Skip to content

T1461 Lockscreen Bypass

An adversary with physical access to a mobile device may seek to bypass the device’s lockscreen.

Biometric Spoofing

If biometric authentication is used, an adversary could attempt to spoof a mobile device’s biometric authentication mechanism123.

iOS partly mitigates this attack by requiring the device passcode rather than a fingerprint to unlock the device after every device restart and after 48 hours since the device was last unlocked 4. Android has similar mitigations.

Device Unlock Code Guessing or Brute Force

An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (“shoulder surfing”) the device owner’s use of the lockscreen passcode.

Exploit Other Device Lockscreen Vulnerabilities

Techniques have periodically been demonstrated that exploit vulnerabilities on Android 5, iOS 6, or other mobile devices to bypass the device lockscreen. The vulnerabilities are generally patched by the device/operating system vendor once they become aware of their existence.

Item Value
ID T1461
Sub-techniques
Tactics TA0027
Platforms Android, iOS
Version 1.1
Created 25 October 2017
Last Modified 03 February 2019

Mitigations

ID Mitigation Description
M1012 Enterprise Policy Enterprises can provision policies to mobile devices to require a minimum complexity (length, etc.) for the device passcode. Enterprises can provision policies to mobile devices to cause the device to wipe all data if an incorrect passcode is entered too many times. Both policies would mitigate brute-force, guessing, or shoulder surfing of the device passcode. If desired, enterprises can provision policies to mobile devices to disallow biometric authentication. However, biometric authentication can help make “using a longer, more complex passcode far more practical because you don’t need to enter it as frequently.”7
M1001 Security Updates -
M1006 Use Recent OS Version -

References

Back to top