PIN-Cracking Robot To Be Showed Off At Defcon
Sparrowvsrevolution writes "At the Def Con hacker conference in Las Vegas early next month, security researchers Justin Engler and Paul Vines plan to show off the R2B2, or Robotic Reconfigurable Button Basher, a piece of hardware they built for around $200 that can automatically punch PIN numbers at a rate of about one four-digit guess per second, fast enough to crack a typical Android phone's lock screen in 20 hours or less. Engler and Vines built their bot, shown briefly in a preview video, from three $10 servomotors, a plastic stylus, an open-source Arduino microcontroller, a collection of plastic parts 3D-printed on their local hackerspace's Makerbot 3D printer, and a five dollar webcam that watches the phone's screen to detect if it's successfully guessed the password. The device can be controlled via USB, connecting to a Mac or Windows PC that runs a simple code-cracking program. The researchers plan to release both the free software and the blueprints for their 3D-printable parts at the time of their Def Con talk."
lock out? (Score:1)
Re: (Score:1)
The fuck? It's that easy to cause hassle?
Yes, I know a destructive colleague could just smash the 'phone, but there's a psychological barrier between causing mischief by swiping your hand across a screen, and being a physical vandal.
Re: (Score:2)
With newer phones being synced to the cloud, wiping my phone is less of an issue today than it was a few years ago...
Re: (Score:1)
And that since it is a blackberry, which I would think would be connected to a BES, it is only wiping corporate "cloud" stored information. BTW, this feature is why BB has been so strong for the enterprise.
Re:lock out? (Score:5, Informative)
"But every Android phone that Engler and Vines tested was set by default to use a much less stringent safeguard, delaying the user just 30 seconds after every five guesses. At that rate, the robot can still guess five PINs every 35 seconds, or all 10,000 possibilities in 19 hours and 24 minutes."
Not by default.
Re:lock out? (Score:4, Funny)
Re: (Score:2)
Re:lock out? (Score:5, Funny)
Or, just don't hand your phone to people carrying silly looking robot parts that want to borrow your device for "19 hours".
Problem solved!
Re: (Score:1)
Re: (Score:2)
http://xkcd.com/936/ [xkcd.com]
Re: (Score:2)
Re: (Score:2)
Or just use a longer PIN than 4 digits. Even a 5 digit pin would extend 20 hours to about a week.
Re: (Score:3)
Why have they made the assumption that a PIN is 4 digits? Mine is 8, and you can set a password instead if you wish.
Re: (Score:2)
Oh big deal, it will only take twice as long then! I'm certain if they are willing to wait 20 hours, they are willing to wait 30.
P.S.
Please note that the above post is intended as humor and should not be taken as a serious representation of mathematical reasoning.
Re: (Score:2)
And why not use the pattern-lock feature instead? Much more natural than typing in a PIN, and still very secure.
Re: (Score:2)
And why not use the pattern-lock feature instead? Much more natural than typing in a PIN, and still very secure.
Don't forget to wipe your finger grease off the screen every time. In my case it's only enabled because Android insisted on it when I added a VPN, and the marks come in handy if I go out in sunlight without remembering to turn up the brightness.
Re: (Score:2)
True, but even with a visible finger grease smear, my sister couldn't actually figure out the unlock pattern on my tablet. I'm not sure if you can re-use nodes, but if you can then it would help to make things even more confusing.
Re: (Score:1)
You can't re-use nodes, but you _can_ put in crossing lines, which makes the grease smears less useful.
Re: (Score:2)
Re: (Score:2)
This just follows with the obvious: Once somebody has physical access to your device, it will be compromised sooner or later.
If you're really paranoid, you can set an Android phone (at least if it's rooted) to wipe the phone after some number of failed unlock attempts using a program such as DelayedLock.
Re: (Score:2)
Why release such a product? Are they on an ego trip to help the street gangs that break into cars or attack people for their cellphones?
If they go beyond describing it, I would call them accomplices to crime the next time a criminal (builds and) uses one of their robots for a stolen cellphone.
Re: (Score:1)
It's 270 Days to Brute Force (Score:2)
There's 389112 possible combinations. Most phones lock for 5 minutes after 3-5 tries. That's about 270 days minimum to fully brute the unlock.
Re: (Score:1)
Re: (Score:2)
There's 389112 possible combinations.
Of what?
Re: (Score:2)
It can wipe 360 of them per hour!
Re: (Score:2)
I know, you would hope that at least the headline would be correct. "Showed" is past tense, it should be "shown".
Double the delay every failed attempt (Score:5, Interesting)
Re: (Score:1)
I think 3-5 attempts before lock out is acceptable.
Allowing ~100 provides more guesses to a would be attacker who could well be someone who is aware or able to guess various pins you use/have used or the method you use to generate such pins i.e. it may be someone who knows the birthdays of your entire family and that you use birthdays as pins.
3-5 would still present a challenge of which of their educated guesses to try first.
Further, in my experience, if I've tripped a lock out it's usually because I've for
Re: (Score:3)
The problem is that you can set someone up for a DoS with this approach. Want to lock a coworker out from his account and cause him to miss a deadline? Just log on as him three times, with a false password of course, and you delay him by whatever amount of time it takes IT to reset his password. Depending on their speed and skill, this may be some time, not to mention that if you do it repeatedly it might just give that coworker other problems when IT starts to complain about him and his inability to rememb
Re: (Score:2)
Then IT will examine the logs and discover the source of the lockout. Lockouts are clearable on most systems without resetting the password and after the 2nd or 3rd time it happens, IT will get interested.
Re: (Score:2)
In today's open space cubicle driven offices it's usually trivial to use a computer of a coworker who's currently at lunch. And aside of VPN (which sadly 'til today is usually only secured by user/pass and less by IP or even device) there are quite a few other options that can make it trivial to hide your actual source.
Seriously, nothing's easier than mobbing a coworker by DoS. I've had to deal with it a few times so far (yes, such a problem is part of a CISOs job and yes, my solution was simply to NOT lock
Re: (Score:1)
Tornados would be considerably less problematic if meteorologists could report God to HR for harassment when someone's house gets blown away.
Re: (Score:2)
I had a similar problem with a bank account with the Royal Bank of Scotland. They lock you out of your bank account after 3 failed attempts to enter the correct password for a given customer number. Unfortunately because this number was similar to one for another account I kept mistaking the last few digits when typing it in. A few tries using my correct password and it'd lock up and tell me to phone customer services (up to a 15 minute phone call) to find out my account wasn't locked at all. I asked but (u
Re: (Score:2)
Re: (Score:2)
The top three are:
111
123
456
Even three attempts already gets you 50% of all PIN codes.
Re: (Score:2)
Re: (Score:3)
So, if I watch you unlock your phone once, I can usually narrow each choice down to 4 digits based on the position of your finger (256 choices without knowing any)... if I can glimpse even one of your digits without knowing position, I can get that number down to 192. If I can identify that digit as early or late or middle, that drops to 128. If I have 100 tries, I don't really need to worry about being locked out.
If I have all but two of your digits, I don't have to worry about lockout at all.
Re: (Score:2)
2^n seconds would be better, where n is the number of attempts done.
Re: (Score:2)
Oh wait, that's what you said... sorry.
Gentlemen... (Score:3)
Your Friends,
The NSA
Re: (Score:1)
I think it's a mistake to have these events hosted in the US. First, they can arrest a guy at the drop of a hat, and then they can use the Invention Secrecy Act [wikipedia.org] to block further disclosure. Let's try not to forget our friend Dimitry..
How is this news (Score:3, Funny)
When I don't even see the word - cloud - in the story?
Cloud it up man! Send those pins to the cloud!
Re: (Score:2)
Hey, it has 3D printing, it has Arduino, it has Android, that trumps that petty "cloud" in buzzword compatibility by some leaps and bounds on /.
Get with the times, man.
Re: (Score:2)
Yeah, sometimes it does seem like the writers who used to work on the Smurfs are now writing "tech" stories...
Papa Cloud: "Why don't you cloud on down to the store and pick up some cloud-berries?"
Brainy Cloud: "I will, right after I finish clouding up the cloud-mobile!"
Cloudette: "We'll use them to cloud up the best cloud-cakes ever!"
a bit silly (Score:3)
Re: (Score:2)
You know what? All that lock picking they practice is also stupid, you can force your way in with a crowbar a lot faster.
Or the ATM jackpot hack, whats the point when a gun and a bank gets the same result faster...
Re: (Score:2)
Not sure how a crowbar would help you gain access to a smartphone's contents.
Re: (Score:2)
Other than you missing the point by a mile or so, a crowbar can be used to beat the person to handing over the code.
Re: (Score:1)
Like calling up the owner on their home/work phone and telling them you (the cell carrier) noticed that their phone was stolen. Then ask them for their pin so you can "find the location".
Done.
Re: (Score:2)
The thing with such devices is what is the return on investment. Is there anything of value on a typical phone that would justify the average 10 hours to break in, other than to just say you did it? Well yes if you want to check on the text message of a lover who you think has other partners maybe, but it seems that u
monkey method (Score:1)
For sure. Speaking in terms of a 'brute force' crack, I'd use the monkey method...
Assuming you could get past being 'locked out' after x incorrect attempts, I'd get 4-5 friends together and have one sit out and enter passwords while the rest play hold 'em or Goldeneye or w/e. You could rotate every 4 hours or whathaveyou
I know my solution doesn't 'scale' but I don't think this robot scales any better, comparatively. That'
Update in the next android (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
An impatient prankster can toss your phone into the loo and make your phone unusable for a good while longer.
Re: (Score:2)
Joke's On Them (Score:5, Funny)
My PIN is 9999, it'll be the last number it could possibly try!
And I'm sure in the 20 hours it takes to get that far, someone will notice and say "hey, Bob, why is there an android trying to break into your Android phone?"
Re: (Score:3)
My PIN is 9999, it'll be the last number it could possibly try!
This alludes to a somewhat valid sidebar. A more intelligent algorithm would crack most passwords much more efficiently than a sequential brute force. E.g. prioritize
- digits in forward or reverse sequence
- repeated digits or repeated pairs
- digits that can represent dates
In fact, a quick google search (!) reveals that there are quite a few shortcuts they could build into the scheme before resorting to pure brute. There's no sense giving up on efficiency just because the speed is alr
Re: (Score:1)
I would assume some simple optimizations would be added to the robot. Like, first try 0000, 1111, 1234, 0123, 9999, 6969, etc... Try all repeating and sequential digits first. Then try all possible dates in format MMDD and then DDMM. Then do the rest.
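The guess ordering sketched in the two comments above (repeated digits, repeated pairs, forward or reverse sequences, then MMDD and DDMM dates) can be written down exactly, and the same test that tells an attacker which PINs to try first tells a lock screen which PINs to refuse when the user sets one. The following is an added example, not code from the article, the researchers or any poster; it goes slightly beyond the comments by also treating four-digit years as dates, and the 1900-2030 range used for that is an assumption made here.

```python
"""Classify four-digit PINs into the predictable families listed in the thread.

Added example, not from the article, the researchers or any poster.  It
applies the ordering the comments describe (repeated digits, repeated pairs,
forward/reverse sequences, MMDD and DDMM dates) from the defender's side:
the families an attacker would try first are the ones an enrollment policy
should refuse.  Years are an addition beyond the comments; the 1900-2030
range is an assumption.
"""
import calendar
from collections import Counter
from typing import Optional

LEAP_YEAR = 2000                     # chosen so that 0229 counts as a valid date
YEAR_RANGE = range(1900, 2031)       # assumption: what "looks like a year"


def _valid_month_day(month: int, day: int) -> bool:
    return 1 <= month <= 12 and 1 <= day <= calendar.monthrange(LEAP_YEAR, month)[1]


def is_sequence(pin: str) -> bool:
    """Adjacent digits all step by +1 (0123, 7890) or -1 (9876, 1098), wrapping at 9/0."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {9}


def classify(pin: str) -> Optional[str]:
    """Return the first matching weak-PIN family, or None if the PIN is in
    none of them.  Order matters: 1212 is reported as a repeated pair rather
    than as 12 December, and 0123 as a sequence rather than January 23rd."""
    if not (len(pin) == 4 and pin.isdigit()):
        raise ValueError("PIN must be exactly four digits")
    if len(set(pin)) == 1:
        return "repeated digit"          # 0000 ... 9999
    if pin[:2] == pin[2:]:
        return "repeated pair"           # 1212, 6969
    if is_sequence(pin):
        return "sequence"                # 1234, 4321, 7890, 0987
    if _valid_month_day(int(pin[:2]), int(pin[2:])):
        return "date MMDD"               # 0704
    if _valid_month_day(int(pin[2:]), int(pin[:2])):
        return "date DDMM"               # 3112
    if int(pin) in YEAR_RANGE:
        return "year"                    # 1985
    return None


def is_acceptable(pin: str) -> bool:
    """Enrollment policy: refuse any PIN that falls in a predictable family."""
    return classify(pin) is None


def coverage() -> Counter:
    """How many of the 10,000 PINs each family claims (each PIN counted once,
    in the first family that matches)."""
    return Counter(classify(f"{n:04d}") for n in range(10_000))


if __name__ == "__main__":
    counts = coverage()
    weak = sum(c for fam, c in counts.items() if fam is not None)
    for family, count in counts.most_common():
        print(f"{family or 'not in a predictable family':28} {count:5}")
    print(f"{weak} of 10000 PINs ({weak / 100:.1f}%) fall in a predictable family")
```

Running the script prints the per-family counts; the six families together cover well under a tenth of the 10,000 possible PINs, which is exactly why trying them first pays off and why refusing them at enrollment costs the user almost nothing.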
Ha! That's nothing! (Score:5, Funny)
show, showed, shown (Score:1)
to be shown
I just use adb and a USB cable (Score:1)
Every developer has USB debugging enabled and 'phone rooted, after all.
Re: (Score:1)
Recent Jellybean versions require adb authentication. You have to accept adb client's private key from the phone and the phone has to be unlocked before you can do so.
Re: (Score:2)
ATMs I've used recently only take the card long enough to scan it and return it immediately.
R2B2 (Score:2)
Re: (Score:2)
What a clever name /s. And what a great idea: Create a robot that can perform brute-force attacks on smart phone PINs. I wonder why someone would want to build that? At $200, I'm sure they'll be making a small fortune hawking it to every sleazy phone thief.
You could outsource this to India or China, have your employees follow exactly the same approach and save money - cheap human laborers can take care of all the intermediate steps the robots can't, and can do the robot's task as well. Seems like the robot is superfluous.
Time lock (Score:2)
Just program in a lock with a progressive time interval for each failed attempt. Each failed attempt causes you to have to wait longer to try again. If you limited failed attempts to say, 50 consecutive failed attempts per day, then you could easily stretch out the time to brute force crack the key to months.
Re: (Score:2)
First delay is 5 seconds, double the delay every time. We all know that story [wikipedia.org].
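The policies argued over in this thread (the 30 s pause after five failures quoted from the article, the five-minute pause after three, a 50-a-day cap, and a delay that starts at 5 s and doubles every time) are easy to put numbers on. The following is an added example, not code from the article, the researchers or any poster; the one-guess-per-second rate and the pause values come from the thread, while the exact way the day cap and the doubling delay are counted is an assumption made here.

```python
"""Worst-case time to exhaust all 10,000 four-digit PINs under the lockout
policies debated in the thread.

Added example, not code from the article, the researchers or any poster.
Assumptions: one guess per second as quoted for the robot; a fixed 30 s
pause after every 5 wrong guesses (the article's description of the tested
Android phones); a 5 minute pause after every 3; a cap of 50 attempts per
day; and a delay starting at 5 s that doubles after every failure.
"""
from datetime import timedelta

PIN_SPACE = 10_000          # every PIN from 0000 to 9999
GUESS_SECONDS = 1           # the robot's quoted rate: one guess per second
DAY = 86_400


def fixed_window_seconds(attempts, per_window, pause, guess_seconds=GUESS_SECONDS):
    """Pause `pause` seconds after every `per_window` consecutive failures.

    Only windows completed before the final guess incur a pause, so the
    last (successful) guess never waits for one.
    """
    pauses = (attempts - 1) // per_window
    return attempts * guess_seconds + pauses * pause


def daily_cap_seconds(attempts, per_day, guess_seconds=GUESS_SECONDS):
    """At most `per_day` guesses per day; the remainder wait for the next day."""
    full_days = (attempts - 1) // per_day
    guesses_on_last_day = (attempts - 1) % per_day + 1
    return full_days * DAY + guesses_on_last_day * guess_seconds


def exponential_seconds(attempts, first_delay=5, guess_seconds=GUESS_SECONDS):
    """Wait `first_delay` after the first failure and double it after each
    further one.  The waits form a geometric series, so the total is an
    exact Python int even when it runs to thousands of digits."""
    if attempts < 1:
        return 0
    waits = first_delay * (2 ** (attempts - 1) - 1)   # sum of first_delay * 2**k for k < attempts-1
    return attempts * guess_seconds + waits


def describe(seconds):
    """Human-readable duration; falls back to a power of ten in years for
    values that would overflow timedelta."""
    year = 365 * DAY
    if seconds < 1_000 * year:
        return str(timedelta(seconds=seconds))
    years = seconds // year
    return f"about 10^{len(str(years)) - 1} years"


def worst_case_report(attempts=PIN_SPACE):
    """Worst-case exhaustion time for each policy, in seconds."""
    return {
        "no lockout": attempts * GUESS_SECONDS,
        "30 s after every 5 (article's Android default)": fixed_window_seconds(attempts, 5, 30),
        "5 min after every 3": fixed_window_seconds(attempts, 3, 300),
        "50 attempts per day": daily_cap_seconds(attempts, 50),
        "5 s, doubling every failure": exponential_seconds(attempts, 5),
    }


if __name__ == "__main__":
    for policy, secs in worst_case_report().items():
        print(f"{policy:48} {describe(secs)}")
```

Under this model the 30-seconds-per-five policy comes out at 19:26:10 for the full space, within a couple of minutes of the 19 h 24 min the article quotes; the average case is about half of each worst-case figure. The doubling policy cannot be exhausted in any meaningful time, but the thread's point about pranksters still applies: a handful of deliberate failures on a doubling schedule locks the legitimate owner out for a long while, so in practice a cap on the delay or an alternative recovery path is needed alongside it.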
Bad design (Score:2)
Three servomotors? They built the thing like it was a delta 3D printer. They should have used 10 solenoids instead.
Re: (Score:1)
Three servomotors? They built the thing like it was a delta 3D printer. They should have used 10 solenoids instead.
If all Android phones had the same screen size and input spacing, then yes, your solution would be more elegant. But they do not, so yours is not.
20 hours? I wouldn't worry (Score:2)
An Android phone will lock you out of entering a code, instead requiring email verification, after about 20-30 failed attempts. Good thing I also use a combo longer than 4 digits.
And what about most Android phones that are configured to use pattern lock? What about an Android phone that's encrypted, which uses a different entry panel and display for unlocking at boot time?
Nice toy, not really effective.
small upgrade to improve efficiency (Score:2)
Re: (Score:2)
Access to the hardware (Score:1)
Countermeasures (Score:1)
So, um, randomize the locations of each number (and not always on a small 4x4 grid) and possibly use captcha-like effects to frustrate OCRing the display? Of course even better might be to do something like MS research suggested, using pictures. But instead of mere pictures, use a whole host of pictures. So, your password could be cat, dog, cat, fish, airplane, or whatever (not unlike some new captchas). I'd imagine that'd also encourage longer passwords, as every login is a new chance to see even more
Far easier method (Score:2)
Multiple styluses (Score:1)
I assume using around 12 styluses of fixed position would have allowed for much faster bruteforce (10 for the digits, 2 for the ok buttons). Moving a stylus around is simply too slow compared to down-up movements.