Slashdot Mirror


PIN-Cracking Robot To Be Showed Off At Defcon

Sparrowvsrevolution writes "At the Def Con hacker conference in Las Vegas early next month, security researchers Justin Engler and Paul Vines plan to show off the R2B2, or Robotic Reconfigurable Button Basher, a piece of hardware they built for around $200 that can automatically punch PIN numbers at a rate of about one four-digit guess per second, fast enough to crack a typical Android phone's lock screen in 20 hours or less. Engler and Vines built their bot, shown briefly in a preview video, from three $10 servomotors, a plastic stylus, an open-source Arduino microcontroller, a collection of plastic parts 3D-printed on their local hackerspace's Makerbot 3D printer, and a five dollar webcam that watches the phone's screen to detect if it's successfully guessed the password. The device can be controlled via USB, connecting to a Mac or Windows PC that runs a simple code-cracking program. The researchers plan to release both the free software and the blueprints for their 3D-printable parts at the time of their Def Con talk."

2 of 114 comments

  1. delay by Anonymous Coward · · Score: 0, Interesting

    Did someone forget to insert a 5 second delay on incorrect passwords or even one that increases 2 seconds every false try? Possibly disable the delay on the first error if the phone is actually ringing?

    Pretty standard blocks for brute forcing passwords.

  2. Double the delay every failed attempt by grimJester · · Score: 5, Interesting

    I'm always amazed when passwords are locked out after just three or five attempts. Allowing a hundred would still protect against brute force, while never being a problem for an actual human being. Even better would be to start with a one second delay, doubling it every time, so a brute force attempt would take ages but a human only gets some time to think.
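
To put numbers on the throttling schemes proposed in the two comments above, here is an added example (not part of the original thread or the researchers' software) that models each policy against the summary's 10,000-PIN space at one guess per second. The function names and the linear policy's 2-second first pause are assumptions.

```python
PIN_SPACE = 10_000   # four-digit PINs (from the summary)
GUESS_SECONDS = 1    # about one guess per second (from the summary)

def fixed_delay(seconds):
    """Same pause after every failure (comment 1: 5 seconds)."""
    return lambda failures: seconds

def linear_delay(step):
    """Pause grows by `step` per failure; first pause = step (assumed)."""
    return lambda failures: step * failures

def doubling_delay(start):
    """Pause doubles after every failure (comment 2: start at 1 second)."""
    return lambda failures: start * 2 ** (failures - 1)

def exhaust_seconds(delay_after, guesses=PIN_SPACE):
    """Worst case: every guess except the last fails and triggers a pause."""
    pauses = sum(delay_after(n) for n in range(1, guesses))
    return guesses * GUESS_SECONDS + pauses

def guesses_within(delay_after, budget_seconds, limit=PIN_SPACE):
    """Guesses that fit in a time budget (integer math avoids overflow)."""
    elapsed = made = 0
    while made < limit:
        elapsed += GUESS_SECONDS
        if elapsed > budget_seconds:
            break
        made += 1
        elapsed += delay_after(made)
    return made

def human_wait(delay_after, mistakes):
    """Total pause a legitimate user sits through after `mistakes` typos."""
    return sum(delay_after(n) for n in range(1, mistakes + 1))

if __name__ == "__main__":
    day = 86_400
    policies = {
        "no delay": fixed_delay(0),
        "fixed 5 s": fixed_delay(5),
        "+2 s per failure": linear_delay(2),
        "doubling from 1 s": doubling_delay(1),
    }
    for name, policy in policies.items():
        print(f"{name:18} guesses/day={guesses_within(policy, day):6} "
              f"user wait after 5 typos={human_wait(policy, 5)} s")
```

A fixed 5-second pause still lets the whole PIN space be tried in under a day, while doubling limits the same day to 17 guesses at a cost of 31 seconds to a user who mistypes five times.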