-
I guess some might claim this is a design limitation rather than a vulnerability. The fact is they advertised picture password as being more or less invulnerable to people looking over your shoulder. The op has described a method making this a lot easier to do than most people believed.
We should certainly discuss this so everyone understands the limitations of picture password.
02-13-17 08:32 AM Like 0
- Just tried this procedure as described above and it doesn't work for me. First, there are more than a few spacing distances for the numbers, so it can take many cycles of turning the screen off and on before you get the same spacing as the exemplary case. When the spacing was as nearly the same as I could tell, and I placed the alternative number in the alternative place, the real number was never close to the right place. Did this three times until I had gone to 5 bad password tries.
LeapSTR100-2/10.3.3.2205
02-13-17 10:14 AM Like 0
- The difference here is that a vulnerability has been found, but your friend hasn't really discovered dragons.
I guess some might claim this is a design limitation rather than a vulnerability. The fact is they advertised picture password as being more or less invulnerable to people looking over your shoulder. The op has described a method making this a lot easier to do than most people believed.
We should certainly discuss this so everyone understands the limitations of picture password.
I'll believe so when security experts state that it's a vulnerability. Same thing as when your GF breaks up with you and screams "You're Sickkk". You probably won't believe that. You'll only believe you're sick when your doc tells you so. Get the funny idea? Don't call it a vulnerability.
I won't consider something a vulnerability because two, three, four, a bunch of users think it is xD.
Last edited by Sairos; 02-13-17 at 10:44 AM.
02-13-17 10:34 AM Like 0
- OK, got it. So I had another go.
In my first try, it took many tries just to get the same grid count, but maybe that doesn't matter so much. When I could get the same grid count, I would've exceeded the 5 tries easily before finding a pattern that would've worked.
I've thought about it some more and yes, I think this should be a problem. The weakness is that you only need the relation between 2 numbers on the grid, if you know the grid size. That should give you a 1% chance of hitting the same relationship on any random generation of that fixed grid size. This is much worse than any 4 digit lock code, which is at 0.001%.
There are 2 easy fixes to improve the situation:
1) Include any character, not just numbers. This would decrease the probability very significantly already
2) Randomize the grid spacing and size, or even better, do not even use a regular grid spacing.
It's not all gloomy though, this weakness only applies if someone is carefully observing you unlock. In most cases, I doubt someone would have time to even count the grid size. In this case, the old 4 digit lock codes are much worse (I've had 4 year old kids unlock iPhone 4S just watching the adult user a bit).
In a case where someone finds your phone and tries to unlock, the picture password is probably significantly much better.
02-13-17 11:21 AM Like 0
- Yes. It's just that picture password was supposedly designed specifically to NOT be vulnerable to this sort of thing. And yes, it's still better than a pin/pattern.
02-13-17 01:12 PM Like 0
- Picture password was designed to protect against this kind of attack:
https://drive.google.com/file/d/0B8e...FrbW9hZlE/view
as described here:
BlackBerry’s Picture Password Automatically Protects You from New Hacking Tactic | Inside BlackBerry
1122334455667788 likes this.
02-13-17 01:21 PM Like 1
- It's not all gloomy though, this weakness only applies if someone is carefully observing you unlock. In most cases, I doubt someone would have time to even count the grid size. In this case, the old 4 digit lock codes are much worse (I've had 4 year old kids unlock iPhone 4S just watching the adult user a bit).
In a case where someone finds your phone and tries to unlock, the picture password is probably significantly much better.
Like you said, not using a fixed grid would work. Or they could use the grid, but make each spot on it be randomized so each number could appear anywhere within a certain distance of its "fixed" grid placement.
02-13-17 01:21 PM Like 0
- Just tried this procedure as described above and it doesn't work for me. First, there are more than a few spacing distances for the numbers, so it can take many cycles of turning the screen off and on before you get the same spacing as the exemplary case. When the spacing was as nearly the same as I could tell, and I placed the alternative number in the alternative place, the real number was never close to the right place. Did this three times until I had gone to 5 bad password tries.
LeapSTR100-2/10.3.3.2205
Originally Posted by EFats
There are 2 easy fixes to improve the situation:
1) Include any character, not just numbers. This would decrease the probability very significantly already
2) Randomize the grid spacing and size, or even better, do not even use a regular grid spacing.
It would be an improvement if they did away with the evenly spaced grid and went with a more random distribution of numbers, all at varying distances from each other. That one change would stop this technique from working altogether.
In addition, if they removed the ability to swap between the two grid densities by clicking off the screen, that would further reduce the ability to pull this off.
However, there is no need to count the grid size at the moment. Simply observing the difference between the two possible densities would allow anyone to wait for the correct one to come back.
02-13-17 02:28 PM Like 0
- Hello,
A friend of mine discovered this and shared it with me. I've been using picture password for 3 years and never noticed this. Not something I'm terribly concerned about because most non-bb10 users have never seen picture password before.
If someone can watch you unlock your phone, and understand how picture password works, all they need to do is choose and memorize any number and its location. They also need to memorize the number spacing/density.
If that person then gets a hold of the phone, they can typically unlock the phone within 5 tries. During each attempt, if the spacing isn't the same, then just power off the screen and try again - this resets the spacing without using up an attempt.
The person just places their number over the same spot they picked.
The vulnerability results from a lack of randomness in the grid generation. It seems that within 5 tries, the grids can recycle. The attacker won't learn the true intended digit/location combo, but the potential to unlock the phone again exists.
Give it a shot on your bb10. I haven't tried it on BlackBerry android yet.
As long as we unlock our phones quickly it will reduce the risk of an attacker being able to memorize the info needed to unlock the phone.
BlackBerry could reduce the risk further by producing more random grids that aren't composed of square lattices.
02-13-17 04:22 PM Like 0
- Edited.
From what I can tell, this method of unlocking the phone without knowing the user's "number and position" will only work when the attacker's chosen "number and position" (determined by the attacker when the user successfully unlocks) re-occurs at the precise same relative position to the user's real number as when it did when the attacker chose it, and then the attacker just happens to also choose to reuse that precise variant of their number to reposition as opposed to any other of the other available options for their number. In all my attempts recently, I have seen a specific number re-appear precisely relative to mine only twice over about 10 mins of trying. From my unscientific sampling, I think the odds of this working are not as high as suggested by the original post.
If the attacker could memorize the grid (all numbers and relative locations to each other) when the user successfully unlocks the phone, and then keep pressing the power button until the precise same grid reappears (I am not sure how long it would take to reappear if it would reasonably ever reappear), then this method would work. If the attacker can memorize small parts of the grid and then only attempt when those small parts reappear, then maybe they could increase their chances.
Posted via CB10 on Z10
Last edited by spARTacus; 02-13-17 at 05:05 PM.
02-13-17 04:51 PM Like 0
- From what I can tell, this method of unlocking the phone without knowing the user's "number and position" will only work when the attacker's chosen "number and position" (determined by the attacker when the user successfully unlocks) re-occurs at the precise same relative position to the user's real number as when it did when the attacker chose it, and then the attacker just happens to also have to choose to reuse that precise variant of their number to reposition as opposed to any other of the other available options for their number. In all my attempts recently, I have seen a specific number re-appear precisely relative to mine only twice over about 10 mins of trying. From my "unscientific" sampling, I think the odds of this working are not as high as suggested by the original post.
Posted via CB10 on Z10
If I'm doing the math correctly, that means the probability of getting in within the 5 try maximum is 50%.
02-13-17 05:03 PM Like 0
- You don't actually have to power off the screen. Just hit the cancel button. It's slightly faster.
chetmanley likes this.
02-13-17 05:05 PM Like 1
-
Posted via CB10 on Z10
02-13-17 05:16 PM Like 0
-
Originally Posted by 1122334455667788
You don't actually have to power off the screen. Just hit the cancel button. It's slightly faster.
02-13-17 05:33 PM Like 0
- Why are you concluding that the odds are one in ten for getting it? The odds of the attacker's chosen number reappearing at the same precise relative position might be close to one in ten (from what I could tell), but I don't think that means the same as the combined odds of the attacker actually also choosing to reuse that precise option of their number. For any given grid, I normally see close to at least a half dozen options for each/any number.
Posted via CB10 on Z10
They then line up a number to the same spot as they observed that number during a successful login.
Because the grid spacing is identical, it is guaranteed that there is a number in EXACTLY the same spot as the correct spot. Since there are 10 possible number options (0-9), there is a one in ten chance that the number in the correct spot is also the correct number.
02-13-17 05:40 PM Like 0
- The attacker chooses the same grid. This may seem time consuming, but it will probably take less than 30 seconds.
They then line up a number to the same spot as they observed that number during a successful login.
Because the grid spacing is identical, it is guaranteed that there is a number in EXACTLY the same spot as the correct spot. Since there are 10 possible number options (0-9), there is a one in ten chance that the number in the correct spot is also the correct number.
Posted via CB10 on Z10
02-13-17 05:56 PM Like 0
- The spacing is reused since it only consists of whole rows and columns, and seems to be selected from a relatively small range, between 6 and 8 columns on my Leap. I have not been able to determine any procedure for selection, so it is probably random, but proving that would take more time than I'm willing to invest.
The bottom line is that if you allow someone to watch you enter your secret credentials, regardless of the method of entry, you are reducing the strength of that protection. This can only be a vulnerability if BlackBerry claims that Picture Password is robust against shoulder surfing. To my knowledge they have never made that claim. This is why there are "protect your PIN" notices on bank machines etc.
So far however Picture Password is robust against spatiotemporal dynamics, which is enough for me.
LeapSTR100-2/10.3.3.2205
02-13-17 05:57 PM Like 0
-
There were some links posted above.
They even used the words shoulder surfing. Admittedly I don't think they ever said it was perfect, opting for words like "hard" instead, but given how small a change it would take to make it way harder, I think they should have done it.
02-13-17 06:13 PM Like 0
- Actually they kind of have.
There were some links posted above.
They even used the words shoulder surfing. Admittedly I don't think they ever said it was perfect, opting for words like "hard" instead, but given how small a change it would take to make it way harder, I think they should have done it.
02-13-17 07:24 PM Like 0
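To put numbers on the odds argued over in this thread (one in ten per aligned guess, and what that means across the five-try limit), here is an added Monte Carlo estimate written for this discussion; it is not BlackBerry's code and does not model the real grid generator. It assumes each cell holds an independent, uniformly random digit, a 6x8 lattice (the thread reports 6 to 8 columns on a Leap), and that the memorised spot lies within two cells of the user's secret spot; the two grid densities and the free cancel/retry are not modelled, since they cost no attempts.

```python
import random

DIGITS = 10  # Picture Password grids use the digits 0-9


def random_grid(rows, cols, rng=random):
    # Constructed model: one independent, uniformly random digit per cell.
    # Assumption only; the thread does not establish how BB10 fills the grid.
    return [[rng.randrange(DIGITS) for _ in range(cols)] for _ in range(rows)]


def aligned_attempt(grid, memorised_digit, offset, rng=random):
    """One guess by an observer who memorised some digit and the screen spot it
    sat on during a successful unlock. Because the lattice spacing is the same,
    the user's secret spot sits a fixed (rows, cols) offset from that spot.
    Dragging any cell holding memorised_digit onto the memorised spot puts
    whatever digit lies at `offset` from it onto the secret spot, and that is
    the digit entered. Returns it, or None when no instance of the digit can be
    aligned without the target cell falling off the grid."""
    drow, dcol = offset
    rows, cols = len(grid), len(grid[0])
    cells = [(r, c) for r in range(rows) for c in range(cols)
             if grid[r][c] == memorised_digit]
    rng.shuffle(cells)  # any instance of the digit will do, as noted above
    for r, c in cells:
        tr, tc = r + drow, c + dcol
        if 0 <= tr < rows and 0 <= tc < cols:
            return grid[tr][tc]
    return None


def estimate_per_attempt(trials, rows=6, cols=8, reach=2, seed=1):
    """Monte Carlo estimate of the chance that a single aligned guess enters
    the user's real digit, drawing a fresh random grid for every trial.
    `reach` bounds how far (in cells) the memorised spot is from the secret."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        user_digit = rng.randrange(DIGITS)
        memorised_digit = rng.randrange(DIGITS)
        offset = (rng.randint(-reach, reach), rng.randint(-reach, reach))
        grid = random_grid(rows, cols, rng)
        if aligned_attempt(grid, memorised_digit, offset, rng) == user_digit:
            hits += 1
    return hits / trials


def chance_within(attempts, per_attempt):
    # Probability that at least one of `attempts` independent guesses
    # succeeds, e.g. over the five-try limit discussed in the thread.
    return 1 - (1 - per_attempt) ** attempts
```

Under these assumptions the per-attempt rate comes out just under one in ten (slightly lower because some offsets cannot be aligned on a 6x8 grid), and chance_within(5, 0.1) gives about 41%, which is the figure to weigh against the proposed fix of jittering each number away from its lattice position.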
Picture Password vulnerability