If You Think That LG's Knock Code System Is Secure, Think Again
About five years ago, when LG was trying to advertise its then-new Knock Code phone unlocking mechanism, it implied in its video commercials that it brings 'perfect security.' In the 21st century, this is the equivalent of painting a target on your back, and sure enough, albeit five years later, security experts have now proven that Knock Code's security is not, in fact, perfect. Before we get to that, however, let's see what Knock Code is.
How does Knock Code work?
As you may know, many big names in the high-tech industry have embarked on a quest to create a world without passwords, and Knock Code is one potential solution offered by LG. It's an alternative method for unlocking some of the manufacturer's models, and it can be used instead of a password, a PIN, or an Android unlock pattern.
If you enable it, you are given four squares arranged in a 2x2 grid, and you need to pick the succession in which you're going to knock (or tap) them in order to unlock your phone. You can choose to unlock the device with between six and ten knocks, and LG reckons that memorizing them is easier than memorizing a string of letters or numbers.
At the same time, unlike your PIN code, your Knock Code can't be connected to something like your date of birth, so it's arguably more secure as well. In addition to this, when you are unlocking your phone, you can't actually see the Knock Code squares. You can even do it when the screen is off, which makes shoulder surfing much more difficult.
You can see the appeal, and according to experts from the New Jersey Institute of Technology, Ruhr University Bochum, and The George Washington University, in the US alone, between 700 thousand and 2.5 million LG device owners use the Knock Code mechanism. The researchers also found out, however, that the "perfect security" claims may have been a bit too optimistic.
It's far too easy to predict people's behavior
An extensive study into LG's Knock Codes produced a 23-page report. The researchers were very methodical about the experiments, and they used hundreds of test subjects to ensure that their data accurately represents the way people use the system. Unfortunately, if their findings are anything to go by, Knock Codes probably won't be replacing passwords any time soon.
People were just far too predictable when they were asked to create Knock Codes that are supposed to protect their data. Four simple codes accounted for about 18% of all codes created during the study, and although LG's adverts say that there are tens of thousands of different combinations, the thirty most popular sequences made up a whopping 42% of the created Knock Codes.
Obviously, how easy they are to guess depends on a number of different factors, but the researchers estimated that on average, potential attackers won't need that many attempts to successfully crack open a phone secured by a Knock Code. According to the study, around 51% of the Knock Codes could be cracked with thirty guesses or fewer, which is significantly more than the estimated rates for 4-digit and 6-digit PINs and passwords.
Will an updated Knock Codes system fix the issue?
Some of you may think that if users have a larger grid of squares when they create their Knock Codes, they will have more combinations to play with and will therefore be less likely to pick the same ones. It turns out that this isn't the case. Some of the participants were presented with a 2x3 grid, but after the researchers ran their Knock Codes through a simulated attack, they discovered that compared to 2x2 codes, a slightly larger portion of 2x3 codes could be guessed within a reasonable time frame.
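The gap between how many codes are possible and how many guesses are actually needed, discussed in the last two sections, shown as an added Python example (not code from the study or from LG). The enrolment sample is constructed, the function names are hypothetical, and the count assumes any square may be tapped at any step.

```python
from collections import Counter

def keyspace(cells, min_len=6, max_len=10):
    """Count tap sequences, assuming any cell may be tapped at any step."""
    return sum(cells ** n for n in range(min_len, max_len + 1))

def clean(raw_codes, cells, min_len=6, max_len=10):
    """Keep only codes that fit the grid: digits 1..cells, 6 to 10 taps."""
    valid = set("123456789"[:cells])
    return [c for c in raw_codes
            if min_len <= len(c) <= max_len and set(c) <= valid]

def success_rate(codes, guesses):
    """Share of users covered by the `guesses` most common codes."""
    top = Counter(codes).most_common(guesses)
    return sum(n for _, n in top) / len(codes)

def uniform_rate(cells, guesses):
    """The same share if every possible code were equally likely."""
    return min(1.0, guesses / keyspace(cells))

# Constructed sample of 2x2 enrolments (squares numbered 1-4), not study data.
# A few codes repeat, as the study observed; the last entry is malformed.
SAMPLE_2X2 = (
    ["123412"] * 5 + ["111111"] * 3 + ["121212"] * 2
    + ["1324132", "4321432", "2413241", "3142314", "1243124",
       "4312431", "2134213", "3421342", "1432143", "2341234"]
    + ["1256"]
)

if __name__ == "__main__":
    codes = clean(SAMPLE_2X2, cells=4)
    for cells, name in ((4, "2x2"), (6, "2x3")):
        print(f"{name}: {keyspace(cells):,} possible codes, "
              f"uniform chance with 30 guesses = {uniform_rate(cells, 30):.6%}")
    for g in (1, 3, 30):
        print(f"sample: {g:>2} guesses cover {success_rate(codes, g):.0%} "
              f"of {len(codes)} users")
```

The theoretical count grows with the grid, but the share covered by a handful of guesses depends only on how often people pick the same codes, which is what the study measured.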
Opinions are divided on the usability of Knock Codes
Obviously, these attacks were all carried out in controlled conditions. Before you draw any conclusions from the research, you need to look at your threat model and see how likely you are to be targeted by similar brute-force attempts in the real world.
Many people don't perceive this as much of a threat, and because of this, quite a few of the participants in the survey described Knock Codes' security as adequate. When it came to usability, however, things were a lot more divided.
About 20% of participants couldn't remember their Knock Codes a mere ten minutes after they had created them, which shows that people are still not completely used to the idea. Then again, as we mentioned already, a not-inconsiderable number of users have already adopted the system and clearly think that it represents a viable alternative.
Ultimately, LG made a mistake when it used the term "perfect security" in its adverts. Knock Codes can't offer perfect security, and in most cases, they can't even match the traditional PINs and passwords on that front. For some, however, they may offer a quick and intuitive alternative for unlocking a device. Whether you are one of those people is for you to decide.