Access area: 30 ways to unlock any smartphone. Part 1





In their work, computer forensic specialists regularly encounter cases where a smartphone has to be unlocked quickly. In one case the data on the phone is needed by investigators trying to understand why a teenager committed suicide. In another it helps pick up the trail of a criminal group attacking truck drivers. There are also touching stories, such as parents who forgot the passcode of a device holding a video of their baby's first steps, but unfortunately those are rare. They too call for a professional approach. In this article Igor Mikhailov, a specialist at the Group-IB Computer Forensics Laboratory, describes the methods forensic experts use to bypass smartphone locks.

The most common way of restricting access to the user data stored on a device is the screen lock. When such a device arrives at a forensic laboratory it is hard to work with: USB debugging cannot be enabled (on Android devices), the examiner's computer cannot be confirmed as a trusted host (on Apple devices), and as a result the data in the device's memory cannot be accessed.



The fact that the US FBI paid a large sum to unlock the iPhone of Syed Farook, one of the perpetrators of the terrorist attack in San Bernardino, California [1], shows how much an ordinary screen lock hinders specialists trying to extract data from a device.



Mobile device screen unlock methods



Typically, a mobile device screen is locked with one of the following:



  1. A character password (a numeric PIN or an alphanumeric passcode)
  2. A graphic password (pattern)


In addition, biometric (so-called smart lock) methods can be used to unlock the screen on a number of devices:



  1. Fingerprint unlock
  2. Face unlock (for example, Apple's Face ID)
  3. Iris recognition unlock


Social methods of unlocking a mobile device



Besides purely technical ones, there are other ways to learn or defeat the PIN code or pattern of a screen lock. In some cases social methods are more effective than technical solutions and help unlock devices that current technical tools cannot handle.



This section describes methods of unlocking a mobile device screen that require no (or only limited, partial) use of technical means.

To carry out social attacks, the examiner must study the psychology of the locked device's owner as deeply as possible and understand the principles by which that person generates and stores passwords or patterns. A bit of luck also helps.



When using methods based on password guessing, bear in mind that every attempt counts:



  • on Apple devices, repeated wrong passcodes cause increasing lockout delays, and if the owner has enabled the Erase Data option the device wipes itself after ten failed attempts;
  • on Android devices protected by a hardware Root of Trust, the device can be wiped and locked after 30 failed attempts.


Method 1: ask for the password



It may seem strange, but you can find out the unlock password simply by asking the device's owner. Statistics show that about 70% of mobile device owners willingly provide the password, especially if doing so shortens the examination and, accordingly, gets the device back to them sooner. If the owner cannot be asked (for example, the owner has died) or refuses to disclose it, the password can be obtained from close relatives. As a rule, relatives know the password or can suggest likely options.



Protection recommendation: your phone password is a master key to all your data, payment data included. Saying it aloud, sending it to someone, or writing it down in a messenger is a bad idea.



Method 2: shoulder-surf the password



The password can be observed while the owner uses the device. Even a partial recollection of the password (text or pattern) significantly reduces the number of possible options, which makes it much faster to find.



A variant of this method uses CCTV recordings that capture the owner unlocking the device with a pattern [2]. The algorithm described in Cracking Android Pattern Lock in Five Attempts [2] analyses the video, proposes candidate patterns, and unlocks the device in a handful of attempts (as a rule, no more than five). According to the authors, "the more complex a pattern, the easier it is to guess."



Protection recommendation: using a pattern is not a good idea. An alphanumeric password is much harder to observe.



Method 3: find the password



The password may be found in the owner's records (files on a computer, a diary, pieces of paper kept with documents). If a person uses several mobile devices with different passwords, scraps of paper with the passwords written on them can sometimes be found in the battery compartment of those devices or between the body of the smartphone and its case:





Protection recommendation: do not keep a "notebook" with passwords. That is a bad idea, unless every password in it is deliberately wrong and written down only to burn the limited number of unlock attempts an attacker has.



Method 4: fingerprints (Smudge attack)



This method relies on the grease and sweat traces that fingers leave on the display. They become visible if the screen is dusted with a light fingerprint powder (instead of special forensic powder you can use talc or another chemically inert, fine white or light-grey powder) or viewed in oblique light. Analysing the position of the traces, together with additional information about the owner (for example, the year of birth), you can try to guess a text or pattern password. This is what the grease layer on a smartphone display looks like when the pattern is a stylised letter Z:





Security recommendation: as already said, a pattern is not a good idea, and neither is screen glass with a poor oleophobic coating.



Method 5: artificial finger



If the device unlocks with a fingerprint and the examiner has samples of the owner's prints, a three-dimensional copy of the owner's fingerprint can be made on a 3D printer and used to unlock the device [3]:





For a more complete imitation of a living finger, for example when the smartphone's sensor also checks for body warmth, the 3D model is placed on (pressed against) the finger of a living person.



An owner who has forgotten the screen lock password can still unlock the device with a fingerprint. This is useful in cases where the owner cannot provide the password but is nevertheless willing to help the examiner unlock the device.



The examiner should keep in mind which generation of sensor a given model uses. Older sensors can be triggered by almost any finger, not necessarily the owner's. Modern ultrasonic sensors, by contrast, scan deeply and precisely. At the same time, a number of modern under-display sensors are simply CMOS cameras that cannot capture depth, which makes them much easier to deceive.



Protection recommendation: if a finger, then only an ultrasonic sensor. But remember that forcing your finger onto a sensor against your will is much easier than forcing your face in front of a camera.



Method 6: the "snatch" (mug attack)



This method is described by the British police [4]. It consists of covertly following a suspect. The moment the suspect unlocks the phone, a plain-clothes officer pulls it out of the owner's hands and keeps the device from locking again until it is handed over to the experts.



Defence recommendation: if such measures are being used against you, things are already bad. Still, an accidental lock defeats this method. On an iPhone, for example, triggering Emergency SOS (pressing the side button repeatedly, or holding it together with a volume button on newer models) disables Face ID and Touch ID and requires the passcode for the next unlock.



Method 7: errors in device control algorithms



Specialised news feeds regularly report that certain actions on a device unlock its screen. For example, the lock screen of some devices could be bypassed during an incoming call. The drawback of this method is that such vulnerabilities are usually fixed promptly by the manufacturers.



An example of an approach that worked on devices released before 2016 is battery drain: when the battery runs low, the device unlocks and prompts you to change the power settings. At that moment you need to go quickly to the security settings page and disable the screen lock [5].



Protection recommendation: update the OS of your device promptly, and if it is no longer supported, replace the smartphone.



Method 8: vulnerabilities in third-party programs



Vulnerabilities in third-party applications installed on a device can also give full or partial access to the data of a locked device.



An example is the theft of data from the iPhone of Jeff Bezos, the founder of Amazon. A vulnerability in the WhatsApp messenger, exploited by unknown parties, led to the theft of confidential data from the device's memory [6].



Examiners can use such vulnerabilities for their own purposes: to extract data from locked devices or to unlock them.



Security recommendation: update not only the OS but also the applications you use.



Method 9: corporate phone



Corporate mobile devices can be unlocked by the company's system administrators. For example, corporate Windows Phone devices are tied to the company's Microsoft Exchange account and can be unlocked by its administrators. For corporate Apple devices a Mobile Device Management (MDM) service plays the same role, and its administrators can likewise unlock a corporate iOS device. In addition, corporate devices may be restricted to pairing only with specific computers designated by the administrator in the device settings. Without the cooperation of the company's administrators, such a device therefore cannot be connected to the examiner's computer (or to a hardware and software kit for forensic data extraction).



Security recommendation: MDM is both good and bad for security, since the MDM administrator can always reset the device remotely. Either way, do not store sensitive personal data on a corporate device.



Method 10: information from sensors



By analysing the data from the device's sensors with a suitable algorithm, you can infer the unlock code. Adam J. Aviv demonstrated such an attack using data from the smartphone's accelerometer. In his research he correctly recovered the PIN in 43% of cases and the pattern in 73% [7].



Security recommendation: pay close attention to which applications you allow to read the various sensors.



Method 11: face unlock



As with fingerprints, the success of unlocking a device by face depends on which sensors and which algorithms a particular model uses. In the study "Gezichtsherkenning op smartphone niet altijd veilig" [8], researchers showed that some of the smartphones tested could be unlocked simply by showing the owner's photo to the front camera. This is possible when unlocking relies on a single front camera with no depth sensing. After a series of high-profile publications and YouTube videos, Samsung was forced to add a warning to the firmware of its smartphones. Samsung Face Unlock:





More advanced models can be fooled with a mask or through the system's own self-learning. For example, the iPhone X uses TrueDepth technology [9]: the device's dot projector, working together with an infrared camera and flood illuminator, projects a grid of more than 30,000 points onto the user's face. Such a device can be unlocked with a mask whose contours mimic the owner's face. iPhone unlock mask [10]:





Because such a system is complex and never operates under ideal conditions (the owner ages, the face changes with emotion, fatigue, illness and so on), it has to keep learning. Therefore, if another person repeatedly holds the unlocked device in front of their face, that face can be absorbed into the owner's template and later unlock the smartphone via Face ID. In Apple's implementation this adaptation happens when a face match fails but is immediately followed by entry of the correct passcode, so the attacker needs the passcode and a face that already scores close to the owner's.



Protection recommendation: do not use "photo" face unlock, only systems with full-fledged 3D face scanners (Apple's Face ID and its analogues on Android devices).



The main recommendation is not to look at the camera; just look away. Closing one eye, or covering part of the face with your hands, sharply reduces the chance of an unlock. In addition, Face ID allows only 5 attempts, after which the passcode must be entered.



Method 12: using leaks



Databases of leaked passwords are a great way to understand the psychology of a device's owner (provided the examiner knows the owner's e-mail addresses). In the example shown, a search by e-mail address returned two similar passwords used by the owner. It can be assumed that the password 21454162 or its derivatives (for example, 2145 or 4162) could be used as the lock code. (A search of leak databases by the owner's e-mail address shows what passwords the owner may have used, including to lock a mobile device.)





Protection recommendation: act proactively, monitor leak notifications and promptly change any password that appears in a leak.



Method 13: typical passwords to lock devices



As a rule, not one but several mobile devices are seized from an owner, often about a dozen. In that case you can recover the password from the most vulnerable device and try it on the other smartphones and tablets seized from the same owner.



When data is extracted from mobile devices, the recovered lock codes are displayed by forensic tools (often even when the data was extracted from a locked device through some vulnerability).





As the screenshot of part of the UFED Physical Analyzer working window shows, the device is locked with a rather unusual code, fgkl.



Do not neglect the user's other devices. For example, by analysing the passwords saved in the web browser on the owner's computer you can understand the principles the owner follows when creating passwords. Saved passwords on a computer can be viewed with a NirSoft utility [11].



Also, the owner's computer (laptop) may hold lockdown (pairing) files that can help gain access to a locked Apple device. This method is discussed later.



Security recommendation: use different, unique passwords everywhere.



Method 14: typical PIN codes



As noted earlier, users often choose typical codes: phone numbers, bank card numbers, card PINs. This information can be used to unlock the device.



If all else fails, use the following data: researchers analysed PIN usage and found the most popular codes (the PINs listed account for 26.83% of all codes) [12]:



PIN    Frequency, %
1234   10.713
1111    6.016
0000    1.881
1212    1.197
7777    0.745
1004    0.616
2000    0.613
4444    0.526
2222    0.516
6969    0.512
9999    0.451
3333    0.419
5555    0.395
6666    0.391
1122    0.366
1313    0.304
8888    0.303
4321    0.293
2001    0.290
1010    0.285
Trying this list of PINs on a locked device unlocks it with a probability of about 26%. Note that the full list needs 20 attempts, which is more than the 10 an iPhone with Erase Data enabled allows, so on such devices only the top of the list can be tried.
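As an added example that is not part of the original article, the following Python script turns Methods 12, 13 and 14 into one ordered guess list: a code recovered from the owner's other devices first, then digit runs and date-like fragments derived from the owner's leaked or saved passwords, then the top-20 PIN table, cut off at the attempt budget of the target platform so a guessing session never reaches the wipe threshold. The leaked password 21454162 is the one from Method 12; the birth date, the second password and the sibling-device code are constructed.

```python
"""Ordered lock-code candidates within a fixed attempt budget.

Added example; it is not code from the original article.  It combines the
sources the article lists: a code already recovered from the owner's other
devices (Method 13), digit runs and dates taken from the owner's leaked or
saved passwords (Methods 12 and 13), and the published top-20 PIN table
(Method 14), then stops at the attempt budget so guessing never reaches the
wipe or lockout threshold.  The leaked passwords, birth date and
sibling-device code used in the demo are constructed sample input.
"""
from __future__ import annotations

import re
from collections.abc import Sequence
from datetime import date

# The top-20 PINs and their share of users in %, from the table above [12].
TOP_PINS = [
    ("1234", 10.713), ("1111", 6.016), ("0000", 1.881), ("1212", 1.197),
    ("7777", 0.745), ("1004", 0.616), ("2000", 0.613), ("4444", 0.526),
    ("2222", 0.516), ("6969", 0.512), ("9999", 0.451), ("3333", 0.419),
    ("5555", 0.395), ("6666", 0.391), ("1122", 0.366), ("1313", 0.304),
    ("8888", 0.303), ("4321", 0.293), ("2001", 0.290), ("1010", 0.285),
]


def digit_windows(password: str, length: int) -> list[str]:
    """All `length`-digit windows of every digit run in a password.

    The head and tail of a run come first, because owners most often shorten
    a long number that way (2145 and 4162 from 21454162 in Method 12)."""
    out: list[str] = []
    for run in re.findall(r"\d+", password):
        if len(run) >= length:
            out += [run[:length], run[-length:]]
            out += [run[i:i + length] for i in range(1, len(run) - length)]
    return out


def date_codes(birth: date, length: int) -> list[str]:
    """Codes derived from a date: DDMM, MMDD, YYYY, YYDD, DDYY for 4 digits;
    DDMMYY, YYMMDD, MMDDYY for 6."""
    d, m, y = f"{birth.day:02d}", f"{birth.month:02d}", f"{birth.year:04d}"
    forms = {4: [d + m, m + d, y, y[2:] + d, d + y[2:]],
             6: [d + m + y[2:], y[2:] + m + d, m + d + y[2:]]}
    return forms.get(length, [])


def build_candidates(*, length: int, budget: int,
                     known_codes: Sequence[str] = (),
                     leaked_passwords: Sequence[str] = (),
                     birth: date | None = None,
                     include_top: bool = True) -> list[str]:
    """Ordered, de-duplicated guesses, at most `budget` long.

    Order follows the article's experience: a code that already opened another
    of the owner's devices first, then codes derived from the owner's own
    passwords and dates, then the statistically most common PINs."""
    if budget <= 0:
        return []
    ordered: list[str] = list(known_codes)
    for pw in leaked_passwords:
        ordered += digit_windows(pw, length)
    if birth is not None:
        ordered += date_codes(birth, length)
    if include_top:
        ordered += [pin for pin, _ in TOP_PINS if len(pin) == length]

    seen: set[str] = set()
    result: list[str] = []
    for code in ordered:
        if len(code) == length and code.isdigit() and code not in seen:
            seen.add(code)
            result.append(code)
            if len(result) == budget:
                break           # never spend the wipe/lockout attempt
    return result


def top_pin_coverage(candidates: Sequence[str]) -> float:
    """Share of users (in %) whose PIN is among the top-20 entries in the list."""
    freq = dict(TOP_PINS)
    return round(sum(freq.get(c, 0.0) for c in candidates), 3)


if __name__ == "__main__":
    # Constructed input: the leaked password from Method 12, a hypothetical
    # date of birth, and a code recovered from a second seized phone.
    guesses = build_candidates(length=4, budget=10,   # iOS Erase Data limit
                               known_codes=["2583"],
                               leaked_passwords=["21454162", "Qwerty2019!"],
                               birth=date(1987, 3, 14))
    print(guesses)
    print(f"top-20 coverage of this list: {top_pin_coverage(guesses)}%")
    top_only = build_candidates(length=4, budget=20)
    print(f"top-20 alone: {top_pin_coverage(top_only)}% of users")
```

With a budget of 10 and some owner-specific material, the generic top-20 PINs never make it into the list: the personal candidates are ranked above them, which is exactly the trade-off an examiner has to make on a device that wipes itself.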



Security recommendation: check your PIN against the table above and, even if it is not there, change it anyway, because 4 digits is too short for 2020.



Method 15: typical graphic passwords



As described above, with CCTV footage of the owner unlocking the device, the pattern can be found within five attempts. In addition, just as there are typical PINs, there are typical patterns that can be used to unlock locked mobile devices [13, 14].



Simple patterns [14]:





Patterns of medium difficulty [14]:





Complex patterns [14]:







The most popular lock patterns according to researcher Jeremy Kirby [15], with the dots numbered 1 to 9 from left to right, top to bottom:

  • 3>2>5>8>7
  • 1>4>5>6>9
  • 1>4>7>8>9
  • 3>2>1>4>5>6>9>8>7
  • 1>4>7>8>9>6>3
  • 1>2>3>5>7>8>9
  • 3>5>6>8
  • 1>5>4>2
  • 2>6>5>3
  • 4>8>7>5
  • 5>9>8>6
  • 7>4>1>2>3>5>9
  • 1>4>7>5>3>6>9
  • 1>2>3>5>7
  • 3>2>1>4>7>8>9
  • 3>2>1>4>7>8>9>6>5
  • 3>2>1>5>9>8>7
  • 1>4>7>5>9>6>3
  • 7>4>1>5>9>6>3
  • 3>6>9>5>1>4>7
  • 7>4>1>5>3>6>9
  • 5>6>3>2>1>4>7>8>9
  • 5>8>9>6>3>2>1>4>7
  • 7>4>1>2>3>6>9
  • 1>4>8>6>3
  • 1>5>4>6
  • 2>4>1>5
  • 7>4>1>2>3>6>5



On some mobile devices a backup PIN may be set in addition to the pattern. In that case, if the pattern cannot be guessed, the examiner can tap the "Backup PIN" button that appears after an incorrect pattern is entered and try to guess the PIN instead.



Security recommendation: it is better not to use patterns at all.



Method 16: alphanumeric passwords



If the device accepts an alphanumeric password, the owner may have used one of the following popular passwords as the lock code [16]:



  • 123456
  • password
  • 123456789
  • 12345678
  • 12345
  • 111111
  • 1234567
  • sunshine
  • qwerty
  • iloveyou
  • princess
  • admin
  • welcome
  • 666666
  • abc123
  • football
  • 123123
  • monkey
  • 654321
  • !@#$%^&*
  • charlie
  • aa123456
  • donald
  • password1
  • qwerty123


Security recommendation: use only complex, unique passwords with special characters and mixed case. Check whether you use one of the passwords above; if so, change it to a stronger one.



Method 17: cloud or local storage



If it is technically impossible to extract data from a locked device, forensic experts can look for its backups on the owner's computers or in the corresponding cloud storage.



Owners of Apple smartphones often do not realise that, when they connect the phone to a computer, a local or cloud backup of the device may be created.



Google and Apple cloud storage can hold not only device data but also the passwords saved on the device. Extracting those passwords can help in guessing the lock code.



From the keychain stored in iCloud you can retrieve the password the owner set for the device backup, which quite often matches the screen lock code.



If law enforcement agencies contact Google and Apple, the companies can hand over the data they hold, which will likely greatly reduce the need to unlock the device, since the data will already be in the officers' hands.



For example, after the terrorist attack in Pensacola, copies of the data stored in iCloud were handed over to the FBI. From Apple's statement:



“Within hours, following the first FBI request on December 6, 2019, we provided a wide range of information related to the investigation. From December 7-14, we received six additional legal inquiries and provided information in response, including iCloud backups, account information, and transactions for multiple accounts.



We responded to every request immediately, often within hours, communicating with the FBI offices in Jacksonville, Pensacola and New York. At the request of the investigation, many gigabytes of information were obtained, which we passed on to the investigators." [17, 18, 19]


Security recommendation: anything you send to the cloud unencrypted can and will be used against you.



Method 18: Google account



This method is suitable for removing the pattern that locks the screen of an Android device. To use it you need to know the username and password of the owner's Google account. The second condition is that the device must be connected to the Internet.



After several wrong patterns in a row the device offers to recover the pattern. You then sign in to the owner's account, which unlocks the screen [5].



Because of the variety of hardware, Android versions and additional security settings, this method applies only to a limited range of devices (in practice, releases before Android 5.0, which removed the "Forgot pattern" option).



If the examiner does not know the password of the owner's Google account, it can be recovered through the standard account recovery procedures.



If the device is not online at the time of the examination (for example, the SIM card is blocked or has no credit), it can be connected to Wi-Fi as follows:



  • press the "Emergency Call" icon
  • dial *#*#7378423#*#*
  • select Service Test - Wlan
  • connect to an available Wi-Fi network [5]


Protection recommendation: use two-factor authentication wherever possible, and prefer an authenticator app over SMS codes.



Method 19: guest account



On devices running Android 5 and higher there can be several user accounts, and the additional account may have no PIN or pattern lock. To switch, tap the account icon in the upper right corner and select another account:





For an additional account, access to some data or applications may be restricted.



Protection recommendation: keeping the OS updated matters here too. On modern Android versions (9 and up with the July 2020 security patches) the guest account gives an examiner practically nothing.



Method 20: specialized services



Companies that develop specialised forensic software also offer services for unlocking mobile devices and extracting data from them [20, 21]. The capabilities of these services are remarkable: they can unlock top Android and iOS models, as well as devices that have disabled themselves after the number of incorrect passcode attempts was exceeded. The drawback of this method is its high cost.



An excerpt from the Cellebrite website describing which devices they can extract data from. Devices are unlocked in the vendor's own laboratory (Cellebrite Advanced Services, CAS) [20]:





For such a service the device has to be delivered to the company's regional (or head) office; a specialist can also travel to the customer. As a rule, cracking the screen lock code takes about a day.



Security recommendation: there is almost no protection against this, other than a strong alphanumeric password and replacing the device every year.



Continued in part two.



PS: Experts of the Group-IB Laboratory discuss these cases, tools and many other useful techniques of computer forensic work in the Digital Forensics Analyst training course. After completing the 5-day or the advanced 7-day course, graduates will be able to conduct forensic examinations and prevent cyber incidents in their organisations more effectively.



PPS: Group-IB's Telegram channel covers information security, hackers, APTs, cyber attacks, scammers and pirates: step-by-step investigations, practical cases using Group-IB technologies and advice on how not to become a victim. Join!





