Slashdot Mirror

← Back to Stories (view on slashdot.org)

PIN-Cracking Robot To Be Showed Off At Defcon

Posted by timothy on from the brute-force dept.

Sparrowvsrevolution writes "At the Def Con hacker conference in Las Vegas early next month, security researchers Justin Engler and Paul Vines plan to show off the R2B2, or Robotic Reconfigurable Button Basher, a piece of hardware they built for around $200 that can automatically punch PIN numbers at a rate of about one four-digit guess per second, fast enough to crack a typical Android phone's lock screen in 20 hours or less. Engler and Vines built their bot, shown briefly in a preview video, from three $10 servomotors, a plastic stylus, an open-source Arduino microcontroller, a collection of plastic parts 3D-printed on their local hackerspace's Makerbot 3D printer, and a five dollar webcam that watches the phone's screen to detect if it's successfully guessed the password. The device can be controlled via USB, connecting to a Mac or Windows PC that runs a simple code-cracking program. The researchers plan to release both the free software and the blueprints for their 3D-printable parts at the time of their Def Con talk."

76 of 114 comments (clear)

  1. lock out? by entirely_fluffy · · Score: 1

    surely you are locked out after 3 unsuccessful attempts on Android?

    1. Re:lock out? by Anonymous Coward · · Score: 5, Informative

      "But every Android phone that Engler and Vines tested was set by default to use a much less stringent safeguard, delaying the user just 30 seconds after every five guesses. At that rate, the robot can still guess five PINs every 35 seconds, or all 10,000 possibilities in 19 hours and 24 minutes."

      Not by default.

    2. Re:lock out? by stewsters · · Score: 3, Funny

      By default all you need to is swipe to unlock. That's a far simpler robot.

    3. Re:lock out? by mercnet · · Score: 1

      I thought if you forgot your pattern or pin, then it asks you to authenticate with your google account. If user remembers that, they can login to the phone. Wouldn't this prevent X number of guesses from being made?

    4. Re:lock out? by Joining+Yet+Again · · Score: 1

      The fuck? It's that easy to cause hassle?

      Yes, I know a destructive colleague could just smash the 'phone, but there's a psychological barrier between causing mischief by swiping your hand across a screen, and being a physical vandal.

    5. Re:lock out? by jodosh · · Score: 2

      Both my nexus 4 and my wife's note 2 lock me out for 30 seconds after 5 incorrect guesses. After the time out I am free to make 5 more guesses before I hit another 30 second delay. So android users who use PINs to lock their phone do seem to be vulnerable to this brute-force attack. Seems easy enough for google to fix, double the timeout each time, maybe even have the option of having the phone email you with its location and a time stamp after 15 incorrect guesses.

    6. Re:lock out? by Nerdfest · · Score: 2

      Why have they made the assumption that a PIN is 4 digits? Mine is 8, and you can set a password instead if you wish.

    7. Re:lock out? by SQLGuru · · Score: 1

      With newer phones being synced to the cloud, wiping my phone is less of an issue today than it was a few years ago......

    8. Re:lock out? by Digicrat · · Score: 1

      This just follows with the obvious: Once somebody has physical access to your device, it will be compromised sooner or later.

      If you're really paranoid, you can set an Android phone (at least if it's rooted) to wipe the phone after some number of failed unlock attempts using a program such as DelayedLock.

    9. Re:lock out? by Bigby · · Score: 1

      And that since it is a blackberry, which I would think would be connected to a BES, it is only wiping corporate "cloud" stored information. BTW, this feature is why BB has been so strong for the enterprise.

    10. Re:lock out? by Zalbik · · Score: 1

      Why have they made the assumption that a PIN is 4 digits? Mine is 8, and you can set a password instead if you wish.

      Oh big deal, it will only take twice as long then! I'm certain if they are willing to wait 20 hours, they are willing to wait 30.

      P.S.
      Please note that the above post is intended as humor and should not be taken as a serious representation of mathematical reasoning.

    11. Re:lock out? by somersault · · Score: 1

      And why not use the pattern-lock feature instead? Much more natural than typing in a PIN, and still very secure.

      --
      which is totally what she said
    12. Re:lock out? by ColdWetDog · · Score: 4, Funny

      Or, just don't hand your phone to people carrying silly looking robot parts that want to borrow your device for "19 hours".

      Problem solved!

      --
      Faster! Faster! Faster would be better!
    13. Re:lock out? by wonkey_monkey · · Score: 1

      And why not use the pattern-lock feature instead? Much more natural than typing in a PIN, and still very secure.

      Don't forget to wipe your finger grease off the screen every time. In my case it's only enabled because Android insisted on it when I added a VPN, and the marks come in handy if I go out in sunlight without remembering to turn up the brightness.

      --
      systemd is Roko's Basilisk.
    14. Re:lock out? by jodosh · · Score: 1

      I agree a PIN system that is all numbers has significant problems. (neither I or my wife use the PIN on our phones, but I enabled it to see how android dealt with repeated attemps.) http://www.datagenetics.com/blog/september32012/ gets to the problem that people are bad at picking secure PINs (especially a 4-digit PIN.) This device has value however because a great many people who will enable a PIN will choose a 4 digit PIN.

    15. Re:lock out? by FatdogHaiku · · Score: 1

      I'll guess it's "correcthorsebatterystaple"
      http://xkcd.com/936/

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    16. Re:lock out? by somersault · · Score: 1

      True, but even even with a visible finger grease smear, my sister couldn't actually figure out the unlock pattern on my tablet. I'm not sure if you can re-use nodes, but if you can then it would help to make things even more confusing

      --
      which is totally what she said
    17. Re:lock out? by ahadsell · · Score: 1

      You can't re-use nodes, but you _can_ put in crossing lines, which makes the grease smears less useful.

    18. Re:lock out? by lsatenstein · · Score: 1

      "But every Android phone that Engler and Vines tested was set by default to use a much less stringent safeguard, delaying the user just 30 seconds after every five guesses. At that rate, the robot can still guess five PINs every 35 seconds, or all 10,000 possibilities in 19 hours and 24 minutes."

      Not by default.

      ===
      Why release such a product? Are they on an ego trip to help the street gangs that break into cars or attack people for their cellphones?

      If they go beyond describing it, I would call them accomplices to crime the next time a criminal (builds and) uses one of their robots for a stolen cellphone.

      --
      Leslie Satenstein Montreal Quebec Canada
    19. Re:lock out? by Meski · · Score: 1

      I agree with the xkcd principle in theory, if you've got a reasonably nice keyboard. Consider some of the more brain-dead keyboards that you run via a TV remote control by moving a cursor over a screen keyboard. I was doing it yesterday to run a web-browser and it was giving me the shits.

    20. Re:lock out? by Meski · · Score: 1

      Because that is the minimum, and people are lazy.

    21. Re:lock out? by neokushan · · Score: 1

      Or just use a longer PIN than 4 digits. Even a 5 digit pin would extend 20 hours to about a week.

      --
      +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
  2. Double the delay every failed attempt by grimJester · · Score: 5, Interesting

    I'm always amazed when passwords are locked out after just three or five attempts. Allowing a hundred would still protect against brute force, while never being a problem for an actual human being. Even better would be to start with a one second delay, doubling it every time, so a brute force attempt would take ages but a human only gets some time to think.

    1. Re:Double the delay every failed attempt by Anonymous Coward · · Score: 1

      I think 3-5 attempts before lock out is acceptable.

      Allowing ~100 provides more guesses to a would be attacker who could well be someone who is aware or able to guess various pins you use/have used or the method you use to generate such pins i.e. it may be someone who knows the birthdays of your entire family and that you use birthdays as pins.

      3-5 would still present a challange of which of their educated guesses to try first.

      Further, in my experience, if I've tripped a lock out it's usually because I've forgotten the key for good.

      Having a timeout on an incorrect guess is a good idea if not already implemented.

    2. Re:Double the delay every failed attempt by havarh · · Score: 2

      Like iOS does it? Starting with 1 minute after 6 failed attempts, and then increasing the delay each time another pin code is entered.

    3. Re:Double the delay every failed attempt by Opportunist · · Score: 2

      The problem is that you can set someone up for a DoS with this approach. Want to lock a coworker out from his account and cause him to miss a deadline? Just log on as him three times, with a false password of course, and you delay him by whatever amount of time it takes IT to reset his password. Depending on their speed and skill, this may be some time, not to mention that if you do it repeatedly it might just give that coworker other problems when IT starts to complain about him and his inability to remember his own simple password.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Double the delay every failed attempt by AmiMoJo · · Score: 1

      The top three are:

      111
      123
      456

      Even three attempts already gets you 50% of all PIN codes.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:Double the delay every failed attempt by bruce_the_loon · · Score: 1

      Then IT will examine the logs and discover the source of the lockout. Lockouts are clearable on most systems without resetting the password and after the 2nd or 3rd time it happens, IT will get interested.

      --
      Trying to become famous by taking photos. Visit my homepage please.
    6. Re:Double the delay every failed attempt by SQLGuru · · Score: 2

      So, if I watch you unlock your phone once, I can usually narrow each choice down to 4 digits based in the position of your finger (256 choices without knowing any).....if I can glimpse even one of your digits without knowing position, I can get that number down to 192. If I can identify that digit as early or late or middle, that drops to 128. If I have 100 tries, I don't really need to worry about being locked out.

      If I have all but two of your digits, I don't have to worry about lockout at all.

    7. Re:Double the delay every failed attempt by tsa · · Score: 1

      2^n seconds would be better, where n is the number of attempts done.

      --

      -- Cheers!

    8. Re:Double the delay every failed attempt by tsa · · Score: 1

      Oh wait, that's what you said... sorry.

      --

      -- Cheers!

    9. Re:Double the delay every failed attempt by aztracker1 · · Score: 1

      Damn, now I need to change the combination on my luggage.

      --
      Michael J. Ryan - tracker1.info
    10. Re:Double the delay every failed attempt by Anonymous Coward · · Score: 1

      Tornados would be considerably less problematic if meteorologists could report God to HR for harassment when someone's house gets blown away.

    11. Re:Double the delay every failed attempt by Opportunist · · Score: 1

      In today's open space cubicle driven offices it's usually trivial to use a computer of a coworker who's currently at lunch. And aside of VPN (which sadly 'til today is usually only secured by user/pass and less by IP or even device) there are quite a few other options that can make it trivial to hide your actual source.

      Seriously, nothing's easier than mobbing a coworker by DoS. I've had to deal with it a few times so far (yes, such a problem is part of a CISOs job and yes, my solution was simply to NOT lock an account after 3 attempts but use a very different approach, not unlike the "delay by a minute" spiel detailed above, with some goodies tacked onto it to find that asshat that tries to mob a coworker. I have exactly zero tolerance for such crap and it cost more than one ass his comfy chair).

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    12. Re:Double the delay every failed attempt by mutube · · Score: 1

      I had a similar problem with a bank account with the Royal Bank of Scotland. They lock you out of your bank account after 3 failed attempts to enter the correct password for a given customer number. Unfortunately because this number was similar to one for another account I kept mistaking the last few digits when typing it in. A few tries using my correct password and it'd lock up and tell me to phone customer services (up to a 15 minute phone call) to find out my account wasn't locked at all. I asked but (understandably) they wouldn't unlock the other account at my request.

      I must have done that at least 5 or 6 times. How annoying must that have been for whoever that account belonged to?

      --
      Python coder | PyQt Applications | Writer
  3. Gentlemen... by Jawnn · · Score: 2

    We can't have every clever Tom, Dick, and Harry breaking the privacy and security of people's mobile devices and whatnot. That's our job and we'll thank you to not meddle with our business. Besides, your "invention" is clearly a tool for teh terrorists and will be classified as a munition by the end of the week. See if you can "spot the fed" with a black bag over your head.
    Your Friends,

    The NSA

    1. Re:Gentlemen... by fustakrakich · · Score: 1

      I think it's a mistake to have these events hosted in the US. First, they can arrest a guy at the drop of a hat, and then they can use the Invention Secrecy Act to block further disclosure. Let's try not to forget our friend Dimitry..

      --
      “He’s not deformed, he’s just drunk!”
  4. How is this news by Anonymous Coward · · Score: 3, Funny

    When I don't even see the word - cloud - in the story?
    Cloud it up man! Send those pins to the cloud!

    1. Re:How is this news by Opportunist · · Score: 1

      Hey, it has 3D printing, it has Arduino, it has Android, that trumps that petty "cloud" in buzzword compatibility by some leaps and bounds on /.

      Get with the times, man.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:How is this news by 93+Escort+Wagon · · Score: 1

      Yeah, sometimes it does seem like the writers who used to work on the Smurfs are now writing "tech" stories...

      Papa Cloud: "Why don't you cloud on down to the store and pick up some cloud-berries?"

      Brainy Cloud: "I will, right after I finish clouding up the cloud-mobile!"

      Cloudette: "We'll use them to cloud up the best cloud-cakes ever!"

      --
      #DeleteChrome
  5. a bit silly by platypussrex · · Score: 2

    different phones have lockouts, and delays for new guesses based on wrong guesses. TFA mentions the delays, but not the data wipes. The whole thing seems a bit silly. There are easier ways to hack into most phones than brute forcing the pin with a robot.

    1. Re:a bit silly by Splab · · Score: 1

      You know what? All that lock picking they practice is also stupid, you can force your way in with a crowbar a lot faster.

      Or the ATM jackpot hack, whats the point when a gun and a bank gets the same result faster...

    2. Re:a bit silly by Bigby · · Score: 1

      Like calling up the owner on their home/work phone and telling them you (the cell carrier) noticed that their phone was stolen. Then ask them for their pin so you can "find the location".

      Done.

    3. Re:a bit silly by fermion · · Score: 1
      It is interesting in the fact that someone actually built something and put it into a form that others can replicate it. This exercise,no matter how silly the actual product, is always of value.

      The thing with such devices is what is the return on investment. Is there anything of value on a typical phone that would justify the average 10 hours to break in, other to just say you did it? Well yes if you want to check on the text message of a lover who you think has other partners maybe, but it seems that under such intimate contact there may be other ways than to steal the phone and set a robot on it. In other cases, as mentioned, after several tries people often have the phone set to wipe. I mean that is just cheating lover 101.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    4. Re:a bit silly by Dynedain · · Score: 1

      Not sure how a crowbar would help you gain access to a smartphone's contents.

      --
      I'm out of my mind right now, but feel free to leave a message.....
    5. Re:a bit silly by Splab · · Score: 1

      Other than you missing the point by a mile or so, a crowbar can be used to beat the person to handing over the code.

  6. Update in the next android by 140Mandak262Jamuna · · Score: 5, Insightful

    The screen would be locked out after every failed unlock attempt for the duration of t millisecons, t = 1 * 2^(n) , where n = nth consecutive failed unlock attempt. My quick calculation shows the 50th unlock attempt would take 35000 years. The tenth unlock attempt would take 1 sec. Ravi S

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Update in the next android by PIPBoy3000 · · Score: 1

      A patient prankster could make your phone unusable for a good long while. Similarly, setting your phone somewhere overnight that periodically tries to unlock the phone would mean you couldn't use it for 16 hours or so.

    2. Re:Update in the next android by FhnuZoag · · Score: 1

      An impatient prankster can toss your phone into the loo and make your phone unusable for a good while longer.

    3. Re:Update in the next android by 140Mandak262Jamuna · · Score: 1

      If you have friends like them, you don't need enemies.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  7. Joke's On Them by BobNET · · Score: 5, Funny

    My PIN is 9999, it'll be the last number it could possibly try!

    And I'm sure in the 20 hours it takes to get that far, someone will notice and say "hey, Bob, why is there an android trying to break into your Android phone?"

    1. Re:Joke's On Them by BForrester · · Score: 2

      My PIN is 9999, it'll be the last number it could possibly try!

      This alludes to a somewhat valid sidebar. A more intelligent algorithm would crack most passwords much more efficiently than a sequential brute force. E.g. prioritize
        - digits in forward or reverse sequence
        - repeated digits or repeated pairs
        - digits that can represent dates

      In fact, a quick google search (!) reveals that there are quite a few shortcuts they could build into the scheme before resorting to pure brute. There's no sense giving up on efficiency just because the speed is already bottlenecked by mechanical limitations.
      http://danielamitay.com/blog/2011/6/13/most-common-iphone-passcodes

    2. Re:Joke's On Them by Bigby · · Score: 1

      I would assume some simple optimizations would be added to the robot. Like, first try 0000, 1111, 1234, 0123, 9999, 6969, etc... Try all repeating and sequential digits first. Then try all possible dates in format MMDD and then DDMM. Then do the rest.

  8. Ha! That's nothing! by Nuffsaid · · Score: 5, Funny

    My robot can crack a typical Android phone's screen with just one vigorous hit!

    --
    Nuffsaid
    ________

    Don't know about his cat, but Schroedinger is definitely dead.
  9. show, showed, shown by Anonymous Coward · · Score: 1

    to be shown

  10. I just use adb and a USB cable by Joining+Yet+Again · · Score: 1

    Every developer has USB debugging enabled and 'phone rooted, after all.

    1. Re:I just use adb and a USB cable by Pow · · Score: 1

      Recent Jellybean versions require adb authentication. You have to accept adb client's private key from the phone and the phone has to be unlocked before you can do so.

  11. R2B2 by Lucas123 · · Score: 1

    What a clever name /s. And what a great idea: Create a robot that can perform brute-force attacks on smart phone PINs. I wonder why someone would want to build that? At $200, I'm sure they'll be making a small fortune hawking it to every sleazy phone thief.

    1. Re:R2B2 by 93+Escort+Wagon · · Score: 1

      What a clever name /s. And what a great idea: Create a robot that can perform brute-force attacks on smart phone PINs. I wonder why someone would want to build that? At $200, I'm sure they'll be making a small fortune hawking it to every sleazy phone thief.

      You could outsource this to India or China, have your employees follow exactly the same approach and save money - cheap human laborers can take care of all the intermediate steps the robots can't, and can do the robot's task as well. Seems like the robot is superfluous.

      --
      #DeleteChrome
  12. Time lock by diakka · · Score: 1

    Just program in a lock with a progressive time interval for each failed attempt. Each failed attempt causes you to have to wait longer to try again. If you limited failed attempts to say, 50 consecutive failed attempts per day, then you could easily stretech out the time to brute force crack the key to months.

    --
    -- Knowledge shared is power lost. -- Aleister Crowley
    1. Re:Time lock by ArcadeMan · · Score: 1

      First delay is 5 seconds, double the delay every time. We all know that story.

      --
      Get free satoshi (Bitcoin) and Dogecoins
  13. Bad design by ArcadeMan · · Score: 1

    Three servomotors? They built the thing like it was a delta 3D printer. They should have used 10 solenoids instead.

    --
    Get free satoshi (Bitcoin) and Dogecoins
    1. Re:Bad design by Anonymous Coward · · Score: 1

      Three servomotors? They built the thing like it was a delta 3D printer. They should have used 10 solenoids instead.

      If all Android phones had the same screen size and input spacing, then yes, your solution would be more elegant. But they do not, so yours is not.

  14. It's 270 Days to Brute Force by Kagato · · Score: 1

    There's 389112 possible combinations. Most phones lock for 5 minutes after 3-5 tries. That's about 270 days minimum to fully brute the unlock.

    1. Re:It's 270 Days to Brute Force by wonkey_monkey · · Score: 1

      There's 389112 possible combinations.

      Of what?

      --
      systemd is Roko's Basilisk.
  15. Re:that's great, but by NatasRevol · · Score: 1

    It can wipe 360 of them per hour!

    --
    There are two types of people in the world: Those who crave closure
  16. Re:i hate robots. by AmiMoJo · · Score: 1

    I know, you would hope that at least the headline would be correct. "Showed" is past tense, it should be "shown".

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  17. 20 hours? I wouldn't worry by FuzzNugget · · Score: 1

    An Android phone will lock you out of entering a code, instead requiring email verification, after about 20-30 failed attempts. Good thing I also use a combo longer than 4 digits.

    And what about most Android phones that are configured to use pattern lock? What about an Android phone that's encrypted, which uses a different entry panel and display for unlocking at boot time?

    Nice toy, not really effective.

  18. small upgrade to improve efficiency by Ogive17 · · Score: 1

    R2B2 needs to scan the phone surface for finger smuges from previous unlocks. They could eliminate 6 or more digits, leaving 256 potential combinations.

    --
    "Action without philosophy is a lethal weapon; philosophy without action is worthless."
    1. Re:small upgrade to improve efficiency by ImprovOmega · · Score: 1

      Not quite. If there are exactly four smudges then you can deduce that it's a 4 digit password with no digits repeated, this makes 4! or 24 combinations. If there are only three smudges then one digit is repeated then there's 3*(4!/2!) = 36 possible combos. But then if there's two smudges you have either each one repeated twice or one repeated three times = 2*(4!/3!) + (4!/(2!*2!)) = 8 + 6 = 14. One smudge makes 1 combo of course. Worst case is 48 though.

  19. Re:ATM by Richy_T · · Score: 1

    ATMs I've used recently only take the card long enough to scan it and return it immediately.

  20. Access to the hardware by emddudley · · Score: 1

    If you have access to the hardware, then the software security doesn't matter. Encryption aside, of course.

  21. Countermeasures by 10101001+10101001 · · Score: 1

    So, um, randomize the locations of each number (and not always on a small 4x4 grid) and possibly use captcha-like effects to frustrate OCRing the display? Of course even better might be to do something like MS research suggested, using pictures. But instead of mere pictures, use a whole host of pictures. So, your password could be cat, dog, cat, fish, airplane, or whatever (not unlike some knew captchas). I'd imagine that'd also encourage longer passwords, as every login is a new chance to see even more cute kittens, or whatever. :)

    --
    Eurohacker European paranoia, gun rights, and h
  22. monkey method by globaljustin · · Score: 1

    There are easier ways to hack into most phones than brute forcing the pin with a robot

    For sure. Speaking in terms of a 'brute force' crack, i'd use the monkey method...

    Assuming you could get past being 'locked out' after x incorrect attempts, i'd get 4-5 friends together and have one sit out and enter passwords while the rest play hold 'em or Goldeneye or w/e. You could rotate every 4 hours or whathaveyou

    I know my solutions doesn't 'scale' but I don't think this robot scales any better, comparatively. That's kind of my point...they're kind of off kilter with their approach, but I am all for robots advancements...

    --
    Thank you Dave Raggett
  23. Far easier method by wertarbyte · · Score: 1

    Many Android devices support USB input devices - both my Galaxy S3 as well as my Nexus 7 happily accept USB keyboards even when requesting the encryption PIN during bootup. I programmed an ATMEL ATMega32U4 (microcontroller with USB interface) with a simple program that iterates through every possible PIN, waiting for 30 seconds after 5 or 10 tries. If the system continues booting, the controller recognizes this by "pinging" the CAPSLOCK LED: if "hitting" CAPSLOCK does not change the LED state, the system has started to decrypt the device because of a correct PIN, which is then stored in the devices EEPROM. I created the device using an teensy development board and the LUFA framework. Not as spectacular as a robot, but effective as well.

    --
    Life is just nature's way of keeping meat fresh.
  24. Multiple styluses by mstefanro · · Score: 1

    I assume using around 12 styluses of fixed position would have allowed for much faster bruteforce (10 for the digits, 2 for the ok buttons). Moving a stylus around is simply too slow compared to down-up movements.