this significantly reduces the number of possible options, which allows you to guess it faster.

A variant of this method is the use of CCTV footage showing the owner unlocking the device with a pattern [2]. The algorithm described in the paper "Cracking Android Pattern Lock in Five Attempts" [2] analyzes the video recording to narrow down the candidate patterns and unlock the device in several attempts (as a rule, no more than five). According to the authors, "the more complex the graphic password, the easier it is to crack".

Protection recommendation: using a graphic pattern is not the best idea. An alphanumeric password is much harder to observe.

Method 3: find the password

The password can be found in the owner's records (files on the computer, in a diary, on scraps of paper lying among documents). If a person uses several different mobile devices with different passwords, then sometimes scraps of paper with written passwords can be found in the battery compartment of these devices or in the space between the smartphone body and its case.

Protection recommendation: there is no need to keep a "notebook" of passwords. This is a bad idea, unless all the passwords in it are deliberately false, meant to use up an attacker's unlock attempts.

Method 4: fingerprints on the screen (smudge attack)

This method is based on identifying the sweat and grease traces left by hands on the device's display. They can be seen by treating the screen with a light fingerprint powder (instead of special forensic powder, you can use baby powder or another chemically inactive fine white or light-gray powder) or by looking at the screen in oblique light. By analyzing the relative positions of the traces and using additional information about the owner (for example, knowing his year of birth), you can try to guess a text or graphic password. On a smartphone display such sweat and grease deposits can appear, for example, in the form of a stylized letter Z.

Protection recommendation: as we said, a graphic pattern is not a good idea, and neither is screen glass with a poor oleophobic coating.

Method 5: artificial finger

If the device can be unlocked with a fingerprint and the researcher has samples of the owner's fingerprints, a 3D copy of the owner's finger can be made on a 3D printer and used to unlock the device [3].

For a more complete imitation of a living person's finger (for example, when the smartphone's fingerprint sensor also detects warmth), the 3D model is placed on (pressed against) the finger of a living person.

The owner of the device, even if he has forgotten the screen lock password, can unlock the device himself with his fingerprint. This can be used in cases where the owner is unable to provide the password but is nevertheless willing to help the researcher unlock the device.

The researcher should keep in mind the generation of sensor used in a particular model of mobile device. Older sensors can be triggered by almost any finger, not necessarily the owner's. Modern ultrasonic sensors, on the contrary, scan very deeply and clearly. In addition, a number of modern under-display sensors are simply CMOS cameras that cannot capture the depth of the image, which makes them much easier to fool.

Protection recommendation: if a finger, then only with an ultrasonic sensor. But do not forget that a finger is much easier to press against the sensor against your will than a face.

Method 6: snatching (mug attack)

This method is described by the British police [4]. It consists of covert surveillance of the suspect. The moment the suspect unlocks his phone, a plainclothes officer snatches it from his hands and keeps the device from locking again until it is handed over to the experts.

Protection recommendation: I think that if such measures are going to be used against you, things are bad. But here you need to understand that the device locking again at a random moment devalues this method. And, for example, repeatedly pressing the lock button on an iPhone launches SOS mode, which among other things disables FaceID and requires a passcode.

Method 7: errors in device control algorithms

In the news feeds of specialized resources, you can often find reports that certain actions with a device unlock its screen. For example, the lock screen of some devices could be unlocked by an incoming call. The disadvantage of this method is that the identified vulnerabilities are, as a rule, promptly fixed by the manufacturers.

An example of an unlocking approach for mobile devices released before 2016 is draining the battery. When the battery is low, the device unlocks and prompts you to change the power settings. At that moment you need to quickly go to the security settings page and disable the screen lock [5].

Protection recommendation: do not forget to update your device's OS in a timely manner, and if it is no longer supported, change your smartphone.

Method 8: Vulnerabilities in third-party programs

Vulnerabilities found in third-party applications installed on the device may also provide full or partial access to the data of a locked device.

An example of such a vulnerability is the theft of data from the iPhone of Jeff Bezos, Amazon's principal owner. A vulnerability in the WhatsApp messenger, exploited by unknown persons, led to the theft of confidential data stored in the device's memory [6].

Such vulnerabilities can be used by researchers to achieve their goals: to extract data from locked devices or to unlock them.

Protection recommendation: You need to update not only the OS, but also the applications that you use.

Method 9: corporate phone

Corporate mobile devices can be unlocked by the company's system administrators. For example, corporate Windows Phone devices are linked to the company's Microsoft Exchange account and can be unlocked by company administrators. For corporate Apple devices there is a Mobile Device Management (MDM) service similar to Microsoft Exchange, whose administrators can also unlock a corporate iOS device. In addition, corporate mobile devices can be restricted to pairing only with specific computers set by the administrator in the mobile device settings. Therefore, without the cooperation of the company's system administrators, such a device cannot be connected to the researcher's computer (or to a hardware and software system for forensic data extraction).

Protection recommendation: in terms of protection, MDM is both good and bad. An MDM administrator can always remotely reset a device. In any case, you should not store sensitive personal data on a corporate device.

Method 10: information from sensors

By analyzing the information received from the device's sensors, the password can be guessed using a special algorithm. Adam J. Aviv demonstrated the feasibility of such attacks using data obtained from a smartphone's accelerometer. In the course of the research, the scientist managed to correctly determine a character password in 43% of cases, and a graphic password in 73% [7].

Protection recommendation: be careful which apps you grant permission to read the various sensors.

Method 11: face unlock

As with fingerprints, the success of unlocking a device using FaceID technology depends on which sensors and which mathematical apparatus are used in a particular mobile device. Thus, in the study "Gezichtsherkenning op smartphone niet altijd veilig" ("Face recognition on smartphones is not always secure") [8], the researchers showed that some of the smartphones examined were unlocked simply by showing the owner's photo to the smartphone's camera. This is possible when only the front camera, which cannot capture image depth, is used for unlocking. After a series of high-profile publications and YouTube videos, Samsung was forced to add a warning about this to the Face Unlock feature in its smartphones' firmware.

More advanced smartphones can be unlocked using a mask or by the device's self-learning. For example, the iPhone X uses the special TrueDepth technology [9]: the device's projector, with two cameras and an infrared emitter, projects a grid of more than 30,000 points onto the owner's face. Such a device can be unlocked using a mask whose contours mimic the contours of the owner's face [10].

Since such a system is very complex and does not operate under ideal conditions (the owner ages naturally, the face changes with emotions, fatigue, state of health, etc.), it is forced to self-learn constantly. Therefore, if another person holds the unlocked device in front of himself, his face will be remembered as the owner's face, and in the future he will be able to unlock the smartphone using FaceID technology.

Protection recommendation: do not use "photo" unlocking; use only systems with full-fledged face scanners (Apple's FaceID and its analogues on Android devices).

The main recommendation is not to look at the camera, just look away. Even closing one eye greatly reduces the chance of unlocking, as does having hands on the face. In addition, only 5 attempts are given for face unlock (FaceID), after which a passcode must be entered.

Method 12: Using Leaks

Leaked password databases are a great way to understand the psychology of the device owner (assuming the researcher knows the owner's email addresses). In the example screenshot, a search for an email address returned two similar passwords used by the owner. It can be assumed that the password 21454162 or its derivatives (for example, 2145 or 4162) may have been used as the mobile device's lock code. (Searching leak databases for the owner's email address reveals what passwords the owner might have used, including for locking his mobile device.)

Protection recommendation: act proactively, track data about leaks, and promptly change passwords that have appeared in them!

Method 13: Generic device lock passwords

As a rule, not one but several mobile devices are seized from an owner; often there are dozens of them. In this case, you can find the password for a vulnerable device and try it on the other smartphones and tablets seized from the same owner.

When analyzing data extracted from mobile devices, the lock code is displayed by forensic programs (often even when data is extracted from locked devices through various vulnerabilities). As can be seen in the screenshot of part of the working window of the UFED Physical Analyzer program, the device is locked with a rather unusual PIN code, fgkl.

Do not neglect the user's other devices. For example, by analyzing the passwords stored in the web browser on the computer of the mobile device's owner, one can understand the password generation principles the owner adhered to. Saved passwords on a computer can be viewed with the NirSoft utilities [11].

Also, on the computer (laptop) of the mobile device's owner, there may be lockdown files that can help to gain access to a locked Apple mobile device. This method will be discussed later.

Protection recommendation: use different, unique passwords everywhere.

Method 14: Generic PINs

As noted earlier, users often use typical values as passwords: phone numbers, bank card numbers, PIN codes. Such information can be used to unlock the device under examination.

If all else fails, the following data can be used: researchers analyzed and found the most popular PIN codes (the PIN codes listed cover 26.83% of all passwords) [12]:

  PIN    Frequency, %
  1234   10.713
  1111    6.016
  0000    1.881
  1212    1.197
  7777    0.745
  1004    0.616
  2000    0.613
  4444    0.526
  2222    0.516
  6969    0.512
  9999    0.451
  3333    0.419
  5555    0.395
  6666    0.391
  1122    0.366
  1313    0.304
  8888    0.303
  4321    0.293
  2001    0.290
  1010    0.285

Applying this list of PIN codes to a locked device unlocks it with a probability of about 26%.

Protection recommendation: check your PIN against the table above, and even if it is not there, change it anyway, because 4 digits is too short by the standards of 2020.

Method 15: Typical picture passwords

As described above, with footage from surveillance cameras in which the device owner unlocks it, an unlock pattern can be found in five attempts. In addition, just as there are generic PIN codes, there are generic patterns that can be used to unlock locked mobile devices [13, 14].

Examples of simple, medium-complexity and complex patterns are shown in [14].

List of the most popular pattern-lock sequences according to researcher Jeremy Kirby [15]:
3>2>5>8>7
1>4>5>6>9
1>4>7>8>9
3>2>1>4>5>6>9>8>7
1>4>7>8>9>6>3
1>2>3>5>7>8>9
3>5>6>8
1>5>4>2
2>6>5>3
4>8>7>5
5>9>8>6
7>4>1>2>3>5>9
1>4>7>5>3>6>9
1>2>3>5>7
3>2>1>4>7>8>9
3>2>1>4>7>8>9>6>5
3>2>1>5>9>8>7
1>4>7>5>9>6>3
7>4>1>5>9>6>3
3>6>9>5>1>4>7
7>4>1>5>3>6>9
5>6>3>2>1>4>7>8>9
5>8>9>6>3>2>1>4>7
7>4>1>2>3>6>9
1>4>8>6>3
1>5>4>6
2>4>1>5
7>4>1>2>3>6>5

On some mobile devices, in addition to the graphic code, an additional PIN code may be set. In this case, if the graphic code cannot be found, the researcher can press the Additional PIN code (secondary PIN) button after entering an incorrect pattern and try to find the additional PIN.

Protection recommendation: It's better not to use graphic keys at all.
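As an added example (not part of the original article or its sources), the following Python self-check applies the Android pattern rules to a pattern written in the notation of the list above, assuming the usual numbering of the nine dots from 1 to 9, row by row from the top left: a segment that passes over an unused dot also visits it, no dot may be reused, and at least four dots are required. It reports the pattern's length, turns and overlaps, and whether it matches one of the popular patterns above, including rotated or mirrored copies.

```python
"""Self-check for Android 3x3 pattern locks. Added example, not from the article.
Dots are numbered 1-9 row by row, in the page's "3>2>5>8>7" notation (assumed).
Rules applied: a straight segment passing over an unused dot visits that dot
("1>3" is stored as 1,2,3), a dot may be used only once, at least four dots.
"""
from math import gcd

POPULAR = [  # the 28 patterns from the list on this page
    "3>2>5>8>7", "1>4>5>6>9", "1>4>7>8>9", "3>2>1>4>5>6>9>8>7", "1>4>7>8>9>6>3",
    "1>2>3>5>7>8>9", "3>5>6>8", "1>5>4>2", "2>6>5>3", "4>8>7>5", "5>9>8>6",
    "7>4>1>2>3>5>9", "1>4>7>5>3>6>9", "1>2>3>5>7", "3>2>1>4>7>8>9",
    "3>2>1>4>7>8>9>6>5", "3>2>1>5>9>8>7", "1>4>7>5>9>6>3", "7>4>1>5>9>6>3",
    "3>6>9>5>1>4>7", "7>4>1>5>3>6>9", "5>6>3>2>1>4>7>8>9", "5>8>9>6>3>2>1>4>7",
    "7>4>1>2>3>6>9", "1>4>8>6>3", "1>5>4>6", "2>4>1>5", "7>4>1>2>3>6>5",
]

def parse(text):
    """'3> 5> 6> 8' -> [3, 5, 6, 8]; spaces tolerated as in the page's list."""
    return [int(t) for t in text.replace(" ", "").split(">")]

def rc(n):
    return divmod(n - 1, 3)  # dot number -> (row, col) on the grid

def between(a, b):
    """Dot lying exactly halfway between a and b on a straight line, or None."""
    (r1, c1), (r2, c2) = rc(a), rc(b)
    if a != b and (r1 + r2) % 2 == 0 and (c1 + c2) % 2 == 0:
        return (r1 + r2) // 2 * 3 + (c1 + c2) // 2 + 1
    return None

def expand(seq):
    """Insert the dots the lock screen adds when a segment crosses an unused dot."""
    out = []
    for n in seq:
        mid = between(out[-1], n) if out else None
        if mid is not None and mid not in out:
            out.append(mid)
        out.append(n)
    return out

def transforms():
    """The 8 rotations and reflections of the grid, as dot -> dot dicts."""
    maps = []
    for flip in (False, True):
        for rot in range(4):
            m = {}
            for n in range(1, 10):
                r, c = rc(n)
                if flip:
                    c = 2 - c
                for _ in range(rot):  # rotate 90 degrees clockwise
                    r, c = c, 2 - r
                m[n] = r * 3 + c + 1
            maps.append(m)
    return maps

def canonical(full):
    """Smallest image of an expanded pattern under the grid symmetries."""
    return min(tuple(m[n] for n in full) for m in transforms())

POPULAR_CANON = {canonical(expand(parse(p))) for p in POPULAR}

def features(full):
    """Length, number of direction changes, and segments crossing a used dot."""
    dirs = []
    for a, b in zip(full, full[1:]):
        (r1, c1), (r2, c2) = rc(a), rc(b)
        g = gcd(abs(r2 - r1), abs(c2 - c1))
        dirs.append(((r2 - r1) // g, (c2 - c1) // g))
    return {"length": len(full),
            "turns": sum(d1 != d2 for d1, d2 in zip(dirs, dirs[1:])),
            "overlaps": sum(between(a, b) is not None for a, b in zip(full, full[1:]))}

def check_pattern(text):
    """Validate a pattern in '1>2>3>...' notation and report on it."""
    seq = parse(text)
    full = expand(seq) if all(1 <= n <= 9 for n in seq) else []
    if len(full) < 4 or len(set(full)) != len(full):
        return {"valid": False}
    return {"valid": True, "popular": canonical(full) in POPULAR_CANON, **features(full)}
```

For instance, "1>2>5>8>9" is reported as popular because it is the mirror image of the first pattern in the list, and "1>3>2" is rejected because the lock screen would record "1>3" as passing through dot 2, which is then reused.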

Method 16: Alphanumeric Passwords

If an alphanumeric password can be used on the device, the owner may have used one of the following popular passwords as a lock code [16]:

  • 123456
  • password
  • 123456789
  • 12345678
  • 12345
  • 111111
  • 1234567
  • sunshine
  • qwerty
  • iloveyou
  • princess
  • admin
  • welcome
  • 666666
  • abc123
  • football
  • 123123
  • monkey
  • 654321
  • !@#$%^&*
  • charlie
  • aa123456
  • donald
  • password1
  • qwerty123

Protection recommendation: use only complex, unique passwords with special characters and mixed case. Check whether you are using one of the passwords above; if you are, change it to a stronger one.

Method 17: cloud or local storage

If it is not technically possible to extract data from a locked device, forensic examiners can look for its backup copies on the computers of the device owner or in the corresponding cloud storage.

Often, the owners of Apple smartphones do not realize that when they connect them to their computers, a local or cloud backup copy of the device may be created.

Google and Apple cloud storage can hold not only data from devices but also passwords saved by the device. Extracting these passwords can help in guessing the mobile device's lock code.

From the Keychain stored in iCloud, you can extract the device backup password set by the owner, which will most likely match the screen lock PIN.

If law enforcement turns to Google and Apple, the companies can hand over the data they hold, which is likely to greatly reduce the need to unlock the device, since law enforcement will already have the data.

For example, after the terrorist attack in Pensacola, copies of the data stored in iCloud were handed over to the FBI. From Apple's statement:

“Within hours of the FBI's first request, on December 6, 2019, we provided a wide range of information related to the investigation. From December 7 to December 14, we received six additional legal requests and provided information in response, including iCloud backups, account information, and transactions for multiple accounts.

We responded to every request promptly, often within hours, exchanging information with the FBI offices in Jacksonville, Pensacola, and New York. At the request of the investigation, many gigabytes of information were obtained, which we handed over to the investigators.” [17, 18, 19]

Protection recommendation: anything you send unencrypted to the cloud can and will be used against you.

Method 18: Google account

This method is suitable for removing a graphic password that locks the screen of a mobile device running the Android operating system. To use it, you need to know the username and password of the device owner's Google account. The second condition: the device must be connected to the Internet.

If you enter the wrong pattern several times in a row, the device will offer to reset the password. After that, you need to log in to the user's account, which will unlock the device screen [5].

Due to the variety of hardware solutions, Android versions, and additional security settings, this method is applicable only to a number of devices.

If the researcher does not have the password for the Google account of the device owner, they can try to recover it using the standard account password recovery methods.

If the device is not connected to the Internet at the time of the examination (for example, the SIM card is blocked or has no funds), the device can be connected to Wi-Fi as follows:

  • press the "Emergency call" icon
  • dial *#*#7378423#*#*
  • select Service Test - Wlan
  • connect to an available Wi-Fi network [5]

Protection recommendation: do not forget to use two-factor authentication wherever possible, and in this case it is better to link it to an authenticator application rather than to a code via SMS.

Method 19: guest account

Mobile devices running Android 5 and above can have multiple accounts. An additional account may not be protected by a PIN or pattern. To switch, tap the account icon in the upper right corner and select another account. For an additional account, access to some data or applications may be restricted.

Protection recommendation: it is important to update the OS. In modern versions of Android (9 and up, with the July 2020 security patches), the guest account usually gives no such possibility.

Method 20: specialized services

Companies developing specialized forensic software, among other things, offer services for unlocking mobile devices and extracting data from them [20, 21]. The capabilities of such services are simply fantastic: they can unlock top models of Android and iOS devices, as well as devices that are in recovery mode (which the device enters after the number of incorrect password entry attempts is exceeded). The disadvantage of this method is the high cost.

A page on Cellebrite's website describes which devices they can retrieve data from. The device is unlocked in the developer's laboratory (Cellebrite Advanced Service, CAS) [20]. For such a service, the device must be delivered to the regional (or head) office of the company; an expert can also travel to the customer. As a rule, cracking the screen lock code takes one day.

Protection recommendation: it is almost impossible to protect yourself, other than by using a strong alphanumeric password and changing devices every year.

PS Group-IB Laboratory experts discuss these cases, tools, and many other useful aspects of a computer forensic specialist's work in the Digital Forensics Analyst training course. After completing the 5-day or extended 7-day course, graduates will be able to conduct forensic examinations more effectively and prevent cyber incidents in their organizations.

PPS The Group-IB Telegram channel covers information security, hackers, APTs, cyber attacks, scammers and pirates: step-by-step investigations, practical cases using Group-IB technologies, and recommendations on how not to become a victim. Join!

Sources

  1. The FBI found a hacker who is ready to hack the iPhone without the help of Apple
  2. Guixin Ye, Zhanyong Tang, Dingyi Fang, Xiaojiang Chen, Kwang Kim, Ben Taylor, Zheng Wang. Cracking Android Pattern Lock in Five Attempts
  3. Samsung Galaxy S10 fingerprint sensor tricked with 3D printed fingerprint
  4. Dominic Casciani, Gaetan Portal. Phone encryption: Police 'mug' suspect to get data
  5. How to unlock your phone: 5 ways that work
  6. Durov called the reason for hacking smartphone Jeff Bezos vulnerability in WhatsApp
  7. Sensors and detectors of modern mobile devices
  8. Gezichtsherkenning op smartphone niet altijd veilig
  9. TrueDepth in iPhone X - what it is, how it works
  10. Face ID on iPhone X spoofed with 3D printed mask
  11. NirLauncher Package
  12. Anatoly Alizar. Popular and Rare PINs: Statistical Analysis
  13. Maria Nefedova. Patterns are as predictable as passwords "1234567" and "password"
  14. Anton Makarov. Bypass pattern password on Android devices www.anti-malware.ru/analytics/Threats_Analysis/bypass-picture-password-Android-devices
  15. Jeremy Kirby. Unlock mobile devices using these popular codes
  16. Andrey Smirnov. 25 most popular passwords in 2019
  17. Maria Nefedova. The conflict between the US authorities and Apple over the hacking of the criminal's iPhone is aggravated
  18. Apple responds to AG Barr over unlocking Pensacola shooter's phone: "No."
  19. Law Enforcement Support Program
  20. Cellebrite Supported Devices (CAS)

Source: habr.com
