This will be a Mini Course on Attacking Devices with RF from a hackers perspective
I wanted to learn about hacking devices using radio frequencies(RF) as their communication mechanism , so I looked around the Internet and only found a few scattered tutorials on random things which were either theoretical or narrowly focused. So I bought some hardware and some tools and decided to figure it out myself. The mission was to go from knowing nothing to owning whatever random devices I could find which offer up a good target with multiple avenues of attack and capability for learning. The devices and tools needed are posted below. As we attack more devices, we will post more info on those devices. You can follow us online at the following if your really bored: Twitter: @Ficti0n , GarrGhar
I brainstormed with a friend the following attack avenues for this device:
Ring the doorbell(Our Hello World)
Trigger the motion sensors
Remotely disable the motion sensors
Jam frequencies for Denial Of Service
This blog will cover all of the attacks performed, including code, data captures, so you can follow along even if you don't have all of the exact devices but want to play around with it yourself. These are the the topics covered so you can decide if you want to read further or watch the associated videos linked below.
Using HackRF for RF Replay attacks
Using Yardstick One for Replay attacks
Demodulating and decoding signals for use with RF attacks
Discovering and troubleshooting issues
Coding tools in python and RFCat
RF Jamming Attacks
Video Series PlayList Associated with this blog:
Initial Profiling of our Device:
What does our device do in normal operation?
Taking a look at all the components, there is a receiving station which sets off alarms based on opening doors, motion from a motion sensor and the pressing of a doorbell.
How do they Connect?
All of these devices are only connected to each other via wireless, they are not connected to any sort of local network or wires. So they are all communicating in an unknown frequency we need determine before we can start hacking them.
Determining the Frequency:
To profile our device for the frequency its transmitting on we can use the FCID located on the back of any of the transmitters. We can do this by going to https://fccid.io/ and typing in the FCID from the back of our device. This will provide data sheets, and test reports which contain the information needed to sniff our devices radio transmissions. This site also contains internal device pictures which are useful if you wanted to try hardware hacking. For example looking for Integrated Circuits(IC) numbers or debug interfaces. In this case we only care about the RF frequencies our device is using which happens to be the 315MHz as show below from the fccid website.
Replay attacks with HackRF To Trigger / Disable Sensors:
Armed with the frequency range only and no other information we decided to see if we can just blindly capture and replay a transmissions raw form to perform actions without the legitimate transmitters and without understanding anything.
Below is a photo of the HackRF One hardware used in the first attack and linked above.
Install HackRF Software:
Install on OS X for HackRF is as simple as using Brew install, on Linux use the package manager for your distro:
brew install hackrf
Plug in HackRF and type hackrf_info to confirm its working
Our Hello World attack is a simple replay attack of a raw capture to perform a normal operation initiated by HackRF instead of the device. We can perform this attack without understanding anything about the capture and decoding of signals.
With the HackRF device and 2 simple commands we will capture the transmission and then replay it as if it was from the initial device in its raw format.The following 2 commands are listed below.The -r is used to receive and the -t is used to transmit (RX, TX) you will also notice a -R on the transmit command which continuously repeats in TX mode denoted by "Input file end reached. Rewind to beginning" within the transmit output below. We use this in case the first transmission is not seen by the device. The other switches are for gain.
By using these commands we can capture the motion sensor transmission and replay it in raw format to create a false alarm, we can also capture the doorbell transmission and trigger an alarm.Output of the commands needed to do this are shown below. The video associated with this blog shows the audio and visual output from the alarm system as well as a video form of this blog.
While this is a good POC that we can communicate with the door alert system, this did not provide much of a learning opportunity nor did it drastically reduce the effectiveness of the security system. It only provides false alarms of standard functionality. Lets try doing this the more complicated way by profiling the device a bit more, capturing traffic, reducing the wave patterns to binary, converting to hex and then sending it over another device for a bit more precision and learning opportunity.This will also open up other attack vectors. This sounds complicated, but honestly its not complicated just a bit tedious to get right at first.
Further Profiling our Devices Functionality:
We are easily able to replay functionality when initiating actions ourselves with our HackRF, but what else is going on with the radio transmissions? In order to monitor the transmissions in a very simple way we can use tools such as GQRX with either our HackRF device or an inexpensive SDR Dongle and view the 315MHz radio frequency to see whats happening.
GQRX Install:
You can grab GQRX from the following location for OSX,on linux whatever package manager your distro uses should be sufficient for installing GQRX:
Plug in your SDR dongle of choice (HackRF or RTL-SDR, load up GQRX, and select your device, in this case a cheap 19 dollar RTL SDR:
Select OK and the interface will load up, I made the following changes.
I changed the mode under receiver options on the right hand side to AM for Amplitude modulation.
I changed the MHz at the top to 315000000 since that is what we saw on the fccid.io data sheets.
I then hit play and could view the 315 MHz frequency range.
When triggering any of the transmit devices I saw a spike in the frequency close to the 315 MHz range.I then held down the doorbell button since this transmit device would just keep replaying over and over while pressed. While this was repeating I dragged the bar to match the frequency exactly. Which was actually roughly 314.991.600 give or take.
I then triggered the motion sensor and saw a similar spike in frequency, but I also noticed the motion sensor transmitter sends a 2nd transmission after about 6 seconds to shut off the light on the receiver hub that no more motion is happening. A little testing showed thiswill disable the alarm from triggering during a limited time period.
Can we replay the Motion Sensor Turn off??
I tried to repeat the simple replay attack of turning off the motion sensor with HackRF, however unless your capture timing is perfect to reduce any extra data the sensor disable is rather spotty and still sometimes triggers an alarm. Even with a short capture the raw file was 40mb in size. If you were to try to breach a building and disable its sensors there is a 50% chance or so the motion sensor will be triggered.So this is not a sufficient method of disabling the motion sensor alarm. I only want a 100% chance of success if I was to try to bypass a security system.So we need another technique.I read online a bit and found something about decoding signal patterns into binary which sounded like a good way to reduce the extra data for a more reliable alarm bypass and decided to start with the simple doorbell as a test due to its ease of use, prior to working with less reliable transmissions based on motion and timing.
Decoding Signal Patterns for Sending With The YardStick One:
Below is a picture of the yard Stick tool used in the following attacks
Documented Process:
Based on my online research in order to capture a signal and retransmit using a yardstick we need to do the following:
Record the transmission with the SDR dongle and GQRX
Demodulate and Decode with Audacity into binary (1s & 0s)
Convert the Binary to Hex (0x)
Replay with YardStick in python and RFCat libraries
Troubleshooting Extra Steps:
However I found a few issues with this process and added a few more steps below. I am not trying to pretend everything worked perfectly. I ran into a few problems and these trouble shooting steps fixed the issues I ran into and I will list them below and explain them in this section as we walk through the process:
Record your YardStick Replay with GQRX and adjust the frequency again based on output
Compare your transmission waveform to that of the original transmitters waveform to insure your 1's & 0's were calculated properly
Add somepadding in form of \x00 to the end of your Hex to make it work.
Adjust the number of times you repeat your transmissions
Record Transmission with GQRX:
OK so first things first, load your GQRX application and this time hit the record button at the bottom right side prior to triggering the doorbell transmitter. This will save a Wav file you can open in audacity.
Install Audacity:
You can download audacity at the following link for OSX as well as other platforms. http://www.audacityteam.org/download/You should also be able to use your distro's package management to install this tool if it is not found on the site.
If you open up your wav file and zoom in a little with Command+1 or the zoom icon you should start to see a repeating pattern similar to this:
We need to decode one of these to trigger the doorbell. So we will need to zoom in a bit further to see a full representation of one of these patterns.Once we zoom in a bit more we see the following output which is wave form representation of your transmission. The high points are your 1's and the low points are your 0's:
Decode to binary:
So the main issue here is how many 1's and how many 0's are in each peak or valley?? Originally I was thinking that it was something like the following formatted in 8 bit bytes, but this left over an extra 1 which seemed odd so I added 7 0's to make it fit correctly.(Probably incorrect but hey it worked LOLs)
What the above binary means is that the first high peek was One 1 in length, the first low peek was One 0 in length and the larger low and high's were Three 111s in length. This seemed reasonable based on how it looks.
Try converting it yourself, does it look like my representation above?
Convert to Hex:
In order to send this to the receiver device we will need to convert it to hex. We can convert this to hex easily online at the following URL:
Or you can use radare2 and easily convert to hex by formatting your input into 8 bit byte segments followed by a "b" for binary as follows and it will spit out some hex values you can then use to reproduce the transmission with the yardstick:
In order to send this with the YardStick you will need to use a python library by the name of RFCat which interfaces with your Yardstick device and can send your Hex data to your receiver.We can easily do this with python. Even if you do not code it is very simple code to understand.In order to install RFCat you can do the following on OSX:(Linux procedures should be the same)
Plug in your device and run the following to verify:
rfcat -r
Setting up your python Replay Attack:
First convert our hex from 0xB8 format to \xB8 format and place it in the following code:
Hex Conversion for the python script:
\xb8\x8b\xb8\x88\x8b\xbb\x80
I provided a few notations under the code to help understanding but its mostly self explanatory:
#--------Ring the doorbell--------#:
from rflib import *
d = RfCat() #1
d.setFreq(315005000)#2
d.setMdmModulation(MOD_ASK_OOK) #3
d.setMdmDRate(4800) #4
print "Starting"
d.RFxmit("\xb8\x8b\xb8\x88\x8b\xbb\x80"*10) #5
print 'Transmission Complete'
#--------End Code --------#
#1 Creating a RfCat instance
#2 Setting your Frequency to the capture range from your GQRX output
#3 Setting the modulation type to ASK Amplitude shift keying
#4 Setting your capture rate to that of your GQRX capture settings
#5 Transmit your Hex 10 times
Ring Doorbell with Yardstick (First Attempt):
Plug your YardStick into the USB port and run the above code. This will send over your command to ring the doorbell.
Destroy:ficti0n$ python Door.py
Starting
Transmission Complete
However, this will fail and we have no indication as to why it failed. There are no program errors, or Rfcat errors. The only thing I could think is that that we sent the wrong data, meaning we incorrectly decoded the wave into binary. So I tried a bunch of different variations on the original for example the short lows having Two 1's instead of One and all of these failed when sending with the Yardstick.
Doorbell with Yardstick (TroubleShooting):
I needed a better way to figure out what was going on. One way to verify what you sent is to send it again with the Yardstick and capture it with your RTL-SDR device in GQRX. You can then compare the pattern we sent with the yardstick, to the original transmission pattern by the transmitter device.
The first thing you will notice when we capture a Yardstick transmission is the output is missing the nice spacing between each transmission as there was in the original transmission. This output is all mashed together:
If we keep zooming in we will see a repeating pattering like the following which is our 10 transmissions repeating over and over:
If we keep zooming in further we can compare the output from the original capture to the new capture and you will notice it pretty much looks the same other then its hard to get the zoom levels exactly the same in the GUI:
Hmmm ok so the pattern looks correct but the spacing between patterns is smashed together. After a bit of searching online I came across a piece of code which was unrelated to what I was trying to do but sending RF transmissions with \x00\x00\x00 padding at the end of the hex.This makes sense in the context of our visual representation above being all mashed up. So I tried this and it still failed.I then doubled it to 6 \x00's and the doorbell went off. So basically we just needed padding.
Also I should note that you can put as much padding as you want at the end.. I tried as much as 12 \x00 padding elements and the doorbell still went off. I also then tried a few variations of my binary decoding and some of those which were slightly off actually rang the doorbell. So some variance is tolerated at least with this device.Below is the working code :)
Our Hello World test is a SUCCESS. But now we need to move on to something that could bypass the security of the device and cause real world issues.
The following updated code will ring the doorbell using padding:
Ok so originally our simple HackRF replay had about a 50% success rate on turning off the motion sensor due to extraneous data in the transmission replay and timing issues. Lets see if we can get that to 100% with what we learned about decoding from the doorbell. We will instead decode the signal pattern sent from the transmitter to the receiver when shutting off the alert light, but without extra data. We will send it directly with a Yardstick over and over again and potentially use the devices own functionality to disable itself. This would allow us to walk past the motion sensors without setting off an alert.
The question is can we take the transmission from the Motion Sensor to the Receiver Hub which says motion has ended and use that to disable the Motion Sensor based on a slight delay between saying "there is no motion" and being ready to alert again and bypass the motion sensors security.Lets give it a try by capturing the "motion has ended" transmission with GQRX when the motion sensor sends its packet to the receiver 6 seconds after initial alert and decode the pattern..
Below is a screenshot of the "Motion has ended) transmission in audacity:
So this sequence was a bit different, there was an opening sequence followed by a repeating sequence.Lets decode both of these patterns and then determine what we need to send in order to affect the devices motion turnoff functionality.Below is the zoomed in version of the opening sequence and repeating sequence followed by an estimation of what I think the conversion is.
The opening sequence appears to have all the highs in single 1's format and most of the lows in 3 000's format, below is the exact conversion that I came up with adding some 0's at the end to make the correct byte length…
See what you can come up with,does it match what I have below?
Next up is our repeating pattern which has a similar but slightly different structure then the opening pattern. This one starts with a 101 instead of 1000 but still seems to have all of its 1's in single representations and most of its lows in sets of 3 000's. Below the screenshot is the the binary I came up with.. Write it out and see if you get the same thing?
Hex Conversion:(Used the online tool, R2 didn't like this binary for some reason)
\xA2\xA2\x88\xA2\x8A\x28\xA8\xA2\x8A\x28
Testing / Troubleshooting:
I first tried sending only the repeating sequence under the assumption the opening sequence was a fluke but that did not work.
I then tried sending only the opening sequence and that didn't work either.
I combined the first part with a repeating 2nd part for 10 iterations
The alert light immediately turned off on the device when testing from an alerting state, and from all states stopped alerting completely
Note(My light no longer turns off, I think I broke it or something LOL, or my setup at the time was different to current testing)
In order to send the first part and the second part we need to send it so that we have padding between each sequence and in a way that only the second part repeats, we can do that the following way:
Add the second patterns HEX values and add that with 6 \x00
Now multiply the second part by 10 since in the wave output this part was repeating
Below is the full code to do this, it is the same as the doorbell code with the new line from above and a While 1 loop that never stops so that the device is fully disabled using its own functionality against it :)
SUCCESS
As a quick test if you intentionally trip the sensor and immediately send this code the BEEP BEEP BEEP will be cut short to a single BEEP also the light may turn off depending how its configured. In all cases the motion sensor capability will be disabled. If you turn this script on at any time the sensor is completely disabled until you stop your transmission:
Bypassing the sensors worked, but then I got thinking, so what if the company puts out a new patch and I am no longer able to turn off the sensors by using the devices functionality against itself? Or what if I wanted to bypass the door alert when the door is opened and it breaks the connection?The door alert does not have a disable signal sent back to the receiver, it always alerts when separated.
RF Jamming and the FCC:
One way we can do this is with RF Jamming attacks. However, it should be noted that Jamming is technically ILLEGAL in the US on all frequencies. So in order to test this in a Legal way you will need a walk in Faraday cage to place your equipment and do some testing. This way you will not interfere with the operation of other devices on the frequency that you are jamming.
"We caution consumers that it is against the law to use a cell or GPS jammer or any other type of device that blocks, jams or interferes with authorized communications, as well as to import, advertise, sell, or ship such a device. The FCC Enforcement Bureau has a zero tolerance policy in this area and will take aggressive action against violators. "
Notes On the reality of Criminals:
It should also be noted that if a criminal is trying to break into your house or a building protected by an alert system that uses wireless technologies, he is probably not following FCC guidelines. So assume if you can attack your alarm system in the safety of a Faraday cage.Your alarm system is vulnerable to attack by any criminal. A fair assumption when penetration testing an alarm system your considering for install.You may want devices which are hardwired in as a backup.
There has always been Jammers for things like Cellphones, WiFi networks. With the introduction of affordable software defined radio devices an attacker can jam the 315 frequency to disable your alert system as a viable attack.A simple python script can kill a device in the 315 range and make it in-operable.
Jamming in Python:
I found the below script to be 100% effective while testing within a Faraday enclosure. Basicallythe device pauses in its current operational state, idle state or a alert light state, the device will remain in that state indefinitely until the jamming attack is stopped and the devices are manually reset.
Use a Faraday cage for your security testing:
If you use the below code make sure you use precautions such as Faraday cages to ensure the legal guidelines are met and you are not interfering with other devices in your area. You must assume that radios used by police, fire departments and other public safety activities could be blocked if you are not enclosing your signal. This code is purely for you to test your devices before installing them for the security of your assets.
I call the below program RF_EMP,not because its sending an electronic pulse but because similar to an EMP its disabling all devices in its range.Which is why you need to use a Faraday cage so as not to interfere with devices you do not own.
Below is a simple manually configurable version of this script.
#--------RF_Emp.py Simple Version --------#:
# For use within Faraday Enclosures only
from rflib import *
print "Start RF Jamming FTW"
d = RfCat()
d.setMdmModulation(MOD_ASK_OOK)
d.setFreq(315000000)
d.setMdmSyncMode(0)
d.setMdmDRate(4800)
d.setMdmChanSpc(24000)
d.setModeIDLE()
d.setPower(100)
d.makePktFLEN(0)
print "Starting JAM Session, Make sure your in your Faraday Enclosure..."
d.setModeTX() # start transmitting
raw_input("Unplug to stop jamming")
print 'done'
d.setModeIDLE() # This puts the YardStick in idle mode to stop jamming (Not convinced this works)
#--------End Code --------#
Notes on using Virtual Machines:
You can do your RF testing on a virtual machine with pre-installed tools but its kind of sketchy and you might want to throw your Yardstick against the wall in a fury of anger when you have to unplug it after every transmission. After a few fits of blind rage I decided to install it natively so my tools work every time without removing the dongle after each transmission.
Whats next:
This is it for the first blog.. Other topics will be discussed later, such as attacking devices in a blackbox assessment and configuring your own key fobs. Rolling code devices and bypassing their protections. Monitoring and attacking car components. If you have anything to add or would like to help out.. Feel free to comment and add to the discussion.
We've all been there. You accidentally enter the wrong password into your phone too many times, and suddenly, you're locked out of the device for good. Maybe your kid or a friend of yours took your phone and, as a joke or an accident, entered the wrong code one too many times. Maybe it's your secondary phone and it's been sitting in a drawer for a couple months and now you need it – but you forgot the code. With photos of our friends and family, our entire music collection, and our contacts library saved on our devices, one can't just be expected to hard reset the phone if something goes wrong with the passcode on the device.
Being locked out of our phones feels a lot like being locked out of our entire life. That said, you don't have to worry about trying to find a way out from phone purgatory. If you've accidentally triggered a permanent lockout of your phone, or you're not quite there yet but you know you've forgotten the password, you might feel the need to start panicking. Maybe you haven't forgotten the code to your phone, but you're looking for a smarter way to unlock the device when you're using it day-to-day. If you're curious about how phone unlocks work, whether trying to get into your locked device or just trying to make sure you don't accidentally lock yourself out, you've come to the right guide. With any luck, we'll be able to get you back into your phone without losing an ounce of data. And for those users who haven't lost their passcodes but are simply trying to use their phones in a smarter, more secure way, we have some tips for you too. This is how to unlock your Android phone.
Forgotten Passcodes
You've picked up your phone to check your text messages or your email, only to realize that something is wrong with your passcode. Despite knowing that you've set the password to be, let's say, your first child's birthday, nothing seems to be working. Your phone continues to tell you the password is wrong, but you've checked the spelling three times. Finally, your phone alerts you that you've been locked out of the device for the time being. What to do when you need your phone to pay for groceries, call an Uber, or check Instagram while waiting in line at the bank. If you've forgotten your passcode, you aren't completely out of luck just yet.
Try Variations on Your Passcode
Are you entirely sure you aren't misremembering your password? The first piece of advice we would give you is to ensure your passcode isn't being mixed up, or that you aren't forgetting a key piece of your passcode that happens to come at the end of the phrase. Plenty of us often forget about little tweaks to passwords we've added in order to ensure that our devices are as secure as possible. Here are some tips to making sure you're remembering every piece of your passcode:
Capital letters: If you're using a passcode phrase, you might've forgotten to add in any capital letters to your text. Make sure you remember to place the capital letters correctly as well; we've all forgotten the correct word or letter to capitalize in passcodes like this.
Numbers: Sometimes you forget about the number you added on your passcode a couple days ago. If your passphrase spells out "WaterInJuly382," you'll want to make sure you remember to enter the "382" part of the password. Don't be surprised if you accidentally forget to add the numbers onto your passcode. It happens to the best of us.
Special characters: Just like the capital letters, sometimes we add special characters into our passcodes to make them as complex as possible, only to forget the characters just hours later. Think back to decide whether you added an exclamation point, a dollar sign, or any other special character to your code in order to protect your data. It might make the difference between a lost passcode and saving your data.
Find My Mobile (Samsung Devices Only)
Are you using a Galaxy S9 or a Galaxy Note 8? You might be in luck: Samsung's own Find My Mobile tool features an additional feature not offered by Google's own Find My Device tool. Find My Mobile is similar to Find My Device or Find My Phone on iOS, but developed by Samsung specifically for their devices. For the most part, it does the same stuff you'd expect: Find My Mobile can locate your phone using GPS, make the device ring when you lose it in your couch cushions, and can even backup your data remotely using the web app offered by Samsung. More importantly, however, is the app's ability to unlock your device from your computer even if you've forgotten the passcode for the device.
There's a catch: if you haven't set up your Samsung account on your Galaxy S-device, you won't be able to do this. Like most of Samsung's tools, you need a Samsung account to log into the site and to unlock your device. Assuming you have set up your Samsung account—and haven't forgotten the passcode to that account—you should be able to unlock your device using the Find My Mobile web app here. All you need to do is sign in with your Samsung account, select the option to remotely unlock your device, and you'll be all set to go.
It's important to note that unlocking your device remotely does clear the biometric data off your device, so any fingerprints or iris scans you have saved on your device will have to be added back to your phone – small price to pay for saving your device's data in the long run.
As we mentioned, Google has a similar utility for all Android phones called "Find My Device," which only features the option to lock your device, not unlock it. If you've forgotten your passcode, all Find My Device will do is locate the device by GPS, re-lock the screen, and erase data; it won't be able to unlock the screen from the cloud.
Last Resort: Resetting Your Device
Unfortunately, thanks to the security enhancements added to Android 5.0 and above, most modern devices that aren't made by Samsung will have to be reset in order to bypass the password. Yes, this means you'll need to set your phone up again from scratch, re-downloading apps, music, and any other content you have saved on your mobile device. Being locked out of your device makes it difficult to back up any content on your phone, but if you already have some backup methods put in place, you can trigger them by plugging your phone. Both Google Drive backups (Pixel only) and Google Photos backups are often triggered by plugging your phone into a charger, so making sure your device is plugged in is ideal for guaranteeing that your software is saved. We recommend waiting until morning to reset your device if you're locked out; plenty of these backups happen overnight, including most SMS backups if you have an SMS backup app installed and running on your device.
Because you can't access the settings menu to factory reset your phone, you'll need to either use the hardware buttons on your phone to trigger a reset or use Google's Find My Device page in a web browser to reset the phone. Here's how to do each step:
If you're using Google's Find My Device page, load the URL here, sign into your Gmail account, and make sure your phone is selected. On the right side of the display, you'll see a Google Maps layout with a display showing the current location of your phone. On the left side of the display, you'll see a tab with three options: Play Sound, Lock, and Erase. Hit the Erase option to automatically trigger a device reset. Remember that your phone has to be powered on and connected to the internet in order to use this method.
Now, if you don't have access to the phone and can't use Find My Device to restore the phone over the web, you'll need to rely on the second method. To manually erase the device and reset the phone, you'll need to use the hardware buttons to load into your device's recovery system. This is accomplished a little differently on every phone, so your best option is to search for your phone model on Google with the keywords "boot into recovery." Some devices, like Samsung's lineup of phones, are fairly easy to boot into recovery with; you turn off the phone and press and hold a specific button combination to boot into recovery. Other phones, like Google's Pixel 2 XL, are much more finicky, requiring you to press and hold on one key and press and release another at the right time in order to boot into recovery. There are so many various methods for each Android phone, it's basically a requirement to search for the correct method for your phone to do this.
Once you've booted into recovery mode, use your device's volume up and volume down buttons to scroll through the list until you reach "Wipe Data/Factory Reset." Use the power button to select this option, then confirm your selection on the next display. Your phone will begin to reset; make sure the phone is charged enough to ensure it can last at least 30 minutes without dying. Once your phone has rebooted back to the menu screen, you can set up your device by logging back into the Google account you use for your phone. It is vitally important you use the same Google account you used on your phone prior to resetting. Android has a built-in security protocol known as Factory Reset Protection that requires a recently-reset phone to have the same Google account as previously used on the device in order to prevent a thief from immediately using the stolen phone. If you don't have the password for your Google account, you can reset it, but that means you won't be able to log into your phone for 24 hours after the reset.
Backup + Factory Reset
Probably the best combination of things to do does require you plan ahead, and set up a backup of your phone's data to the Google Cloud. This way, even if you have to reset the phone for whatever reason, a reasonably current set of your phone's data will be available, intact, and ready to get your phone back into action. I will walk you through how to set this up. You will need a Google account for this.
To set up backup, follow these steps.
Go to Settings on your phone.
Select System->Backup.
Select Google backup.
Select "Backup Now"
Your phone will now copy the critical data to your Google account.
Restoring from backup is simple. After you reset your phone and attach your Google account to the phone again, it will automatically restore your data from backup. Running a backup takes only a few minutes on a WiFi connection, or even less if you keep your phone regularly backed up – get into the habit of setting off a backup every night when you go to bed and you will always have a near-realtime backup of your phone.
(Want to backup more than just your phone? You can with one of these speedy 4-TB portable hard drives from Toshiba. You can back up all the computers in your household, and still have room for a thousand movies.)
Unlocking Your Phone with Speed
If you aren't having trouble getting into your phone, but you want to make sure your phone is secure while simultaneously unlocking your phone with some serious speed in order to make your day easier, we have some advice. There are plenty of options for unlocking your device, and they all help to make unlocking your phone easier and to prevent a situation where you forget the code for your phone.
Smart Lock
Smart Lock is one of our favorite tools on Android that is unavailable on other platforms. It makes it easy to make sure your phone is always secure, while simultaneously working to stay out of your way when you want access to your device. Basically, Smart Lock offers Android users several ways to unlock their phones when they're using it, while keeping it locked when it's not near them. To turn on smart lock, you'll need to open up your settings menu on your Android device and head into the Security submenu. Under "Device Security," you'll find an option for Smart Lock. Type in your passcode or password to enter Smart Lock, and you'll be greeted with (as of writing) five unique options for unlocking your phone. Let's break each of these down:
On-body detection: This setting allows you to unlock your device once before disabling the lock for as long as the phone is in your hand or on your person. Using your smartphone's array of sensors, the device tracks when your device is in use, so you can turn the display off but keep the phone unlocked while it's in your hand. When your phone realizes that it's been set down, your phone will automatically re-lock, requiring a password. This isn't the most secure method Smart Lock offers, but it is pretty cool.
Trusted places: Sure, it's one thing to keep your phone locked when you're out on the town, but what about when you're sitting in your apartment watching Netflix and you just want to be able to use your phone without constantly worrying about your password? Trusted places works to use the GPS in your phone to detect that you're in a secure location of your choosing, and automatically keeps your phone unlocked for you. As soon as you leave your location, your phone relocks, keeping things safe and secure for you and your device.
Trusted devices: This might be the best of the five Smart Lock options, because it's ideal for keeping your devices safe when you're nearby and keeping your phone locked when you've left. Do you own a smartwatch, a fitness tracker, a set of wireless headphones, or any other device that syncs over Bluetooth? Trusted devices might be the option for you, allowing you to keep your phone unlocked when your phone is paired with your gadgets. Smartwatches and fitness trackers are ideal for this, but it also helps you keep your phone unlocked when driving in your Bluetooth-equipped car, when running with Bluetooth headphones, or when paired with a set of Bluetooth speakers.
Trusted face: Plenty of phones have had a face unlock feature, though none of them are quite as secure as the FaceID method on the iPhone X. Still, if you want, you can enable Trusted Face on your device in order to allow your camera to automatically unlock your phone when it recognizes you. However, Trusted Faces is much more easily fooled than the above methods, especially since a photo of you—or even a lookalike—could unlock your phone without having to use any security. Use this one with caution.
Voice Match: Voice Match is a bit different than the other options on this list, because largely speaking, it's used to activate Google Assistant more than unlock your device. Here's the deal: turning on Voice Match allows you to access your Google Assistant every time you say "OK Google," even while the screen is off. Once you've enabled that ption, you have a second choice: "Unlock with Voice Match," which allows you to automatically unlock your phone when the sound of your voice saying "OK Google" matches the saved voice model on your device.
You can enable just one or all five of these, so don't worry if you like the idea of Trusted Devices but don't want to use On-Body Detection. If Smart Lock makes you feel like you can't properly keep your smartphone secured while enabling these settings, you don't need to worry. Every Android smartphone with Smart Lock enabled has the ability to lock the device manually, requiring a passcode or fingerprint in order to use the device properly. At the bottom of your lock screen is a small lock icon that allows you the choice of manually locking your phone. How you use it is actually a little different depending on your device; for example, Samsung devices have you press the icon to lock the app, but the Pixel phones have you press and hold the icon.
Once you've done this, your phone will give you a small notification alerting you that your device has been manually locked, and that the device will stay locked until you're ready to manually unlock with either your fingerprint (if you've turned this on) or your passcode. Manually locking your phone disables all smart locks, so even if you turn on a trusted Bluetooth device, you'll have to either input your passcode or password, or use your fingerprint to unlock the device if you have biometric security enabled. We'll talk more about fingerprints in the section below, and more specifically, how you can keep your biometric data from being used against you on upcoming versions of Android.
Smart Lock is one of those features that seems like a no-brainer, since it's so damn easy to setup and use to your benefit. That said, using Smart Lock obviously raises security concerns overall, since it does keep your phone unlocked more often. You'll want to play around with Smart Lock to find the right combination of security and ease of use for you. Maybe that means unlocking the device when it's attached to your car's Bluetooth and when you're at home, but keeping it secured at work and leaving on-body detection disabled. Whatever the right combination is for you will likely be a personal decision, but with five different modes of Smart Lock available, you have plenty of options and combinations to choose from.
Fingerprints
Almost every Android device in 2018 has a fingerprint sensor equipped on the body of the device, allowing you to easily access your content without having to go through the hassle of entering your passcode every time you use your phone. Fingerprints aren't a perfect unlocking method, but they're fast, secure, and can be equipped with up to four fingerprint entries on most phones. If you aren't using the fingerprint sensor on your device, you should enable it if only to create a backup option. Even if you prefer to unlock your phone by using an unlock method like a PIN, pattern, or password, fingerprints are perfect if you're ever in danger of accidentally locking the device without knowing the proper password.
If you aren't one to use fingerprints to unlock your phone, one step you could take to ensure you never forget your passcode is set the fingerprint on your phone to unlock with a finger that isn't your thumb or index finger. For example, try using your pinky finger or your ring finger as a way to program a fingerprint without making it obvious. You'll always have the option to use your fingerprint as a backup if you forget your code, but otherwise, you'll be good to go when it comes to always having a way to unlock your phone. You could also try using the fingerprint of someone you intensely trust, like a partner or a child, if only to keep a backup that doesn't happen to be with you all the time. This is especially good if you're worried about being forced to unlock your phone by law enforcement, a pressing matter that is becoming more prevalent all the time.
Finally, if you're still worried about logging your fingerprints on your Android device due to security concerns, the upcoming release of Android P has a security feature built-in that allows you to quickly disable fingerprint scanning if you find yourself at risk of being forced to unlock your device. Called "lockdown" in the settings menu, the option allows you to immediately disable both fingerprints and Smart Lock, just by using the option that appears within the power menu on the lock screen. It only disables those features for one lock, but if you're in a place where you're worried your biometric or smartwatch lock features might be used against you, it's a great option to feel more secure.
Notes and Reminders
If you're the type of person who likes to use a complex password on their phone and balks at the idea of using any of the smart unlock features we highlighted above, you might want to consider using the lock screen text display as a way to leave yourself helpful notes and tips to make remembering your password that much easier. Every Android device on the market today has support for placing a message on the lock screen, and you can display some pretty long messages. While most people use this as a way to label their phone (the example in Android is "Joe's Android"), you can also use it to set what amounts to old password hints from Windows and other desktop operating systems.
So, for example, if you've set your password as the name and birthdate of your daughter (ie., "elizabeth1217"), you could set the reminder on your lock screen as "ebbirth", for "elizabeth1217." This can be done for any password, even if it's a random phrase. "Candy90erring60Blinders," for example, could be hinted at on your lock screen with "Reese's, Jewelry, Sunlight." You'll still have to work to remember the numbers and the correct words that match up with the other content, but it can go a long way in helping you to remember what your password is without giving it away. Again, this is totally optional, a way for users to remember their long passwords without having to deal with giving it away or writing it down.
Password Managers
This final tip is for those among us who have a reputation for forgetting passwords and passcodes. If you're always worried about losing your password to your phone and getting locked out, you might want to try using a password manager like Lastpass or 1Password, which allows you to save all your passwords in one place with a single unlock, typically requiring a fairly long phrase in order to gain access to your passcodes. We recommend Lastpass for password manager beginners, because it's free and works with all your devices out of the box. We recommend writing the passcode down somewhere safe and secure in your house, then saving your phone's password inside of Lastpass for safekeeping. It might seem like an odd choice, and certainly won't speed up the unlocking process if you do manage to forget your password, but it's always good to have a backup unlock method to keep your phone's data safe.
***
Losing access to your phone is a nightmare. It's where all of your personal data, from bank account information to photos of your family and friends, lives and is kept safe. Being locked out of your data can feel like the end of the world, but luckily, it doesn't have to be. Whether you're worried about locking yourself of your account, or you've recently updated your phone's password and want to make sure you don't lose it, there are plenty of options to ensure you don't lose access. And even if you have, you aren't completely out of luck, thanks to the various options that exist for getting back into your account.
If you're looking for a way to unlock your phone faster, there's all sorts of opportunities to make sure your Android device is ready for you to login without having to enter your password every time. Biometric security has become fairly commonplace in the mobile arena, and likewise, Smart Lock on Android has made it easy to keep your device secure when it needs to be and unlocked when it doesn't. Overall, the security options on Android have become so plentiful that there's no reason not to keep some kind of security on your Android device. Just make sure you remember the password before you save the account information.