clever/you - thoughts about mobile

PINs and Needles

It’s well known that the more complex your password the more secure you will be. Exactly how to achieve that complexity is a matter of some debate, but at least we can all agree that 1234 isn’t going to cut it as your Gmail password.

Alongside complexity sits enforcement: some providers, like Google, simply require a minimum password length. Others are stricter: Apple’s list of requirements is too long to reproduce here, but includes such gems as “passwords must not contain more than 3 consecutive identical characters” and “passwords must have at least one capital letter”.

Despite all this complexity enforcement, many users do indirectly use 1234 to access not just their Gmail, but their social networks, photos, text messages, and more. I am of course talking about the PIN, unchanged since its debut thirty-five years ago, and often the only thing protecting a cellphone.

A Short Historical Detour

The modern PIN was invented by a Scot - either John Shepherd-Baron or James Goodfellow depending on your sources, who both claim some credit to inventing the modern day ATM. Shepherd-Baron’s machine required users to authenticate themselves with a four digit numeric code. Why four digits? Shepherd-Baron claimed his wife vetoed a six digit PIN, as four digits was the most she could remember¹.

Even though ISO 9564 (the international standard for ATM systems) specifies PINs of up to 12 digits should be supported, the overwhelming majority of users and banks have stuck with Shepherd-Baron’s original suggestion of 4 digits.

But what does this have to do with phones? Twenty years ago, when SIM cards were actually the size of credit cards, making calls on the go could be an expensive business - your monthly plan was much more likely to come with 50, rather than 500, minutes. A way was needed to secure a phone and prevent someone running up a huge bill on a phone without the subscriber’s knowledge. A PIN was deemed to be the best option - after all, users were familiar with them from banking - and in 1992 in was mandated that phones should support a four digit security code.

What’s important to note is that at this point PINs didn’t really protect any data outside of an address book: phones made calls, and that was that. As time went on, more and more personal information made its way onto mobile, until we ended up with our phones basically containing carbon copies of our entire lives: our calendars, e-mails, social networks, photos, and more.

PIN Locking

Because a four digit PIN is self evidently not very secure (with only 9,999 combinations to try) both ATMs and mobile phones will lock users out after n number of incorrect attempts. Smartphones can even be setup to erase the entire devices after a set number of tries.

If you have had the misfortune of locking yourself out of your phone you’ll know you typically need to obtain a PUK (‘PIN Unlocked Key’) from your mobile operator. Here we see the first problem with PIN codes: you only need to read about Mat Honan’s recent experience to see that it’s not out of the question for an impostor to convince a customer service rep they’re you.

In fact, this is exactly what News Corporation did in the recent phone hacking scandal - by ringing up telcos and pretending to be subscribers, News of the World employees were able to convince telcos to release PIN codes to them, allowing unfettered access to voicemail accounts.

PIN Breaking

Whilst a four digit PIN is undeniably very insecure, there is of course one thing I’ve omitted - to make any use of it you’re going to need physical access to the phone in question.Still, this doesn’t offer us much hope, given how often phones can be misplaced, left at a desk, or stolen. Let’s assume we have access to the phone we want: how can we get into it?

Guess

Guessing is a risky gamble if you’re entering the codes directly onto the phone, as you may well be locked out. However, it’s not quite as risky as you might think - a University of Cambridge research paper suggests a significant minority use highly guessable PINs such as 1234 or their birthdate/year. Still, guessing is a very clumsy approach.

Brute Force

Given that a phone will typically lock you out after several incorrect attempts you may think you don’t have to worry about brute force. This was certainly true in the past - for a long time, PINs were stored directly on the SIM card. However, smartphones now typically store the PIN in flash memory - once you’ve imaged the phone onto another computer you can carry out an offline dictionary attack, given you as many attempts as you require.

Because a four digit PIN is so short, brute-forcing it is extremely straightforward. How straightforward? Here are some of Apple’s own estimates on how long it would take to crack an iOS 5 device with varying passcode complexities:

Android is not immune either - several forensic houses have documented brute force approaches that can break ten digit PINs in an hour or so. The only

Social Engineering

Whilst not limited to just PINs, the fact users have certain expectations around PINs and phone locking means some very simply social engineering tricks can work exceptionally well. Users are not conditioned to treat phone PINs in the same way as their banking PINs - banks have spent considerable sums of money educating users to ‘shield’ their PINs by covering up keypads.

Phones can also be swapped out with identical devices that display ‘dummy’ lock screens - customs apps that look and behave like a traditional look screen but with one major difference. Rather than unlocking the phone, these apps will transmit the PIN being entered by the user back to you. It’s also going to display an ‘incorrect PIN’ error regardless of what the user entered, and after three attempts it will ‘lock’ the phone.

So?

You may well wonder whether you need to care about any of this. You might never let your phone out of your sight, and the idea that somebody might go to the trouble of duplicating your phone to get access to your PIN may seem laughable.

On the other hand, at this very moment several highly paid executives of News Corporation are awaiting trial for perjury and conspiracy to pervert the course of justice, all relating to offences involving breaking into services protected by four digit PINs. Many of victims were not celebrities, but ordinary people who for whatever reason found themselves in the news.

We’re Stuck in a Hole

Unfortunately, the PIN isn’t going away. Why? Because an expectation has been established: PINs are quick and easy to enter, and allow access to your phone in seconds. Apple is more than happy for you to use an alpha-numeric password, but wave goodbye to your 9-button keypad and hello to a full QWERTY keyboard.

Not to say that manufacturers aren’t trying different things: Google have introduced facial recognition lock screens for Android, although their effectiveness is dubious at best (Jellybean now has an option to require ‘eye blinking’ whilst unlocking, which perhaps tells you how badly the first iteration worked when presented with a photo).

So what can we do to improve PIN security? Whilst users requiring the highest levels of security may well accept using a highly complex password instead, I suspect the average smartphone owner will not. Biometrics are one potential avenue, but without custom hardware such as fingerprint readers the technology simply isn’t there yet.

One thing is certain: until we part ways with the PIN we’ll continue to live in the strange situation whereby your e-mails, social networks, and other sensitive accounts will require a complex password to view through a desktop, but allow total unfettered access with a simple four digit code on your phone.