[chetmanley]

Hello,

A friend of mine discovered this and shared it with me. I've been using picture password for 3 years and never noticed this. Not something I'm terribly concerned about because most non-bb10 users have never seen picture password before.

If someone can watch you unlock your phone, and understand how picture password works, all they need to do is choose and memorize any number and its location. They also need to memorize the number spacing/density.

If that person then gets a hold of the phone, they can typically unlock the phone within 5 tries. During each attempt, if the spacing isnt the same, then just power off the screen and try again - this resets the spacing without using up an attempt.

The person just places their number over the same spot they picked.

The vulnerabiltity results from a lack of randomness in the grid generation. It seems that within 5 tries, the grids can recycle. The attacker wont learn the true intended digit/location combo, but the potential to unlock the phone again exists.

Give it a shot on your bb10. I havent tried it on BlackBerry android yet.

As long as we unlock our phones quickly it will reduce the risk of an attacker being able to memorize the info needed to unlock the phone.

BlackBerry could reduce the risk further by producing more random grids, that arent composed of square lattices.

[ray689]

This is flawed theory.

[Blackberry4Shizzle]

I understand what your saying but I don't really think it's that big of an issue.
I've used it for about 3 years like yourself and I don't remember a time where I've unlocked my phone in front of someone more than once for them to remember the spacing. If I'm in a public place and someone is looking over my shoulder I would still feel happy enough to unlock my phone and know they have no clue what I'm doing.
I'm sure phone users who lock their phone with 4 digit passcodes and patterns don't purposely unlock their phone in front of someone 4/5 times because of course they will be able to guess it.
Just be happy that BlackBerry have this feature and we are more secure than non Blackberry users

Posted via CB10 on my Classic

[Thud Hardsmack]

Hello,

A friend of mine discovered this and shared it with me. I've been using picture password for 3 years and never noticed this. Not something I'm terribly concerned about because most non-bb10 users have never seen picture password before.

If someone can watch you unlock your phone, and understand how picture password works, all they need to do is choose and memorize the location of any number and its location. They also need to memorize the number spacing.

If that person then gets a hold of the phone, they can typically unlock the phone within 5 tries. During each attempt, if the spacing isnt the same, then just power off the screen and try again - this resets the spacing without using up an attempt.

The person just places their number over the same spot they picked.

The vulnerabiltity results from a lack of randomness in the grid generation. It seems that within 5 tries, the grids can recycle. The attacker wont learn the true intended digit/location combo, but the potential to unlock the phone again exists.

Give it a shot on your bb10. I havent tried it on BlackBerry android yet.

As long as we unlock our phones quickly it will reduce the risk of an attacker being able to memorize the info needed to unlock the phone.

BlackBerry could reduce the risk further by producing more random grids, that arent composed of square lattices.

This only works if the user puts their finger or thumb directly on the number used and drags it to the unlock zone. A zone in the middle area defeats this because the user can drag any area on the screen an any direction to unlock. This makes guessing in 5 tries impossible.

[ray689]

This only works if the user puts their finger or thumb directly on the number used and drags it to the unlock zone. A zone in the middle area defeats this because the user can drag any area on the screen an any direction to unlock. This makes guessing in 5 tries impossible.

Exactly which defeats the whole purpose of picture password. I see so many people who think they need to move the specific number rather then the grid itself. This theory of the OP would never work if the user actually used picture password as it's meant to be used. In fact, telling the person the number you use and having them watch you (if you aren't directly putting your finger on the number) and depending on the picture you use is still pretty much in possible to guess.

[werkregen]

This only works if the user puts their finger or thumb directly on the number used and drags it to the unlock zone. A zone in the middle area defeats this because the user can drag any area on the screen an any direction to unlock. This makes guessing in 5 tries impossible.

I for one find it easier to not put my finger directly over the number. I usually start from the middle of the screen.

[ray689]

I for one find it easier to not put my finger directly over the number. I usually start from the middle of the screen.

Great but defeats the purpose of it. And how do you start at the middle of the screen exactly? It's not like the number you use is always in the middle.

Edit: I see that I misread you post. So I agree with you.

[crackbb10]

Trackpad on the Classic is the best for this.

Posted via CB10

[1122334455667788]

Great but defeats the purpose of it. And how do you start at the middle of the screen exactly? It's not like the number you use is always in the middle.

I'm confused. Wasn't wekregen agreeing with you?

[chetmanley]

This only works if the user puts their finger or thumb directly on the number used and drags it to the unlock zone. A zone in the middle area defeats this because the user can drag any area on the screen an any direction to unlock. This makes guessing in 5 tries impossible.

You guys aren't trackin what I'm trying to describe.

The user can place their finger anywhere, doesnt matter. The attacker just needs to memorize any random number, its location, and the grid spacing.

Ive been trying this all afternoon. Im at a 30-40 percent sucess rate I'd guess.

When my friend showed me on my passport, he got it on the 3rd try. When I tried it on his z10, I got it on the very first try, but thats just luck.

If you guys actually try this you will see what I'm trying to describe.

[werkregen]

I'm confused. Wasn't wekregen agreeing with you?

I was confirming the behavior described by fret madden.

Anyway, he is right, i can't always reach the number if I start from the middle. But I usually can, so I start from the middle anyway and just look for the number as I move the thumb. Once every 10 unlocks I won't be able to do it.

It doesn't bother me though because I enabled smart lock with a pebble (which IMO is a bigger security risk, but whatever) which means I fail to unlock on average once a day.

[ray689]

I'm confused. Wasn't wekregen agreeing with you?

Lol yes misread his post.

[Thud Hardsmack]

You guys aren't trackin what I'm trying to describe.

The user can place their finger anywhere, doesnt matter. The attacker just needs to memorize any random number, its location, and the grid spacing.

Ive been trying this all afternoon. Im at a 30-40 percent sucess rate I'd guess.

When my friend showed me on my passport, he got it on the 3rd try. When I tried it on his z10, I got it on the very first try, but thats just luck.

If you guys actually try this you will see what I'm trying to describe.

Not possible if you don't know the correct number to begin with. No random number or random area unlocks the device, that's the whole point. It's a specific number in random order dropped into a random grid that has to be inside in a small zone. You have 10 to choose from and a target that's about ¼" in diameter that can be anywhere on the screen. Even if someone watches you do it the actual likelihood of getting the number right in five or less tries is so astronomical it borders impossible, so we'll call it that.

[sidtek50]

I fully understand you OP, however I've just tried your theory approx 20 times on my Classic and can't recreate it. The random number generation seems fine to me. No vulnerability as far as I can see.

Posted via CB10

[ray689]

Exactly. Claiming a 30-40% rate and getting it on "3rd try" or whatever is ridiculous.

[bobshine]

Looking over the shoulder is a weakness of any password!

[ray689]

Looking over the shoulder is a weakness of any password!

But that is the point of picture password that even looking makes it basically impossible to figure out.

[chetmanley]

Some of you guys seem rather offended by this for some reason... What I've described here is simply something worth a look considering many believe picture password to be invulnerable to onlookers.

Ray - when I say 3rd try, I mean 3rd placement attemp in the first of 5 possible placement attempts before it requires a typed password. So that is significant. Someone who has no idea what my picture password combo is was able to get into my phone with no info other than watching me unlock my phone once.

I then tried it on his phone and got it on the very first placement.

I'm not saying this is a sure thing, but it is statistically significant enough to mention to the community and a simple update by blackberry to increase the entropy would make picture password even better.

[EFats]

I understand what you're saying, but my testing on my Z10 says this won't work.
- The power button to turn off the screen indeed gets me a new grid, but doesn't reset my failed attempts
- I tried over 10 times, but no grid pattern comes out the same as the first time. I randomly picked a number and a point in the picture where I unlocked it, not once was it ever close to placing the correct number over the correct part of the picture.

I don't have to do that much testing as it would lock after 10 times, right? If they managed to guess my password on the 5th try (which is like a secondary security layer already), it just means you score 5 more tries to unlock with the picture.

I'm still quite comfortable unlocking my BB10 in front of any observer, don't think they will get my unlock pattern except by sheer luck.

[1122334455667788]

This actually works. The trick is waiting for the exact same layout. Count the number of numbers both horizontally and vertically.

When watching someone unlock their phone, pick a location that has a number on it.
When trying to break in, get the right layout and move a number to the location you picked out. Since you are using the same grid, you are guaranteed to have a number in the actual unlock spot. Since the numbers are randomized, you now have a 1 out of 10 chance of unlocking the phone.
Once you take into account that you have 5 guesses, you actually have a reasonable chance of getting in.

I was successful in a test I just did where I ignored my actual number and location, and set the numbers using the method above.


This is still much more difficult than watching someone do one of the the standard Android unlock patterns, but it could certainly use some improvement.

[1122334455667788]

- I tried over 10 times, but no grid pattern comes out the same as the first time.

Just to clarify, you don't need the numbers to be the same as the original pattern. Just the number of rows/columns.
Also note that requesting a new pattern does not add to the unlock attempt count.

[Sairos]

A friend of mine discovered dragons and shared this with me too. I told him he wasn't being original.

Only security experts are entitled to write threads citing vulnerabilities. Normal folk are entitled to guess work.

[sidtek50]

Can someone please record this and put on youtube so we can all see? It's not that I don't believe it, it sounds like it could be legit, but I seriously can't reproduce it no matter how many attempts I try. Would really like someone to do a youtube demo because if there is even a tiny chance of a security risk, we need to alert Blackberry so they can patch it.

Posted via CB10

[bloke1]

I always place my finger on the screen and rub my finger swiftly in a circular motion for few times until i get to the number. So can you still see it?

Posted via CB10

[1122334455667788]

I always place my finger on the screen and rub my finger swiftly in a circular motion for few times until i get to the number. So can you still see it?

Posted via CB10

What motion you do while I'm watching isn't relevant.
I pick MY OWN number and location randomly just before you let go and login.
I guess going quickly would make it harder for me to memorize a location and the grid type.
Honestly it would take good eyes and memory for someone to actually succeed.