Slashdot Mirror


PIN-Cracking Robot To Be Showed Off At Defcon

Sparrowvsrevolution writes "At the Def Con hacker conference in Las Vegas early next month, security researchers Justin Engler and Paul Vines plan to show off the R2B2, or Robotic Reconfigurable Button Basher, a piece of hardware they built for around $200 that can automatically punch PIN numbers at a rate of about one four-digit guess per second, fast enough to crack a typical Android phone's lock screen in 20 hours or less. Engler and Vines built their bot, shown briefly in a preview video, from three $10 servomotors, a plastic stylus, an open-source Arduino microcontroller, a collection of plastic parts 3D-printed on their local hackerspace's Makerbot 3D printer, and a five dollar webcam that watches the phone's screen to detect if it's successfully guessed the password. The device can be controlled via USB, connecting to a Mac or Windows PC that runs a simple code-cracking program. The researchers plan to release both the free software and the blueprints for their 3D-printable parts at the time of their Def Con talk."

16 of 114 comments

  1. Double the delay every failed attempt by grimJester · · Score: 5, Interesting

    I'm always amazed when passwords are locked out after just three or five attempts. Allowing a hundred would still protect against brute force, while never being a problem for an actual human being. Even better would be to start with a one second delay, doubling it every time, so a brute force attempt would take ages but a human only gets some time to think.

    1. Re:Double the delay every failed attempt by havarh · · Score: 2

      Like iOS does it? Starting with 1 minute after 6 failed attempts, and then increasing the delay each time another pin code is entered.

    2. Re:Double the delay every failed attempt by Opportunist · · Score: 2

      The problem is that you can set someone up for a DoS with this approach. Want to lock a coworker out from his account and cause him to miss a deadline? Just log on as him three times, with a false password of course, and you delay him by whatever amount of time it takes IT to reset his password. Depending on their speed and skill, this may be some time, not to mention that if you do it repeatedly it might just give that coworker other problems when IT starts to complain about him and his inability to remember his own simple password.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Double the delay every failed attempt by SQLGuru · · Score: 2

      So, if I watch you unlock your phone once, I can usually narrow each choice down to 4 digits based on the position of your finger (256 choices without knowing any).....if I can glimpse even one of your digits without knowing position, I can get that number down to 192. If I can identify that digit as early or late or middle, that drops to 128. If I have 100 tries, I don't really need to worry about being locked out.

      If I have all but two of your digits, I don't have to worry about lockout at all.

  2. Gentlemen... by Jawnn · · Score: 2

    We can't have every clever Tom, Dick, and Harry breaking the privacy and security of people's mobile devices and whatnot. That's our job and we'll thank you to not meddle with our business. Besides, your "invention" is clearly a tool for teh terrorists and will be classified as a munition by the end of the week. See if you can "spot the fed" with a black bag over your head.
    Your Friends,

    The NSA

  3. How is this news by Anonymous Coward · · Score: 3, Funny

    When I don't even see the word - cloud - in the story?
    Cloud it up man! Send those pins to the cloud!

  4. a bit silly by platypussrex · · Score: 2

    Different phones have lockouts, and delays for new guesses based on wrong guesses. TFA mentions the delays, but not the data wipes. The whole thing seems a bit silly. There are easier ways to hack into most phones than brute forcing the pin with a robot.

  5. Re:lock out? by Anonymous Coward · · Score: 5, Informative

    "But every Android phone that Engler and Vines tested was set by default to use a much less stringent safeguard, delaying the user just 30 seconds after every five guesses. At that rate, the robot can still guess five PINs every 35 seconds, or all 10,000 possibilities in 19 hours and 24 minutes."

    Not by default.

  6. Re:lock out? by stewsters · · Score: 3, Funny

    By default all you need to do is swipe to unlock. That's a far simpler robot.

  7. Update in the next android by 140Mandak262Jamuna · · Score: 5, Insightful

    The screen would be locked out after every failed unlock attempt for the duration of t milliseconds, t = 1 * 2^(n), where n = nth consecutive failed unlock attempt. My quick calculation shows the 50th unlock attempt would take 35000 years. The tenth unlock attempt would take 1 sec. Ravi S

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  8. Joke's On Them by BobNET · · Score: 5, Funny

    My PIN is 9999, it'll be the last number it could possibly try!

    And I'm sure in the 20 hours it takes to get that far, someone will notice and say "hey, Bob, why is there an android trying to break into your Android phone?"

    1. Re:Joke's On Them by BForrester · · Score: 2

      My PIN is 9999, it'll be the last number it could possibly try!

      This alludes to a somewhat valid sidebar. A more intelligent algorithm would crack most passwords much more efficiently than a sequential brute force. E.g. prioritize
        - digits in forward or reverse sequence
        - repeated digits or repeated pairs
        - digits that can represent dates

      In fact, a quick google search (!) reveals that there are quite a few shortcuts they could build into the scheme before resorting to pure brute. There's no sense giving up on efficiency just because the speed is already bottlenecked by mechanical limitations.
      http://danielamitay.com/blog/2011/6/13/most-common-iphone-passcodes

  9. Ha! That's nothing! by Nuffsaid · · Score: 5, Funny

    My robot can crack a typical Android phone's screen with just one vigorous hit!

    --
    Nuffsaid
    ________

    Don't know about his cat, but Schroedinger is definitely dead.
  10. Re:lock out? by jodosh · · Score: 2

    Both my Nexus 4 and my wife's Note 2 lock me out for 30 seconds after 5 incorrect guesses. After the time out I am free to make 5 more guesses before I hit another 30 second delay. So Android users who use PINs to lock their phone do seem to be vulnerable to this brute-force attack. Seems easy enough for Google to fix, double the timeout each time, maybe even have the option of having the phone email you with its location and a time stamp after 15 incorrect guesses.

  11. Re:lock out? by Nerdfest · · Score: 2

    Why have they made the assumption that a PIN is 4 digits? Mine is 8, and you can set a password instead if you wish.

  12. Re:lock out? by ColdWetDog · · Score: 4, Funny

    Or, just don't hand your phone to people carrying silly looking robot parts that want to borrow your device for "19 hours".

    Problem solved!

    --
    Faster! Faster! Faster would be better!
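
Added example, not part of the original thread or of the researchers' software: a small Python model that compares the two throttling policies discussed above (a 30-second lockout after every five failures, and a delay of 2^n ms after the nth consecutive failure) by counting how many guesses fit into 24 hours. The function names are this example's own; the one-guess-per-second rate and the 10,000-PIN keyspace are the figures quoted in the story.

```python
GUESS_MS = 1000                  # about one guess per second, as quoted in the story
DAY_MS = 24 * 60 * 60 * 1000     # time budget: the device is out of sight for a day


def fixed_window(failures, window=5, lockout_ms=30_000):
    """30 s lockout after every 5th failure (the default described in the thread)."""
    return lockout_ms if failures % window == 0 else 0


def doubling(failures, base_ms=1):
    """base_ms * 2**n after the nth consecutive failure (the thread's proposal)."""
    return base_ms * 2 ** failures


def simulate(delay_fn, keyspace=10_000, budget_ms=DAY_MS, guess_ms=GUESS_MS):
    """Assume every guess fails; return (guesses entered, ms elapsed at the last one).

    Integer milliseconds keep the arithmetic exact, and stopping at the budget
    means the doubling delay never has to be evaluated for huge n.
    """
    clock = 0        # earliest time the next guess may start
    guesses = 0
    last_entry = 0
    while guesses < keyspace and clock + guess_ms <= budget_ms:
        clock += guess_ms            # time spent entering the guess
        guesses += 1
        last_entry = clock
        clock += delay_fn(guesses)   # lockout imposed after this failure
    return guesses, last_entry


if __name__ == "__main__":
    policies = {
        "30 s after every 5 failures": fixed_window,
        "2^n ms after nth failure": doubling,
        "2^n s after nth failure": lambda n: doubling(n, base_ms=1000),
    }
    for name, fn in policies.items():
        guesses, last_ms = simulate(fn)
        print(f"{name:30s} {guesses:6d} guesses in 24 h "
              f"({100 * guesses / 10_000:.2f}% of 4-digit PINs, "
              f"last entry at {last_ms / 3_600_000:.1f} h)")
```

Under the fixed-window policy the whole keyspace is covered in about 19.4 hours, while either doubling variant limits a full day to a few dozen guesses.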