
PIN-Cracking Robot To Be Showed Off At Defcon

Posted by timothy
from the brute-force dept.
Sparrowvsrevolution writes "At the Def Con hacker conference in Las Vegas early next month, security researchers Justin Engler and Paul Vines plan to show off the R2B2, or Robotic Reconfigurable Button Basher, a piece of hardware they built for around $200 that can automatically punch PIN numbers at a rate of about one four-digit guess per second, fast enough to crack a typical Android phone's lock screen in 20 hours or less. Engler and Vines built their bot, shown briefly in a preview video, from three $10 servomotors, a plastic stylus, an open-source Arduino microcontroller, a collection of plastic parts 3D-printed on their local hackerspace's Makerbot 3D printer, and a five dollar webcam that watches the phone's screen to detect if it's successfully guessed the password. The device can be controlled via USB, connecting to a Mac or Windows PC that runs a simple code-cracking program. The researchers plan to release both the free software and the blueprints for their 3D-printable parts at the time of their Def Con talk."
  • surely you are locked out after 3 unsuccessful attempts on Android?
    • Re:lock out? (Score:5, Informative)

      by Anonymous Coward on Tuesday July 23, 2013 @08:15AM (#44360165)

      "But every Android phone that Engler and Vines tested was set by default to use a much less stringent safeguard, delaying the user just 30 seconds after every five guesses. At that rate, the robot can still guess five PINs every 35 seconds, or all 10,000 possibilities in 19 hours and 24 minutes."

      Not by default.

      • by stewsters (1406737) on Tuesday July 23, 2013 @08:22AM (#44360205)
        By default all you need to is swipe to unlock. That's a far simpler robot.
      • by jodosh (1260096)
        Both my Nexus 4 and my wife's Note 2 lock me out for 30 seconds after 5 incorrect guesses. After the time out I am free to make 5 more guesses before I hit another 30 second delay. So Android users who use PINs to lock their phone do seem to be vulnerable to this brute-force attack. Seems easy enough for Google to fix: double the timeout each time, maybe even have the option of having the phone email you with its location and a time stamp after 15 incorrect guesses.
        • by ColdWetDog (752185) on Tuesday July 23, 2013 @10:57AM (#44361661)

          Or, just don't hand your phone to people carrying silly looking robot parts that want to borrow your device for "19 hours".

          Problem solved!

      • by Nerdfest (867930)

        Why have they made the assumption that a PIN is 4 digits? Mine is 8, and you can set a password instead if you wish.

        • by Zalbik (308903)

          Why have they made the assumption that a PIN is 4 digits? Mine is 8, and you can set a password instead if you wish.

          Oh big deal, it will only take twice as long then! I'm certain if they are willing to wait 20 hours, they are willing to wait 30.

          P.S.
          Please note that the above post is intended as humor and should not be taken as a serious representation of mathematical reasoning.

        • And why not use the pattern-lock feature instead? Much more natural than typing in a PIN, and still very secure.

          • And why not use the pattern-lock feature instead? Much more natural than typing in a PIN, and still very secure.

            Don't forget to wipe your finger grease off the screen every time. In my case it's only enabled because Android insisted on it when I added a VPN, and the marks come in handy if I go out in sunlight without remembering to turn up the brightness.

            • True, but even with a visible finger grease smear, my sister couldn't actually figure out the unlock pattern on my tablet. I'm not sure if you can re-use nodes, but if you can then it would help to make things even more confusing.

              • by ahadsell (248479)

                You can't re-use nodes, but you _can_ put in crossing lines, which makes the grease smears less useful.

        • by Meski (774546)
          Because that is the minimum, and people are lazy.
      • by Digicrat (973598)

        This just follows with the obvious: Once somebody has physical access to your device, it will be compromised sooner or later.

        If you're really paranoid, you can set an Android phone (at least if it's rooted) to wipe the phone after some number of failed unlock attempts using a program such as DelayedLock.

      • "But every Android phone that Engler and Vines tested was set by default to use a much less stringent safeguard, delaying the user just 30 seconds after every five guesses. At that rate, the robot can still guess five PINs every 35 seconds, or all 10,000 possibilities in 19 hours and 24 minutes."

        Not by default.

        ===
        Why release such a product? Are they on an ego trip to help the street gangs that break into cars or attack people for their cellphones?

        If they go beyond describing it, I would call them accomplices to crime the next time a criminal (builds and) uses one of their robots for a stolen cellphone.

    • by mercnet (691993)
      I thought if you forgot your pattern or pin, then it asks you to authenticate with your google account. If user remembers that, they can login to the phone. Wouldn't this prevent X number of guesses from being made?
    • There's 389112 possible combinations. Most phones lock for 5 minutes after 3-5 tries. That's about 270 days minimum to fully brute the unlock.

  • by grimJester (890090) on Tuesday July 23, 2013 @08:12AM (#44360131)
    I'm always amazed when passwords are locked out after just three or five attempts. Allowing a hundred would still protect against brute force, while never being a problem for an actual human being. Even better would be to start with a one second delay, doubling it every time, so a brute force attempt would take ages but a human only gets some time to think.
    • by Anonymous Coward

      I think 3-5 attempts before lock out is acceptable.

      Allowing ~100 provides more guesses to a would be attacker who could well be someone who is aware or able to guess various pins you use/have used or the method you use to generate such pins i.e. it may be someone who knows the birthdays of your entire family and that you use birthdays as pins.

      3-5 would still present a challenge of which of their educated guesses to try first.

      Further, in my experience, if I've tripped a lock out it's usually because I've for

      • The problem is that you can set someone up for a DoS with this approach. Want to lock a coworker out from his account and cause him to miss a deadline? Just log on as him three times, with a false password of course, and you delay him by whatever amount of time it takes IT to reset his password. Depending on their speed and skill, this may be some time, not to mention that if you do it repeatedly it might just give that coworker other problems when IT starts to complain about him and his inability to rememb

        • Then IT will examine the logs and discover the source of the lockout. Lockouts are clearable on most systems without resetting the password and after the 2nd or 3rd time it happens, IT will get interested.

          • In today's open space cubicle driven offices it's usually trivial to use a computer of a coworker who's currently at lunch. And aside of VPN (which sadly 'til today is usually only secured by user/pass and less by IP or even device) there are quite a few other options that can make it trivial to hide your actual source.

            Seriously, nothing's easier than mobbing a coworker by DoS. I've had to deal with it a few times so far (yes, such a problem is part of a CISOs job and yes, my solution was simply to NOT lock

        • by mutube (981006)

          I had a similar problem with a bank account with the Royal Bank of Scotland. They lock you out of your bank account after 3 failed attempts to enter the correct password for a given customer number. Unfortunately because this number was similar to one for another account I kept mistaking the last few digits when typing it in. A few tries using my correct password and it'd lock up and tell me to phone customer services (up to a 15 minute phone call) to find out my account wasn't locked at all. I asked but (u

    • by havarh (1429591)
      Like iOS does it? Starting with 1 minute after 6 failed attempts, and then increasing the delay each time another pin code is entered.
    • by AmiMoJo (196126)

      The top three are:

      111
      123
      456

      Even three attempts already gets you 50% of all PIN codes.

    • by SQLGuru (980662)

      So, if I watch you unlock your phone once, I can usually narrow each choice down to 4 digits based on the position of your finger (256 choices without knowing any)..... if I can glimpse even one of your digits without knowing position, I can get that number down to 192. If I can identify that digit as early or late or middle, that drops to 128. If I have 100 tries, I don't really need to worry about being locked out.

      If I have all but two of your digits, I don't have to worry about lockout at all.

    • by tsa (15680)

      2^n seconds would be better, where n is the number of attempts done.

  • by Jawnn (445279) on Tuesday July 23, 2013 @08:13AM (#44360133)
    We can't have every clever Tom, Dick, and Harry breaking the privacy and security of people's mobile devices and whatnot. That's our job and we'll thank you to not meddle with our business. Besides, your "invention" is clearly a tool for teh terrorists and will be classified as a munition by the end of the week. See if you can "spot the fed" with a black bag over your head.
    Your Friends,

    The NSA
    • I think it's a mistake to have these events hosted in the US. First, they can arrest a guy at the drop of a hat, and then they can use the Invention Secrecy Act [wikipedia.org] to block further disclosure. Let's try not to forget our friend Dimitry..

  • by Anonymous Coward on Tuesday July 23, 2013 @08:13AM (#44360137)

    When I don't even see the word - cloud - in the story?
    Cloud it up man! Send those pins to the cloud!

    • Hey, it has 3D printing, it has Arduino, it has Android, that trumps that petty "cloud" in buzzword compatibility by some leaps and bounds on /.

      Get with the times, man.

    • Yeah, sometimes it does seem like the writers who used to work on the Smurfs are now writing "tech" stories...

      Papa Cloud: "Why don't you cloud on down to the store and pick up some cloud-berries?"

      Brainy Cloud: "I will, right after I finish clouding up the cloud-mobile!"

      Cloudette: "We'll use them to cloud up the best cloud-cakes ever!"

  • by platypussrex (594064) on Tuesday July 23, 2013 @08:15AM (#44360161)
    different phones have lockouts, and delays for new guesses based on wrong guesses. TFA mentions the delays, but not the data wipes. The whole thing seems a bit silly. There are easier ways to hack into most phones than brute forcing the pin with a robot.
    • by Splab (574204)

      You know what? All that lock picking they practice is also stupid, you can force your way in with a crowbar a lot faster.

      Or the ATM jackpot hack, what's the point when a gun and a bank gets the same result faster...

      • by Dynedain (141758)

        Not sure how a crowbar would help you gain access to a smartphone's contents.

        • by Splab (574204)

          Other than you missing the point by a mile or so, a crowbar can be used to beat the person to handing over the code.

    • by Bigby (659157)

      Like calling up the owner on their home/work phone and telling them you (the cell carrier) noticed that their phone was stolen. Then ask them for their pin so you can "find the location".

      Done.

    • by fermion (181285)
      It is interesting in the fact that someone actually built something and put it into a form that others can replicate. This exercise, no matter how silly the actual product, is always of value.

      The thing with such devices is what is the return on investment. Is there anything of value on a typical phone that would justify the average 10 hours to break in, other than just to say you did it? Well yes if you want to check on the text message of a lover who you think has other partners maybe, but it seems that u

    • There are easier ways to hack into most phones than brute forcing the pin with a robot

      For sure. Speaking in terms of a 'brute force' crack, I'd use the monkey method...

      Assuming you could get past being 'locked out' after x incorrect attempts, I'd get 4-5 friends together and have one sit out and enter passwords while the rest play hold 'em or Goldeneye or w/e. You could rotate every 4 hours or whathaveyou.

      I know my solution doesn't 'scale' but I don't think this robot scales any better, comparatively. That'

  • by 140Mandak262Jamuna (970587) on Tuesday July 23, 2013 @08:22AM (#44360209)
    The screen would be locked out after every failed unlock attempt for the duration of t milliseconds, t = 1 * 2^(n), where n = nth consecutive failed unlock attempt. My quick calculation shows the 50th unlock attempt would take 35000 years. The tenth unlock attempt would take 1 sec. Ravi S
    • A patient prankster could make your phone unusable for a good long while. Similarly, setting your phone somewhere overnight that periodically tries to unlock the phone would mean you couldn't use it for 16 hours or so.
  • by BobNET (119675) on Tuesday July 23, 2013 @08:25AM (#44360233)

    My PIN is 9999, it'll be the last number it could possibly try!

    And I'm sure in the 20 hours it takes to get that far, someone will notice and say "hey, Bob, why is there an android trying to break into your Android phone?"

    • My PIN is 9999, it'll be the last number it could possibly try!

      This alludes to a somewhat valid sidebar. A more intelligent algorithm would crack most passwords much more efficiently than a sequential brute force. E.g. prioritize
      - digits in forward or reverse sequence
      - repeated digits or repeated pairs
      - digits that can represent dates

      In fact, a quick google search (!) reveals that there are quite a few shortcuts they could build into the scheme before resorting to pure brute. There's no sense giving up on efficiency just because the speed is alr

    • by Bigby (659157)

      I would assume some simple optimizations would be added to the robot. Like, first try 0000, 1111, 1234, 0123, 9999, 6969, etc... Try all repeating and sequential digits first. Then try all possible dates in format MMDD and then DDMM. Then do the rest.

  • by Nuffsaid (855987) on Tuesday July 23, 2013 @08:28AM (#44360251)
    My robot can crack a typical Android phone's screen with just one vigorous hit!
  • by Anonymous Coward

    to be shown

  • Every developer has USB debugging enabled and 'phone rooted, after all.

    • by Pow (107003)

      Recent Jellybean versions require adb authentication. You have to accept adb client's private key from the phone and the phone has to be unlocked before you can do so.

  • by Lucas123 (935744)
    What a clever name /s. And what a great idea: Create a robot that can perform brute-force attacks on smart phone PINs. I wonder why someone would want to build that? At $200, I'm sure they'll be making a small fortune hawking it to every sleazy phone thief.
    • What a clever name /s. And what a great idea: Create a robot that can perform brute-force attacks on smart phone PINs. I wonder why someone would want to build that? At $200, I'm sure they'll be making a small fortune hawking it to every sleazy phone thief.

      You could outsource this to India or China, have your employees follow exactly the same approach and save money - cheap human laborers can take care of all the intermediate steps the robots can't, and can do the robot's task as well. Seems like the robot is superfluous.

  • Just program in a lock with a progressive time interval for each failed attempt. Each failed attempt causes you to have to wait longer to try again. If you limited failed attempts to say, 50 consecutive failed attempts per day, then you could easily stretch out the time to brute force crack the key to months.
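
Several commenters above (grimJester's doubling delay, tsa's 2^n seconds, 140Mandak262Jamuna's 2^n milliseconds, the iOS-style escalation, and this progressive-interval suggestion) are proposing throttling policies, and one reply points out the cost: a prankster who burns attempts locks the real owner out too. The calculator below is an added example, not code from the thread or from the R2B2 project. It encodes the policies as the commenters describe them (the one-guess-per-second rate and the "30 s after every 5 failures" default are taken from the story; the rules are parameterised from the comments, not from any vendor specification) and computes both sides of the trade-off: time for a sequential attacker to reach a given guess, and how long the owner waits after someone else's k failures. Timings are integer milliseconds so the doubling policies never overflow.

```python
"""Lockout-policy calculator: attacker time-to-exhaust versus owner lockout.

Added example (not from the Slashdot thread or the R2B2 project). Delay rules
are modelled from the commenters' descriptions, not from any vendor's code.
"""

from typing import Callable

GUESS_MS = 1_000                   # constructed: one four-digit entry per second, as in the story
PIN_SPACE = 10_000                 # all four-digit PINs
MS_PER_YEAR = 1_000 * 31_557_600   # 365.25 days

DelayRule = Callable[[int], int]   # consecutive failures so far -> forced pause in ms


def delay_fixed_window(n_failed: int) -> int:
    """Default described in the thread: a 30 s pause after every fifth failure."""
    return 30_000 if n_failed % 5 == 0 else 0


def delay_doubling_seconds(n_failed: int) -> int:
    """grimJester's proposal: 1 s after the first failure, doubling on each further one."""
    return 1_000 * 2 ** (n_failed - 1)


def delay_doubling_millis(n_failed: int) -> int:
    """140Mandak262Jamuna's formula: t = 2^n ms after the n-th consecutive failure."""
    return 2 ** n_failed


def time_to_attempt_ms(g: int, delay: DelayRule) -> int:
    """Milliseconds elapsed when guess number g is entered, every earlier guess
    having failed.  Failure number n triggers delay(n) before guess n + 1."""
    return g * GUESS_MS + sum(delay(n) for n in range(1, g))


def worst_case_exhaust_ms(delay: DelayRule) -> int:
    """Time for a sequential attacker to enter the last of the 10,000 PINs."""
    return time_to_attempt_ms(PIN_SPACE, delay)


def owner_lockout_ms(k_bad_attempts: int, delay: DelayRule) -> int:
    """Pause the legitimate owner faces after k consecutive failures made by someone else."""
    return delay(k_bad_attempts)


def fmt_duration(ms: int) -> str:
    """Human-readable duration using integer arithmetic only, so astronomically
    large values (2^9999 ms and the like) are still printable."""
    years = ms // MS_PER_YEAR
    if years >= 1_000_000:
        return f"about 10^{len(str(years)) - 1} years"
    if years >= 1:
        return f"{years:,} years"
    days, rem = divmod(ms // 1_000, 86_400)
    hours, rem = divmod(rem, 3_600)
    minutes, secs = divmod(rem, 60)
    return f"{days}d {hours:02d}h {minutes:02d}m {secs:02d}s"


if __name__ == "__main__":
    policies = {
        "30 s per 5 failures": delay_fixed_window,
        "1 s doubling":        delay_doubling_seconds,
        "2^n ms":              delay_doubling_millis,
    }
    for name, rule in policies.items():
        print(f"{name:22s}"
              f" exhaust 10,000 PINs: {fmt_duration(worst_case_exhaust_ms(rule)):>18s}"
              f" | 50th guess: {fmt_duration(time_to_attempt_ms(50, rule)):>16s}"
              f" | owner wait after 20 bad tries: {fmt_duration(owner_lockout_ms(20, rule))}")
```

Running it shows the shape of the trade-off the thread circles around: the fixed 30-second window never costs the owner more than half a minute but lets a sequential attacker finish all 10,000 PINs in under 20 hours; doubling whole seconds makes exhaustive search absurd but leaves the owner locked out for six days after twenty bogus attempts; the 2^n-millisecond variant still puts the 50th guess tens of thousands of years away while a human who triggers twenty failures waits about seventeen minutes.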

  • Three servomotors? They built the thing like it was a delta 3D printer. They should have used 10 solenoids instead.

    • by Anonymous Coward

      Three servomotors? They built the thing like it was a delta 3D printer. They should have used 10 solenoids instead.

      If all Android phones had the same screen size and input spacing, then yes, your solution would be more elegant. But they do not, so yours is not.

  • An Android phone will lock you out of entering a code, instead requiring email verification, after about 20-30 failed attempts. Good thing I also use a combo longer than 4 digits.

    And what about most Android phones that are configured to use pattern lock? What about an Android phone that's encrypted, which uses a different entry panel and display for unlocking at boot time?

    Nice toy, not really effective.

  • R2B2 needs to scan the phone surface for finger smudges from previous unlocks. They could eliminate 6 or more digits, leaving 256 potential combinations.
    • Not quite. If there are exactly four smudges then you can deduce that it's a 4 digit password with no digits repeated, this makes 4! or 24 combinations. If there are only three smudges then one digit is repeated then there's 3*(4!/2!) = 36 possible combos. But then if there's two smudges you have either each one repeated twice or one repeated three times = 2*(4!/3!) + (4!/(2!*2!)) = 8 + 6 = 14. One smudge makes 1 combo of course. Worst case is 48 though.
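
The two posts above count by hand how much of the PIN space survives when the smudged keys are visible: 256 if four touched keys are seen but repeats are not ruled out, and 24, 36, 14 or 1 candidates for four, three, two or one distinct keys once each smudge is taken to mean "pressed at least once". The function below is an added example, not code from the thread, that generalises the count to any PIN length: the number of length-n PINs over exactly the k observed digits is k! times a Stirling number of the second kind S(n, k). It also verifies the hand counts by checking that summing over every possible set of touched keys recovers the full 10,000-PIN keyspace, and shows why Nerdfest's 8-digit PIN matters even against a smudge reader.

```python
"""Residual PIN candidates after a smudge leak.

Added example (not from the Slashdot thread): general form of the
commenters' hand counts.  Candidates = k! * S(n, k), where n is the PIN
length, k the number of distinct smudged keys, and S is a Stirling number
of the second kind (each observed key is pressed at least once).
"""

from functools import lru_cache
from math import comb, factorial, log2


@lru_cache(maxsize=None)
def stirling2(n: int, k: int) -> int:
    """Stirling number of the second kind: ways to split n labelled PIN
    positions into k non-empty, unlabelled groups (one group per digit)."""
    if n == k:
        return 1
    if k == 0 or k > n:
        return 0
    return k * stirling2(n - 1, k) + stirling2(n - 1, k - 1)


def candidates_exactly(pin_len: int, smudged_keys: int) -> int:
    """PINs of length pin_len that use every one of the smudged_keys distinct
    digits at least once: the candidate set implied by k clean smudges."""
    return factorial(smudged_keys) * stirling2(pin_len, smudged_keys)


def candidates_with_repeats(pin_len: int, smudged_keys: int) -> int:
    """Looser bound used in the first post: any length-pin_len string over the
    k touched digits, when you cannot tell whether a key was pressed twice."""
    return smudged_keys ** pin_len


def total_over_all_smudge_patterns(pin_len: int, digits: int = 10) -> int:
    """Consistency check: summing candidates over every possible set of touched
    keys must give back the whole keyspace digits ** pin_len."""
    return sum(comb(digits, k) * candidates_exactly(pin_len, k)
               for k in range(1, min(pin_len, digits) + 1))


def residual_bits(pin_len: int, smudged_keys: int) -> float:
    """Guesswork left, in bits, once the set of touched keys is known."""
    return log2(candidates_exactly(pin_len, smudged_keys))


if __name__ == "__main__":
    for k in range(4, 0, -1):
        print(f"4-digit PIN, {k} smudged key(s): {candidates_exactly(4, k):>3} candidates")
    print("4 smudges, repeats not ruled out:", candidates_with_repeats(4, 4))
    print("8-digit PIN over 4 smudged keys:", candidates_exactly(8, 4))
    print(f"bits left for a 4-digit PIN with 4 smudges: {residual_bits(4, 4):.2f} of 13.29")
    assert total_over_all_smudge_patterns(4) == 10_000
```

The point for a defender is the size of the collapse: a four-digit PIN drops from 13.3 bits to under 5 once its four keys are visible, whereas an eight-digit PIN typed over the same four smudged keys still leaves over 40,000 candidates, more than the entire four-digit keyspace. Wiping the screen, or using a longer PIN, are the two ways the numbers above get better.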
  • If you have access to the hardware, then the software security doesn't matter. Encryption aside, of course.
  • So, um, randomize the locations of each number (and not always on a small 4x4 grid) and possibly use captcha-like effects to frustrate OCRing the display? Of course even better might be to do something like MS research suggested, using pictures. But instead of mere pictures, use a whole host of pictures. So, your password could be cat, dog, cat, fish, airplane, or whatever (not unlike some new captchas). I'd imagine that'd also encourage longer passwords, as every login is a new chance to see even more

  • Many Android devices support USB input devices - both my Galaxy S3 as well as my Nexus 7 happily accept USB keyboards even when requesting the encryption PIN during bootup. I programmed an ATMEL ATMega32U4 (microcontroller with USB interface) with a simple program that iterates through every possible PIN, waiting for 30 seconds after 5 or 10 tries. If the system continues booting, the controller recognizes this by "pinging" the CAPSLOCK LED: if "hitting" CAPSLOCK does not change the LED state, the system h
  • I assume using around 12 styluses of fixed position would have allowed for much faster bruteforce (10 for the digits, 2 for the ok buttons). Moving a stylus around is simply too slow compared to down-up movements.
