Wednesday, August 1, 2012

Cracking Android gesture patterns

On Android devices, the gesture lock pattern is stored in the /data/system/gesture.key file in a rather insecure format. The file consists of the SHA-1 hash of the gesture pattern - unsalted! Since the gesture pattern space is relatively small, it is feasible to create a rainbow table with all the possible patterns and the corresponding hashes. In fact, such rainbow tables already exist. To retrieve the gesture lock pattern, once you have acquired the gesture.key file (through the JTAG hardware interface or through adb), you can look the hash up in the rainbow table:

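$ wget 'http://www.android-forensics.com/tools/AndroidGestureSHA1.rar'
$ unrar x AndroidGestureSHA1.rar
# Assumption: the archive unpacks to AndroidGestureSHA1.txt.
# -i is needed because xxd prints lowercase hex and the table uses uppercase.
$ grep -i "$(xxd -p gesture.key)" AndroidGestureSHA1.txt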
56742391;04 05 06 03 01 02 08 00;4895B0FDC65F7802D165140BF1A77B982BD98779 

There it is, '56742391'. As was demonstrated, the gesture lock pattern is very easy to recover, and you shouldn't rely on it for security!

~ Dmitry
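
Why the missing salt matters, as an added example (not code from the original post): this Python sketch counts every pattern the lock screen accepts and reproduces the byte encoding shown in the table row above. It assumes the stock rules of 4 to 9 distinct dots, where a stroke may pass over a dot only if that dot was already visited; the function names are illustrative.

```python
import hashlib

# Dots are numbered 0-8, row by row. MIDDLE[(a, b)] is the dot lying exactly
# between a and b; the stroke a -> b is legal only if that dot is already used.
MIDDLE = {}
for a in range(9):
    for b in range(9):
        ra, ca, rb, cb = a // 3, a % 3, b // 3, b % 3
        if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
            MIDDLE[(a, b)] = ((ra + rb) // 2) * 3 + (ca + cb) // 2


def space_by_length(min_len=4, max_len=9):
    """Return {length: number of valid patterns} for the 3x3 grid."""
    counts = dict.fromkeys(range(min_len, max_len + 1), 0)

    def walk(path):
        if len(path) >= min_len:
            counts[len(path)] += 1
        if len(path) == max_len:
            return
        for nxt in range(9):
            if nxt in path:
                continue  # each dot may be used once
            mid = MIDDLE.get((path[-1], nxt)) if path else None
            if mid is not None and mid not in path:
                continue  # would jump over an unvisited dot
            walk(path + [nxt])

    walk([])
    return counts


def gesture_digest(digits):
    """Encode a pattern written with dots 1-9 as bytes 0-8 and hash it, unsalted."""
    raw = bytes(int(d) - 1 for d in digits)
    return raw, hashlib.sha1(raw).hexdigest().upper()


if __name__ == "__main__":
    counts = space_by_length()
    for length, n in counts.items():
        print(f"{length} dots: {n}")
    print("total patterns:", sum(counts.values()))
    raw, digest = gesture_digest("56742391")  # pattern from the post
    print(raw.hex(" "), digest)
```

Because the hash has no salt, the same pattern produces the same gesture.key on every device, so one precomputed table of this size covers all of them.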

1 comment:

  1. On Windows, what is the equivalent of: grep `xxd -p gesture.key` AndroidGestureSHA1.rar? The command grep exists:

    C:\Users\Luser\Downloads>grep `xxd -p xc.txt` AndroidGestureSHA1.rar
    Error: Invalid option -p

    C:\Users\Luser\Downloads>dir xc.txt
    Volume in drive C is Windows8_OS
    Volume Serial Number is 4AF2-91A4

    Directory of C:\Users\Luser\Downloads

    12/01/2013 08:28 PM 20 xc.txt
    1 File(s) 20 bytes
    0 Dir(s) 793,492,500,480 bytes free

    C:\Users\Luser\Downloads>dir AndroidGestureSHA1.rar
    Volume in drive C is Windows8_OS
    Volume Serial Number is 4AF2-91A4

    Directory of C:\Users\Luser\Downloads

    12/02/2013 08:40 PM 26,713,032 AndroidGestureSHA1.rar
    1 File(s) 26,713,032 bytes
    0 Dir(s) 793,492,500,480 bytes free

    C:\Users\Luser\Downloads>


    not xc.txt = gesture.key

    I followed this:
    http://resources.infosecinstitute.com/android-forensics-cracking-the-pattern-lock-protection/?goback=.gde_4161792_member_267222081#!

    and it worked!!!

    Thanks
