How secure is the pattern lock found on Google Android devices? Apparently, quite secure. Of course, it can be made very easy to crack. For example, if the so-called pattern is a straight line, that’s not much security, is it? That’s the equivalent of using “password” as a password, and it defeats BYOD smartphone security, even if something like AlertBoot’s Mobile Security is used to enhance the device’s protection.
But, if you’re not into hamstringing yourself, it turns out that the pattern lock can be very secure. So secure, in fact, that the FBI had to serve a warrant on Google to get the device unlocked.
Or so the headlines would lead you to believe….
FBI Wants Access to Pimp’s Phone
“FBI, stumped by pimp’s Android pattern lock, serves warrant on Google” is the headline at arstechnica.com (14 March 2013). A similar observation is made by wired.com.
The story: a pimp with a criminal history is found to be using an Android phone to coordinate his business activities in the sex trade. The FBI gets a warrant to search his house and belongings, which includes the phone. Pimp won’t cooperate. So, the FBI sends the phone to its technicians, who eventually end up triggering a device lock-out after too many erroneous attempts. Once that happens, the FBI applies for a second warrant so that Google will unlock the phone.
So, what happened? As the arstechnica.com article notes, studies have shown that smudges on the phones can defeat the pattern lock. It’s a guessing game, and under “ideal conditions” researchers were able to gain access to a phone 90% of the time.
But then, those results were obtained under ideal conditions. Make the pattern long enough and complex enough, and the odds of successfully breaking into a smartphone plummet, especially if you need more than 20 attempts. After the twentieth entry, the phone will lock you out, as noted earlier, and the only way to regain access is to provide the Google email address and password.
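To put numbers on that claim, the following added example (not from the original article) counts every valid pattern on the 3x3 grid and the chance that a limited number of guesses hits it. It assumes the standard Android rules (4 to 9 dots, each dot used once, no jumping over an unvisited dot) and a pattern chosen uniformly at random; the function names are hypothetical.

```python
from fractions import Fraction

# Dots are numbered 0..8, row by row. MIDDLE[(a, b)] is the dot that lies
# exactly between a and b on the grid (assumed standard Android rule: a stroke
# may pass over it only if it is already part of the pattern).
MIDDLE = {}
for a, b, mid in [(0, 2, 1), (3, 5, 4), (6, 8, 7), (0, 6, 3),
                  (1, 7, 4), (2, 8, 5), (0, 8, 4), (2, 6, 4)]:
    MIDDLE[(a, b)] = MIDDLE[(b, a)] = mid


def count_patterns(min_len=4, max_len=9):
    """Return {length: number of valid patterns} by depth-first search."""
    counts = {n: 0 for n in range(min_len, max_len + 1)}

    def walk(last, visited, length):
        if length >= min_len:
            counts[length] += 1
        if length == max_len:
            return
        for nxt in range(9):
            if visited & (1 << nxt):
                continue  # each dot may be used only once
            mid = MIDDLE.get((last, nxt))
            if mid is not None and not visited & (1 << mid):
                continue  # would jump over an unvisited dot
            walk(nxt, visited | (1 << nxt), length + 1)

    for start in range(9):
        walk(start, 1 << start, 1)
    return counts


def guess_probability(space, attempts):
    """Chance that `attempts` distinct guesses hit one uniformly chosen pattern."""
    return Fraction(min(attempts, space), space)


if __name__ == "__main__":
    counts = count_patterns()
    total = sum(counts.values())
    print("patterns by length:", counts, "total:", total)
    # 20 is the lockout threshold the article describes; 10 is a sample policy value.
    for limit in (10, 20):
        print(f"{limit} attempts, any length: {float(guess_probability(total, limit)):.6%}")
        print(f"{limit} attempts, 4-dot only: {float(guess_probability(counts[4], limit)):.4%}")
```

Real patterns are not chosen uniformly and smudges narrow the candidates further, so these figures are a best case for the device owner; the attempt limit is what keeps the odds bounded.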
Mobile Security: MDM Controls Maximum Number of Failed Attempts
One of the features in AlertBoot Mobile Security is setting a policy for the number of failed passcode attempts before data on a device is wiped. This is a powerful way of ensuring data security for two reasons:
- Chances are that, if the passcode is entered incorrectly too many times, it’s not the device owner who’s trying to gain access. (Of course, you need to find a balance. One wrong attempt is too few, but more than 15 wrong attempts is too many, never mind 20!)
- Remote wiping sometimes doesn’t work because the device is not connected to a network. Why not establish a self-destruction mechanism independent of internet or cellular network connectivity?
The real star of the FBI story is not really the pattern lock – which can work wonders, obviously – but the fact that you (or, rather, someone other than you) will get locked out after too many incorrect attempts.
If there were no limit, who’s to say what would have happened?