Mutt
In their work, computer forensic experts regularly encounter cases where a smartphone has to be unlocked quickly. For example, an investigation needs the data from a phone in order to understand the reasons for a teenager's suicide. In another case, the data will help to get on the trail of a criminal group attacking truck drivers. There are, of course, cute stories too - parents forgot the password for a gadget that holds a video of their baby's first steps - but, unfortunately, there are only a few of them, and they also require a professional approach. In this article, Igor Mikhailov, a specialist at the Group-IB Computer Forensics Laboratory, talks about ways that forensic experts can bypass a smartphone lock.
The most common way to restrict access to the user information on a mobile device is to lock its screen. When such a device arrives at the forensic laboratory, it can be difficult to work with: USB debugging mode cannot be activated (on Android devices), the expert's computer cannot be confirmed as trusted to interact with the device (on Apple mobile devices), and as a result the data in the device's memory cannot be accessed.
The fact that the US FBI paid a large sum to unlock the iPhone of terrorist Syed Farook, one of the participants in the terrorist attack in San Bernardino, California, shows how much an ordinary screen lock on a mobile device prevents specialists from extracting data from it.
Mobile device screen unlock methods
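Typically, the following is used to lock the screen of a mobile device:
- Symbolic password
- Picture password
Also, to unlock the screen of a number of mobile devices, methods of SmartBlock technology can be used:
- Fingerprint unlock
- Face unlock (FaceID technology)
- Iris recognition unlock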
Social methods of unlocking a mobile device
In addition to purely technical methods, there are other ways to find out or bypass the PIN code or the graphic code (pattern) of the screen lock. In some cases, social methods can be more effective than technical solutions and can help unlock devices that existing technical developments cannot handle.
This section will describe methods for unlocking the screen of a mobile device that do not require (or require only limited, partial) use of technical means.
To carry out social attacks, it is necessary to study the psychology of the owner of the locked device as deeply as possible, to understand by what principles he generates and saves passwords or graphic patterns. Also, the researcher will need a drop of luck.
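When using methods related to password guessing, it should be borne in mind that:
- entering ten incorrect passwords on Apple mobile devices may erase user data, depending on the security settings that the user has set;
- on mobile devices running the Android operating system, the Root of Trust technology can be used, which means that after 30 incorrect passwords are entered, user data will be either inaccessible or erased.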
Method 1: ask for a password
It may seem strange, but you can find out the unlock password by simply asking the owner of the device. Statistics show that about 70% of mobile device owners willingly provide a password, especially if it shortens the examination time and, accordingly, the owner gets his device back faster. If it is not possible to ask the owner for the password (for example, the owner of the device has died) or he refuses to disclose it, the password can be obtained from his close relatives. As a rule, relatives know the password or can suggest possible options.
Protection recommendation: Your phone password is a universal key to all of your data, including payment data. Saying it aloud, passing it on or writing it in messengers is a bad idea.
Method 2: peep the password
The password can be observed while the owner is using the device. Even if you remember the password (symbolic or graphic) only partially, this significantly reduces the number of possible options, which allows you to find it faster.
A variation of this method is the use of CCTV recordings, on which the owner is captured, unlocking the device using a picture password. The algorithm described in Cracking Android Pattern Lock in Five Attempts, by analyzing video recordings, makes it possible to suggest options for a picture password and unlock the device in several attempts (as a rule, this requires no more than five attempts). According to the authors, "the more complex a picture password, the easier it is to guess."
Security tip: Using a pattern is not a good idea. An alphanumeric password is very difficult to observe.
Method 3: find the password
The password can be found in the records of the device owner (files on the computer, in the diary, on pieces of paper lying among documents). If a person uses several different mobile devices and they have different passwords, then sometimes in the battery compartment of these devices or in the space between the body of the smartphone and the case, you can find scraps of paper with the passwords written down.
Security recommendation: do not keep a "notepad" with passwords. This is a bad idea, unless all of these passwords are deliberately false, so that trying them uses up the available unlock attempts.
Method 4: fingerprints (Smudge attack)
This method relies on the sweat and grease marks that hands leave on the display of the device. You can see them by treating the device screen with a light fingerprint powder (instead of a special forensic powder, you can use baby powder or another chemically inactive fine powder of white or light gray color) or by looking at the device screen in oblique rays of light. By analyzing the position of the marks and having additional information about the owner of the device (for example, knowing his year of birth), you can try to guess a text or graphic password. For example, the greasy trace on a smartphone display can look like a stylized letter Z.
Security recommendation: As we said, a picture password is not a good idea, and neither is screen glass with a poor oleophobic coating.
Method 5: artificial finger
If the device can be unlocked by a fingerprint, and the researcher has samples of the owner's handprints, then a three-dimensional copy of the owner's fingerprint can be made on a 3D printer and used to unlock the device.
For a more complete imitation of the finger of a living person - for example, when the smartphone's fingerprint sensor still detects heat - the 3D model is put on (leaning against) the finger of a living person.
The owner of the device, even having forgotten the screen lock password, can unlock the device himself using his fingerprint. This can be used in certain cases where the owner cannot provide a password, but is nevertheless willing to help the researcher unlock his device.
The researcher should be aware of the generations of sensors used in various models of mobile devices. Older models of sensors can be triggered by almost any finger, not necessarily belonging to the owner of the device. On the other hand, modern ultrasonic sensors scan very deeply and clearly. In addition, a number of modern sub-screen sensors are simply CMOS cameras that cannot scan image depth, which makes them much easier to deceive.
Protection recommendation: If you use a fingerprint, then only with an ultrasonic sensor. But do not forget that it is much easier to have your finger applied against your will than your face.
Method 6: "dash" (Mug attack)
This method is described by the British police. It consists in covert surveillance of the suspect. At the moment when the suspect unlocks his phone, the agent in civilian clothes pulls it out of the owner's hands and does not allow the device to lock again until it is handed over to the experts.
Defense recommendation: I think that if such measures are going to be taken against you, things are bad. But here you need to understand that an accidental lock defeats this method. For example, repeatedly pressing the lock button on an iPhone launches SOS mode, which in addition turns off FaceID and requires the passcode.
Method 7: errors in device control algorithms
In the news feeds of specialist resources, you can often find reports that performing certain actions with a device unlocks its screen. For example, the lock screen of some devices can be unlocked on an incoming call. The disadvantage of this method is that the identified vulnerabilities, as a rule, are promptly eliminated by manufacturers.
An example of an approach to unlocking mobile devices released earlier than 2016 is battery drain. When the battery is low, the device will unlock and prompt you to change your power settings. In this case, you need to quickly go to the page with security settings and disable the screen lock.
Protection recommendation: do not forget to update the OS of your device in good time, and if it is no longer supported, replace your smartphone.
Method 8: vulnerabilities in third-party programs
Vulnerabilities identified in third-party applications installed on the device can also provide access to the data of the locked device in whole or in part.
An example of such a vulnerability is the theft of data from the iPhone of Jeff Bezos, the main owner of Amazon. A vulnerability in the WhatsApp messenger, exploited by unknown persons, led to the theft of confidential data from the device's memory.
Researchers can use such vulnerabilities to achieve their goals - to extract data from locked devices or to unlock them.
Security recommendation: You need to update not only the OS, but also the application programs that you use.
Method 9: corporate phone
Corporate mobile devices can be unlocked by company sysadmins. For example, corporate Windows Phone devices are linked to a company's Microsoft Exchange account and can be unlocked by its administrators. For corporate Apple devices, there is a Mobile Device Management service similar to Microsoft Exchange. Its administrators can also unlock the corporate iOS device. In addition, corporate mobile devices can only be connected to specific computers specified by the administrator in the mobile device settings. Therefore, without interacting with the company's system administrators, such a device cannot be connected to the researcher's computer (or software and hardware complex for forensic data extraction).
Security recommendation: MDM is both good and bad in terms of security. The MDM administrator can always reset the device remotely. In any case, you shouldn't store sensitive personal data on a corporate device.
Method 10: information from sensors
By analyzing the information received from the sensors of the device, you can guess the password for the device using a special algorithm. Adam J. Aviv demonstrated the possibility of such attacks using data obtained from a smartphone's accelerometer. In the course of research, the scientist was able to correctly determine the symbolic password in 43% of cases, and the graphic password in 73%.
Security recommendation: Pay close attention to which applications you grant permission to track different sensors.
Method 11: face unlock
As in the case of a fingerprint, the success of unlocking a device using FaceID technology depends on which sensors and which mathematical apparatus are used in a particular mobile device. Thus, in the work "Gezichtsherkenning op smartphone niet altijd veilig", the researchers showed that some of the smartphones under study were unlocked by simply showing the owner's photo to the smartphone's camera. This is possible when only one front camera is used for unlocking, which does not have the ability to scan the image depth data. After a series of high-profile publications and videos on YouTube, Samsung was forced to add a warning about face unlock to the firmware of its smartphones.
More advanced smartphone models can be unlocked using a mask or the device's self-learning. For example, the iPhone X uses a special TrueDepth technology: the device's projector, using two cameras and an infrared emitter, projects a grid of more than 30,000 points onto the owner's face. Such a device can be unlocked using a mask, the contours of which mimic the contours of the owner's face [10].
Since such a system is very complex and does not operate under ideal conditions (the owner ages naturally, and the configuration of the face changes with the expression of emotions, fatigue, health, etc.), it is forced to constantly self-learn. Therefore, if another person holds the unlocked device in front of him, his face will be remembered as the face of the owner of the device and in the future he will be able to unlock the smartphone using FaceID technology.
Protection recommendation: do not use unlocking by "photo" - only systems with full-fledged face scanners (Apple's FaceID and analogues on Android devices).
The main recommendation is not to look at the camera, just look away. Even if you close one eye, the chance to unlock drops dramatically, as with hands on your face. In addition, to unlock by face (FaceID), only 5 attempts are given, after which you will need to enter a password.
Method 12: using leaks
Databases of leaked passwords are a great way to understand the psychology of the owner of the device (provided that the researcher has information about the email addresses of the owner of the device). In the example above, a search for an email address returned two similar passwords that the owner used. It can be assumed that the password 21454162 or its derivatives (for example, 2145 or 4162) could be used as a mobile device lock code. (A search by the owner's email address in the leak databases shows what passwords the owner could have used, including to block his mobile device).
Protection recommendation: act proactively, track data on leaks and change passwords noticed in leaks in a timely manner!
Method 13: typical passwords to lock devices
As a rule, not one mobile device is confiscated from the owner, but several. Often there are about a dozen such devices. In this case, you can guess the password for the vulnerable device and try to apply it to other smartphones and tablets seized from the same owner.
When analyzing data extracted from mobile devices, such data is displayed in forensic programs (often - even when extracting data from blocked devices using various types of vulnerabilities).
As you can see in the screenshot of a part of the working window of the UFED Physical Analyzer program, the device is locked with a rather unusual PIN-code fgkl.
Do not neglect other user devices. For example, by analyzing the passwords stored in the cache of the web browser of the computer of the owner of the mobile device, one can understand the principles of password generation, which the owner adhered to. You can view the saved passwords on your computer using a utility from NirSoft.
Also, the computer (laptop) of the owner of the mobile device may have Lockdown files that can help to gain access to the locked Apple mobile device. This method will be discussed later.
Security recommendation: use different, unique passwords everywhere.
Method 14: typical PIN codes
As noted earlier, users often use typical passwords: phone numbers, bank cards, PIN codes. This information can be used to unlock the provided device.
If all else fails, you can use the following information: researchers conducted an analysis and found the most popular PIN codes (the given PIN codes cover 26.83% of all passwords):
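| PIN | Frequency, % |
|------|--------|
| 1234 | 10.713 |
| 1111 | 6.016 |
| 0000 | 1.881 |
| 1212 | 1.197 |
| 7777 | 0.745 |
| 1004 | 0.616 |
| 2000 | 0.613 |
| 4444 | 0.526 |
| 2222 | 0.516 |
| 6969 | 0.512 |
| 9999 | 0.451 |
| 3333 | 0.419 |
| 5555 | 0.395 |
| 6666 | 0.391 |
| 1122 | 0.366 |
| 1313 | 0.304 |
| 8888 | 0.303 |
| 4321 | 0.293 |
| 2001 | 0.290 |
| 1010 | 0… |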
Application of this list of PIN-codes to a blocked device will allow it to be unblocked with a probability of ~ 26%.
Security recommendation: check your PIN against the table above and, even if it doesn't match, change it anyway, because 4 digits is too short for 2020.
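The check recommended in Methods 12 and 14, as an added example that is not part of the original article: a PIN audit that flags entries from the table above, digit runs taken from leaked passwords and personal numbers, and shows how much of the table fits inside the ten-attempt limit mentioned earlier. The function names, the 6-digit minimum and the sample inputs are assumptions.

```python
# Added example: PIN policy check built from the article's own data.
# Function names and the min_length default are assumptions.

# PIN -> share of all PINs in %, copied from the article's table.
# The figure for 1010 is cut off on the page, so it is stored as None.
COMMON_PINS = {
    "1234": 10.713, "1111": 6.016, "0000": 1.881, "1212": 1.197,
    "7777": 0.745, "1004": 0.616, "2000": 0.613, "4444": 0.526,
    "2222": 0.516, "6969": 0.512, "9999": 0.451, "3333": 0.419,
    "5555": 0.395, "6666": 0.391, "1122": 0.366, "1313": 0.304,
    "8888": 0.303, "4321": 0.293, "2001": 0.290, "1010": None,
}


def coverage_within(attempts):
    """Percent of PINs that fall inside the `attempts` most popular entries."""
    known = sorted((v for v in COMMON_PINS.values() if v is not None),
                   reverse=True)
    return round(sum(known[:attempts]), 3)


def digit_runs(text, length):
    """Every run of `length` consecutive digits found inside `text`."""
    return {text[i:i + length]
            for i in range(len(text) - length + 1)
            if text[i:i + length].isdigit()}


def is_sequence(pin):
    """True for straight runs such as 1234 or 4321."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def audit_pin(pin, leaked_passwords=(), personal_numbers=(), min_length=6):
    """Return the list of reasons a PIN should be rejected (empty = accepted).

    leaked_passwords: passwords of the same user seen in leak databases.
    personal_numbers: phone numbers, card numbers, birth years and the like.
    """
    if not (pin.isascii() and pin.isdigit()):
        raise ValueError("PIN must contain digits only")
    findings = []
    if len(pin) < min_length:
        findings.append("too_short")
    if pin in COMMON_PINS:
        findings.append("common_pin")
    if len(set(pin)) == 1:
        findings.append("repeated_digit")
    if is_sequence(pin):
        findings.append("sequence")
    # Method 12: a PIN cut out of a leaked password (2145 from 21454162).
    if any(pin in digit_runs(pw, len(pin)) for pw in leaked_passwords):
        findings.append("leaked_derivative")
    # Method 14: a PIN taken from, or containing, a personal number.
    for number in personal_numbers:
        digits = "".join(ch for ch in number if ch.isdigit())
        if len(digits) >= 4 and (pin in digits or digits in pin):
            findings.append("personal_number")
            break
    return findings


if __name__ == "__main__":
    # Share of the table that fits inside a ten-attempt erase limit.
    print("top 10 PINs cover", coverage_within(10), "% of users")
    leaked = ["21454162"]                   # leaked password quoted in the article
    personal = ["1987", "+1 555 010 0199"]  # constructed sample values
    for candidate in ("1234", "2145", "198712", "839471"):
        print(candidate, audit_pin(candidate, leaked, personal) or "accepted")
```
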
Method 15: typical graphic passwords
As described above, having data from CCTV cameras on which the owner of the device tries to unlock it, you can choose an unlock pattern from five attempts. In addition, just as there are typical PIN codes, there are also typical patterns that can be used to unlock blocked mobile devices.
Simple patterns:
Patterns of medium difficulty:
Complex patterns:
List of the most popular graphic patterns according to researcher Jeremy Kirby.
On some mobile devices, in addition to the picture code, an additional PIN code may be set. In this case, if it is not possible to find the graphic code, the researcher can click on the Additional PIN-code button after entering an incorrect graphic code and try to find the additional PIN code.
Security recommendation: it is better not to use graphic keys at all.
Method 16: alphanumeric passwords
If the device can use an alphanumeric password, then the owner could use the following popular passwords as the lock code [16]:
Method 17: cloud or local storage
If it is not technically possible to extract data from a locked device, forensic experts can search for its backups on the computers of the device owner or in the appropriate cloud storage.
Often, owners of Apple smartphones, connecting them to their computers, do not realize that at this time a local or cloud backup of the device can be created.
Google and Apple cloud storage can store not only data from devices, but also passwords saved by the device. Extracting these passwords can help in guessing the mobile device lock code.
From the Keychain stored in iCloud, you can extract the owner-set password for the device backup, which is highly likely to match the screen lock PIN.
If law enforcement agencies contact Google and Apple, companies can transfer the available data, which will likely greatly reduce the need to unlock the device, since the data will already be in the hands of law enforcement officers.
For example, after the terrorist attack in Pensacola, copies of data stored in iCloud were transferred to the FBI. From Apple's statement:
Method 18: Google account
This method is suitable for removing the picture password that locks the screen of a mobile device running the Android operating system. To use this method, you need to know the username and password from the Google account of the device owner. Second condition: the device must be connected to the Internet.
If you enter an incorrect picture password several times in a row, the device will prompt you to recover the password. After that, you need to log into the user account, which will unlock the device screen.
Due to the variety of hardware solutions, Android operating systems and additional security settings, this method is only applicable to a number of devices.
If the researcher does not have a password to the device owner's Google account, he can try to recover it using standard methods for recovering passwords from such accounts.
If the device is not connected to the Internet at the time of the study (for example, the SIM card is blocked or there is not enough money on it), then such a device can be connected to Wi-Fi using the following instructions:
Method 19: guest account
On mobile devices running Android 5 and higher, there can be multiple accounts. To access the data of the additional account, there may be no lock with a PIN code or a graphic code. To switch, you need to click on the account icon in the upper right corner and select another account.
For an additional account, access to some data or applications may be restricted.
Protection recommendation: it is important to update the OS here. On modern versions of Android (9 and up with the July 2020 security patches), the Guest account generally does not provide any options.
Method 20: specialized services
Companies that develop specialized forensic programs also offer services for unlocking mobile devices and extracting data from them. The capabilities of these services are fantastic. Using them, you can unlock top models of Android and iOS devices, as well as devices that are in recovery mode (which the device switches to after the number of attempts to enter the wrong password is exceeded). The disadvantage of this method is its high cost.
A snippet of Cellebrite's website describing what devices they can retrieve data from. The device can be unlocked in the development laboratory (Cellebrite Advanced Service (CAS)):
For such a service, the device must be provided to the regional (or head) office of the company. A specialist can also travel to the customer. As a rule, it takes one day to crack the screen lock code.
Security recommendation: It is almost impossible to protect yourself, other than using a strong alphanumeric password and changing devices annually.
Thank you for your attention!
So the most common method of restricting access to user information contained in the device is to lock the screen of a mobile device. When such a device enters the forensic laboratory, it can be difficult to work with it, since it is impossible to activate USB debugging mode for such a device (for Android devices), it is impossible to confirm permission for the expert's computer to interact with this device (for Apple mobile devices), and as a result, it is impossible to access the data in the device's memory.
The fact that the US FBI paid a large sum for unlocking the iPhone of terrorist Syed Farouk, one of the participants in the terrorist attack in San Bernardino, California, shows how the usual locking of the screen of a mobile device prevents specialists from extracting data from it.
Mobile device screen unlock methods
Typically, the following is used to lock the screen of a mobile device:
- Symbolic password
- Picture password
Also, to unlock the screen of a number of mobile devices, methods of SmartBlock technology can be used:
- Fingerprint unlock
- Face unlock (FaceID technology)
- Unlocking the iris recognition device
Social methods of unlocking a mobile device
In addition to purely technical ones, there are other ways to find out or overcome the PIN-code, or the graphic code (pattern) of the screen lock. In some cases, social methods can be more effective than technical solutions and can help unlock devices that are lagged behind by existing technical developments.
This section will describe methods for unlocking the screen of a mobile device that do not require (or require only limited, partial) use of technical means.
To carry out social attacks, it is necessary to study the psychology of the owner of the locked device as deeply as possible, to understand by what principles he generates and saves passwords or graphic patterns. Also, the researcher will need a drop of luck.
When using methods related to password guessing, it should be borne in mind that:
- Entering ten incorrect passwords on Apple mobile devices may erase user data. It depends on the security settings that the user has set;
- on mobile devices running the Android operating system, the Root of Trust technology can be used, which will lead to the fact that after entering 30 incorrect passwords, user data will be either inaccessible or erased.
Method 1: ask for a password
It may seem strange, but you can find out the unlock password by simply asking the owner of the device. Statistics show that about 70% of mobile device owners willingly provide a password. Especially if it shortens the research time and, accordingly, the owner gets his device back faster. If it is not possible to ask the owner for the password (for example, the owner of the device has died) or he refuses to disclose it, the password can be obtained from his close relatives. As a rule, relatives know the password or can suggest possible options.
Protection recommendation: Your phone password is a universal key for all data, including payment. Talking, transmitting, writing it in messengers is a bad idea.
Method 2: peep the password
The password can be peeped at the moment the owner uses the device. Even if you remember the password (symbolic or graphic) only partially, this will significantly reduce the number of possible options, which will allow you to find it faster.
A variation of this method is the use of CCTV recordings, on which the owner is captured, unlocking the device using a picture password. The algorithm described in Cracking Android Pattern Lock in Five Attempts, by analyzing video recordings, makes it possible to suggest options for a picture password and unlock the device in several attempts (as a rule, this requires no more than five attempts). According to the authors, "the more complex a picture password, the easier it is to guess."
Security tip: Using a pattern is not a good idea. The alphanumeric password is very difficult to peep.
Method 3: find the password
The password can be found in the records of the device owner (files on the computer, in the diary, on pieces of paper lying in documents). If a person uses several different mobile devices and they have different passwords, then sometimes in the battery compartment of these devices or in the space between the body of the smartphone and the case, you can find scraps of paper with the passwords written down:

Security recommendation: do not keep a "notepad" with passwords. This is a bad idea, unless all of these passwords are known to be false to reduce the number of unlock attempts.
Method 4: fingerprints (Smudge attack)
This method allows you to identify sweat marks of hands on the display of the device. You can see them by treating the device screen with a light fingerprint powder (instead of a special forensic powder, you can use baby powder or another chemically inactive fine powder of white or light gray color) or by looking at the device screen in oblique rays of light. Analyzing the position of handprints and having additional information about the owner of the device (for example, knowing his year of birth), you can try to guess a text or graphic password. This is how the fat layer on a smartphone display looks like a stylized letter Z:

Security recommendation: As we said, a picture password is not a good idea, as are glasses with a poor oleophobic coating.
Method 5: artificial finger
If the device can be unlocked by a fingerprint, and the researcher has samples of the owner's handprints, then a three-dimensional copy of the owner's fingerprint can be made on a 3D printer and used to unlock the device:

For a more complete imitation of the finger of a living person - for example, when the smartphone's fingerprint sensor still detects heat - the 3D model is put on (leaning against) the finger of a living person.
The owner of the device, even having forgotten the screen lock password, can unlock the device himself using his fingerprint. This can be used in certain cases where the owner cannot provide a password, but is nevertheless willing to help the researcher unlock his device.
The researcher should be aware of the generations of sensors used in various models of mobile devices. Older models of sensors can be triggered by almost any finger, not necessarily belonging to the owner of the device. On the other hand, modern ultrasonic sensors scan very deeply and clearly. In addition, a number of modern sub-screen sensors are simply CMOS cameras that cannot scan image depth, which makes them much easier to deceive.
Protection recommendation: If a finger, then only an ultrasonic sensor. But do not forget that it is much easier to put your finger against your will than your face.
Method 6: "dash" (Mug attack)
This method is described by the British police. It consists in covert surveillance of the suspect. At the moment when the suspect unlocks his phone, the agent in civilian clothes pulls it out of the owner's hands and does not allow the device to lock again until it is handed over to the experts.
Defense Recommendation: I think if they are going to take such measures against you, then it is bad. But here you need to understand that accidental blocking devalues this method. And, for example, repeatedly pressing the lock button on the iPhone launches SOS mode, which in addition turns off FaceID and turns on the requirement for a passcode.
Method 7: errors in device control algorithms
In the news feeds of profile resources, you can often find messages that when certain actions are performed with the device, its screen is unlocked. For example, the lock screen of some devices can be unlocked on an incoming call. The disadvantage of this method is that the identified vulnerabilities, as a rule, are promptly eliminated by manufacturers.
An example of an approach to unlocking mobile devices released earlier than 2016 is battery drain. When the battery is low, the device will unlock and prompt you to change your power settings. In this case, you need to quickly go to the page with security settings and disable the screen lock.
Protection recommendation: do not forget to timely update the OS of your device, and if it is no longer supported, change your smartphone.
Method 8: vulnerabilities in third-party programs
Vulnerabilities identified in third-party applications installed on the device can also provide access to the data of the locked device in whole or in part.
An example of such a vulnerability is iPhone data theft by Jeff Bezos, the main owner of Amazon. A vulnerability in the WhatsApp messenger, exploited by unknown persons, led to the theft of confidential data from the device's memory.
Researchers can use such vulnerabilities to achieve their goals - to extract data from locked devices or to unlock them.
Security recommendation: You need to update not only the OS, but also the application programs that you use.
Method 9: corporate phone
Corporate mobile devices can be unlocked by company sysadmins. For example, corporate Windows Phone devices are linked to a company's Microsoft Exchange account and can be unlocked by its administrators. For corporate Apple devices, there is a Mobile Device Management service similar to Microsoft Exchange. Its administrators can also unlock the corporate iOS device. In addition, corporate mobile devices can only be connected to specific computers specified by the administrator in the mobile device settings. Therefore, without interacting with the company's system administrators, such a device cannot be connected to the researcher's computer (or software and hardware complex for forensic data extraction).
Security recommendation: MDM is both good and bad in terms of security. The MDM administrator can always reset the device remotely. In any case, you shouldn't store sensitive personal data on a corporate device.
Method 10: information from sensors
By analyzing the information received from the sensors of the device, you can guess the password for the device using a special algorithm. Adam J. Aviv demonstrated the possibility of such attacks using data obtained from a smartphone's accelerometer. In the course of research, the scientist was able to correctly determine the symbolic password in 43% of cases, and the graphic password in 73%.
Security recommendation: Pay close attention to which applications you grant permission to track different sensors.
Method 11: face unlock
As in the case of a fingerprint, the success of unlocking a device using FaceID technology depends on which sensors and which mathematical apparatus are used in a particular mobile device. Thus, in the work "Gezichtsherkenning op smartphone niet altijd veilig", the researchers showed that some of the smartphones under study were unlocked by simply showing the owner's photo to the smartphone's camera. This is possible when only one front camera is used for unlocking, which does not have the ability to scan the image depth data. After a series of high-profile publications and videos on YouTube, Samsung was forced to add a warning to the firmware of its smartphones. Face Unlock Samsung:

More advanced smartphone models can be unlocked using a mask or self-learning device. For example, the iPhone X uses a special TrueDepth technology: the device's projector, using two cameras and an infrared emitter, projects a grid of more than 30,000 points onto the wearer's face. Such a device can be unlocked using a mask, the contours of which mimic the contours of the wearer's face. IPhone Unlock Mask [10]:

Since such a system is very complex and does not work under ideal conditions (the owner ages naturally, and the face changes with emotion, fatigue, health, etc.), it is forced to constantly self-learn. Therefore, if another person holds the unlocked device in front of their face, that face will be remembered as the face of the owner of the device, and in the future that person will be able to unlock the smartphone using FaceID technology.
Protection recommendation: do not use unlocking by "photo" - only systems with full-fledged face scanners (Apple's FaceID and analogues on Android devices).
The main recommendation is not to look at the camera, just look away. Even if you close one eye, the chance to unlock drops dramatically, as with hands on your face. In addition, to unlock by face (FaceID), only 5 attempts are given, after which you will need to enter a password.
Method 12: using leaks
Databases of leaked passwords are a great way to understand the psychology of the owner of the device (provided that the researcher has information about the email addresses of the owner of the device). In the example above, a search for an email address returned two similar passwords that the owner used. It can be assumed that the password 21454162 or its derivatives (for example, 2145 or 4162) could be used as a mobile device lock code. (A search by the owner's email address in the leak databases shows what passwords the owner could have used, including to lock the mobile device.)

Protection recommendation: act proactively, track data on leaks and change passwords noticed in leaks in a timely manner!
Method 13: typical passwords to lock devices
As a rule, not one mobile device is confiscated from the owner, but several. Often there are about a dozen such devices. In this case, you can guess the password for the vulnerable device and try to apply it to other smartphones and tablets seized from the same owner.
When data extracted from mobile devices is analyzed, such passwords are displayed in forensic programs (often even when the data was extracted from locked devices using various types of vulnerabilities).

As you can see in the screenshot of a part of the working window of the UFED Physical Analyzer program, the device is locked with a rather unusual PIN-code fgkl.
Do not neglect other user devices. For example, by analyzing the passwords stored in the cache of the web browser of the computer of the owner of the mobile device, one can understand the principles of password generation, which the owner adhered to. You can view the saved passwords on your computer using a utility from NirSoft.
Also, the computer (laptop) of the owner of the mobile device may have Lockdown files that can help to gain access to the locked Apple mobile device. This method will be discussed later.
Security recommendation: use different, unique passwords everywhere.
Method 14: typical PIN codes
As noted earlier, users often use typical passwords: phone numbers, bank cards, PIN codes. This information can be used to unlock the provided device.
If all else fails, you can use the following information: researchers conducted an analysis and found the most popular PIN codes (the given PIN codes cover 26.83% of all passwords):
| PIN | Frequency, % |
|------|--------|
| 1234 | 10.713 |
| 1111 | 6.016 |
| 0000 | 1.881 |
| 1212 | 1.197 |
| 7777 | 0.745 |
| 1004 | 0.616 |
| 2000 | 0.613 |
| 4444 | 0.526 |
| 2222 | 0.516 |
| 6969 | 0.512 |
| 9999 | 0.451 |
| 3333 | 0.419 |
| 5555 | 0.395 |
| 6666 | 0.391 |
| 1122 | 0.366 |
| 1313 | 0.304 |
| 8888 | 0.303 |
| 4321 | 0.293 |
| 2001 | 0.290 |
| 1010 | 0.… |

Applying this list of PIN codes to a locked device will unlock it with a probability of ~26%.
Security recommendation: check your PIN against the table above and, even if it doesn't match, change it anyway, because 4 digits is too short for 2020.
Method 15: typical graphic passwords
As described above, with footage from CCTV cameras in which the owner of the device tries to unlock it, the unlock pattern can be found within five attempts. In addition, just as there are typical PIN codes, there are also typical patterns that can be used to unlock locked mobile devices.
[Images: the most popular graphic patterns according to researcher Jeremy Kirby, grouped into simple patterns, patterns of medium difficulty, and complex patterns]
On some mobile devices, an additional PIN code may be set alongside the graphic code. In this case, if the graphic code cannot be found, the researcher can click the Additional PIN-code button after entering an incorrect graphic code and try to find the additional PIN code.
Security recommendation: it is better not to use graphic keys at all.
Method 16: alphanumeric passwords
If the device can use an alphanumeric password, then the owner could use the following popular passwords as the lock code [16]:
- 123456
- password
- 123456789
- 12345678
- 12345
- 111111
- 1234567
- sunshine
- qwerty
- iloveyou
- princess
- admin
- welcome
- 666666
- abc123
- football
- 123123
- monkey
- 654321
- !@#$%^&*
- charlie
- aa123456
- donald
- password1
- qwerty123
Method 17: cloud or local storage
If it is not technically possible to extract data from a locked device, forensic experts can search for its backups on the computers of the device owner or in the appropriate cloud storage.
Often, owners of Apple smartphones, connecting them to their computers, do not realize that at this time a local or cloud backup of the device can be created.
Google and Apple cloud storage can store not only data from devices, but also passwords saved by the device. Extracting these passwords can help in guessing the mobile device lock code.
From the Keychain stored in iCloud, you can extract the owner-set password for the device backup, which is highly likely to match the screen lock PIN.
If law enforcement agencies contact Google and Apple, companies can transfer the available data, which will likely greatly reduce the need to unlock the device, since the data will already be in the hands of law enforcement officers.
For example, after the terrorist attack in Pensacola, copies of data stored in iCloud were transferred to the FBI. From Apple's statement:
"Within hours, following the first FBI request on December 6, 2019, we provided a wide range of information related to the investigation. From December 7-14, we received six additional legal inquiries and provided information in response, including iCloud backups, account information, and transactions for multiple accounts.
We responded to every request immediately, often within hours, exchanging information with the FBI offices in Jacksonville, Pensacola and New York. At the request of the investigation, many gigabytes of information were obtained, which we passed on to the investigators."
Security recommendation: Anything you send to the cloud unencrypted can and will be used against you.
Method 18: Google account
This method is suitable for removing the picture password that locks the screen of a mobile device running the Android operating system. To use this method, you need to know the username and password for the Google account of the device owner. The second condition: the device must be connected to the Internet.
If you enter an incorrect picture password several times in a row, the device will prompt you to recover the password. After that, you need to log into the user account, which will unlock the device screen.
Due to the variety of hardware solutions, Android operating systems and additional security settings, this method is only applicable to a number of devices.
If the researcher does not have a password to the device owner's Google account, he can try to recover it using standard methods for recovering passwords from such accounts.
If the device is not connected to the Internet at the time of the study (for example, the SIM card is blocked or there is not enough money on it), then such a device can be connected to Wi-Fi using the following instructions:
- press the "Emergency Call" icon
- dial *#*#7378423#*#*
- select Service Test - Wlan
- connect to an available Wi-Fi network [5]
Method 19: guest account
On mobile devices running Android 5 and higher, there can be multiple accounts. To access the data of the additional account, there may be no lock with a PIN code or a graphic code. To switch, you need to click on the account icon in the upper right corner and select another account.
For an additional account, access to some data or applications may be restricted.
Protection recommendation: it is important to update the OS here. On modern versions of Android (9 and up with the July 2020 security patches), the Guest account generally does not provide any options.
Method 20: specialized services
Companies that develop specialized forensic programs also offer services for unlocking mobile devices and extracting data from them. The capabilities of these services are fantastic. Using them, you can unlock top models of Android and iOS devices, as well as devices that are in recovery mode (which the device switches to after exceeding the number of attempts to enter the wrong password). The disadvantage of this method is its high cost.
A snippet of Cellebrite's website describing what devices they can retrieve data from. The device can be unlocked in the development laboratory (Cellebrite Advanced Service (CAS)):

For such a service, the device must be provided to the regional (or head) office of the company. A specialist can also travel to the customer. As a rule, it takes one day to crack the screen lock code.
Security recommendation: It is almost impossible to protect yourself, other than using a strong alphanumeric password and changing devices annually.
Thank you for your attention!
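The checks recommended under Method 12 and Method 14, as an added example that is not part of the original article: a Python audit of a proposed numeric lock code against the article's popular-PIN list, simple structural patterns, and passwords known from leaks. The function names, the 6-digit minimum and the pattern rules are assumptions of this example; the leaked value is the one quoted under Method 12.

```python
import re

# Most popular PINs as listed under Method 14 (together 26.83% of all codes).
POPULAR_PINS = {
    "1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444", "2222", "6969",
    "9999", "3333", "5555", "6666", "1122", "1313", "8888", "4321", "2001", "1010",
}

def is_sequence(code):
    """True when each digit steps by +1, or each by -1, from the one before (1234, 9876)."""
    steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
    return steps in ({1}, {-1})

def is_repeated_block(code):
    """True when the code is one block of 1-3 digits repeated (1111, 1212, 123123)."""
    return re.fullmatch(r"([0-9]{1,3})\1+", code) is not None

def audit_lock_code(code, leaked_passwords=(), min_length=6):
    """Return the reasons a numeric lock code is weak; an empty list means no finding."""
    if not re.fullmatch(r"[0-9]+", code):
        raise ValueError("this audit covers numeric lock codes only")
    findings = []
    if len(code) < min_length:  # min_length=6 is this example's assumption
        findings.append(f"shorter than {min_length} digits")
    if code in POPULAR_PINS:
        findings.append("in the list of most popular PINs")
    if is_sequence(code):
        findings.append("ascending or descending sequence")
    if is_repeated_block(code):
        findings.append("repeated digit block")
    if re.fullmatch(r"(19|20)[0-9]{2}", code):
        findings.append("looks like a year")
    # Method 12: the code equals a leaked password or is a slice of one.
    if len(code) >= 4 and any(code in leaked for leaked in leaked_passwords):
        findings.append("derived from a password found in a leak")
    return findings

if __name__ == "__main__":
    leaked = ["21454162"]  # the leaked password quoted under Method 12
    for candidate in ("1234", "4162", "2001", "839017"):  # constructed samples
        print(candidate, audit_lock_code(candidate, leaked) or "no finding")
```

A code that returns an empty list has only passed these particular checks; the length of the code and the device's attempt limits still decide how well it holds up.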