3D-Printed Robot to Break Android PINs

Neat project. The reason it works is that the Android system doesn't start putting in very long delays between PIN attempts after a whole bunch of unsuccessful attempts. The iPhone does.

Posted on September 27, 2013 at 6:21 AM • 40 Comments

Comments

Jason Keirstead • September 27, 2013 7:14 AM

A good example of why it is important to have your security profile set to factory reset after X bad attempts, usually 10 or 15.

kashmarek • September 27, 2013 7:16 AM

This comment is about the target web page in the link provided in the story. My browser (Firefox) locks up for 30 seconds when hitting that link. I lose control of the mouse pointer and buttons. This has happened on one or two other web pages over the past several months as well.

What causes this behavior? I can't even click outside of the browser window to get control back.

Tom • September 27, 2013 7:20 AM

Lots wrong with this story.

The Galaxy S3 (Android 4.1 + TouchWiz overlay - and I assume other Samsung phones do similar) doesn't put in a delay. But after four wrong attempts, it threatens that four more wrong attempts will cause it to wipe the phone clean. So this would actually be a robot for automatically wiping android phones.

The author of the linked article claims that it can grind through 'all 10,000 possible PINs' in 20 hours. The problem is that that is not the number of possible PINs - there is no reason to pick a 4-digit PIN on an Android phone. The PIN can be anything from 4-16 characters long.

My other phone, running Cyanogenmod 10.1 (Android 4.3), does put in a 30-second delay after five incorrect attempts. I guess this still only adds up to 15 hours when attempting all 10,000 4-digit PINs, though.

So I'm not sure what the basis of this story is...

Brian • September 27, 2013 8:14 AM

@Jim L

I can't find the reference right now, but I believe the pattern unlock is actually quite a bit less safe than a PIN. The problem the article I'm remembering discussed is that the swipe pattern has FAR fewer choices for each value than a PIN. In a PIN, each digit has 10 choices and there are 10 choices for the next value in a pattern unlock. The article actually ran the numbers, but it intuitively makes a lot of sense.

David • September 27, 2013 8:20 AM

My Google Nexus S (made by Samsung), running Jelly Bean 4.1.2, puts in a 30 *minute* delay after 5 unsuccessful password attempts.

I say password rather than PIN, because it is not limited to 4 characters and can include things besides numbers -- e.g., letters and special characters. I don't know what the maximum length is; mine is 8 characters long.

Wael • September 27, 2013 8:36 AM

@ Jim, @ Brian,

As far back as a few months ago, pattern lock was less safe to use than a PIN. It can be bypassed without root privilege. Search for "bypassing android pattern lock". Basically you can delete the file containing this information through an adb command (USB connection to your computer, USB debug enabled on MD). Type

adb shell rm /data/system/gesture.key

Reboot the phone, unplug the cable, and you're set. I have not verified that this works on 4.3 (or 4.2 for that matter).

And your pattern lock is bypassed...

PIN bypassing requires root access. If anyone knows otherwise, I'd be interested in the information...

So if you try this and it works on your phone, then don't use pattern lock.

1234 • September 27, 2013 9:35 AM

the Android system doesn't start putting in very long delays between PIN attempts after a whole bunch of unsuccessful attempts. The iPhone does.

What prevents an attacker from dumping the flash and brute-forcing the PIN on that, thereby avoiding software-imposed delays and resets after 10 incorrect entries?

Brian M. • September 27, 2013 9:44 AM

@1234:

The Android debugging system has to be explicitly enabled through the device settings. For version 4.2 and above, the developer options are actually initially hidden.

1234 • September 27, 2013 9:57 AM

The Android debugging system has to be explicitly enabled through the device settings. For version 4.2 and above, the developer options are actually initially hidden.

But how would that stop an attacker from opening the device, accessing and dumping the flash, and brute-forcing the dump? Is there some obscured on-chip secret key in Android or iOS?

Mike the goat • September 27, 2013 10:41 AM

1234: nope, it's all in the clear on the flash (unless you are using FDE via dm-crypt) so yes you could dump it via JTAG or by unsoldering and getting at it directly

Mike the goat • September 27, 2013 10:47 AM

1234: I guess you could also use fastboot or recovery to flash a shim that dumps the flash over USB too if you had sufficient reason to.

LorenR • September 27, 2013 10:54 AM

Not all Android phones are open to this robot attack (I will not address the other listed attacks in the comments). At least some vendors enhance the standard OSS in this area. Before Motorola Mobility was acquired by Google, at least some phones (Cliq2 running 2.3.6) shipped from them with the following escalation:

5 wrong unlock tries started a 30 second lockout;
5 additional wrong unlock tries started another 30 second lockout; repeat until the wrong unlock try count hits ~25; then it forces you to use the Google authorization linked to the device to unlock it.

Regards,
Loren
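A small calculator, added here as an example (it is not code from the post or from any commenter), that puts the lockout schedules described in the thread above (Tom's S3 and CyanogenMod figures, David's 30-minute Nexus S delay, LorenR's Cliq2 escalation, and the 4-to-16 digit PIN lengths) on one footing. It assumes 7.2 seconds per attempt, the rate implied by the linked article's 10,000 PINs in 20 hours, and treats a wipe or forced Google sign-in as simply ending the run.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    """How a device reacts to repeated wrong unlock attempts."""
    name: str
    failures_per_lockout: int = 0      # 0: the device never delays
    lockout_seconds: float = 0.0       # pause imposed after each group of failures
    stop_after: Optional[int] = None   # failures before wipe or forced online auth


def keyspace(length: int, alphabet: int = 10) -> int:
    """Number of distinct codes: 10**4 for a 4-digit PIN, 10**16 for 16 digits."""
    return alphabet ** length


def time_to_exhaust(space: int, policy: LockoutPolicy, entry_seconds: float = 7.2):
    """Seconds a sequential guesser needs to try every code, and whether it can.

    entry_seconds is the mechanical cost of one attempt; the 7.2 s default is
    an assumption derived from the article's "10,000 PINs in 20 hours".
    Returns (seconds, attempts_made, can_finish).
    """
    attempts = space if policy.stop_after is None else min(space, policy.stop_after)
    can_finish = attempts == space
    # A lockout only costs time if another attempt follows it, hence attempts - 1.
    lockouts = (attempts - 1) // policy.failures_per_lockout if policy.failures_per_lockout else 0
    seconds = attempts * entry_seconds + lockouts * policy.lockout_seconds
    return seconds, attempts, can_finish


# Schedules as reported in the comments; names and figures come from the thread.
POLICIES = [
    LockoutPolicy("no delay, no wipe (behaviour the post assumes)"),
    LockoutPolicy("Galaxy S3 as described: wipes after 8 failures", stop_after=8),
    LockoutPolicy("CyanogenMod 10.1: 30 s after every 5 failures", 5, 30),
    LockoutPolicy("Nexus S 4.1.2: 30 min after every 5 failures", 5, 1800),
    LockoutPolicy("Cliq2: 30 s per 5 failures, Google auth at ~25", 5, 30, 25),
]

if __name__ == "__main__":
    for length in (4, 6):
        space = keyspace(length)
        print(f"{length}-digit PIN, {space:,} codes")
        for p in POLICIES:
            secs, n, ok = time_to_exhaust(space, p)
            status = f"{secs / 3600:,.1f} h" if ok else f"stopped after {n} attempts ({secs:.0f} s)"
            print(f"  {p.name}: {status}")
```

Changing `entry_seconds` or `alphabet` lets you rerun the comparison for a faster robot or for the alphanumeric passcodes several commenters mention.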

Wael • September 27, 2013 11:51 AM

@ Mike the goat,

you could dump it via JTAG...

JTAG is disabled on production units. It's one of the items pen testers check for before signing off on the device. But booboos do happen once in a while. Also, some partitions are fully encrypted or partially encrypted. And the CPU has hardware protected keys...

Ian McNee • September 27, 2013 12:04 PM

This posting seems a little snarky, almost like a dig at Android in response to the rather more significant flaws found in Apple's Touch ID system. Out of the box vanilla Android devices can be secured with far longer PINs or alpha-numeric passcodes that would make this particular attack impractical.

What this really demonstrates is that short or simple PINs, passcodes, swipe patterns, etc. amplify any weaknesses in an authentication system. But at least the security-conscious Android user has the option of using a long passcode; there currently is no way that an iPhone 5S user can strengthen Touch ID against compromise - other than perhaps extensive use of disposable gloves and cleaning cloths!

Gweihir • September 27, 2013 12:16 PM

And what we can see here is that in this sense Android is very much Linux-like: Every distribution does its own thing in some aspects.

Some_Guy_In_A_Diner • September 27, 2013 1:39 PM

Yeah, I think the corps have screwed us. They don't care about security at all. I feel like I have to rethink all of the technology I come in contact with. These mobile phones have gotten way out of hand. (No pun intended. :P)

Mike the goat • September 27, 2013 3:22 PM

Wael: looking at my n4 it seems /data is just plain ext4.

0000000 0000 0000 0000 0000 0000 0000 0000 0000
*
0000400 2c20 000d a300 0034 0000 0000 f2a2 0016
0000410 0477 000d 0000 0000 0002 0000 0002 0000
0000420 8000 0000 8000 0000 1fd0 0000 93bb 5241
0000430 93bb 5241 002a ffff ef53 0001 0002 0000
0000440 0000 0000 0000 0000 0000 0000 0001 0000

Mike the goat • September 27, 2013 3:33 PM

Wael: I can also confirm JTAG works on the N4 with the right hardware. Perhaps others won't be as lucky with different phones as the Nexus were intended to be uh, mod friendly. I agree with you re encryption though - if the owner was to use the included dm-crypt based FDE you would be shit out of luck as far as making sense of the dumped data (well, except if you managed to steal the phone while it was running and do a cold boot RAM dump to grab the key, which has been successfully done on a Nexus with stock encryption enabled). Guess none of us here are silly enough to put anything remotely trusted on a mobile device, right? (I have a friend who keeps his PGP secret key ring on his phone so he can read encrypted emails on the run and I shudder every time he uses APG in front of me)

Wael • September 27, 2013 4:59 PM

@ Mike the goat,

Thanks for saving me the time. I don't have access to a Lauterbach for a few weeks.

Guess none of us here are silly enough to put anything remotely trusted on a mobile device, right?

lol! I am sure your question is rhetorical!
I'm guilty of that! As they say,
The carpenter's door is broken,
Doctors are the worst patients, and
The shoemakers' kids run barefooted...
Security people...
Should make a limerick out of it, but @ Clive Robinson will complain.

Clive Robinson • September 27, 2013 5:31 PM

@ Wael,

I don't mind a little ditty.
As long as it's witty.
But do you have the time?
To try your hand at rhyme.

Mike the goat • September 27, 2013 5:55 PM

Wael: I must admit I bricked my N4 (somehow corrupted the boot loader) and had to resort to JTAG. Sure you have to solder onto the header but it does work. Re security - I *try* and practice what I preach but my cell phone is somewhere that I draw the line at being undefendable and instead I don't trust it at all. I don't use full disk encryption as my cell is almost always switched on when I am out of the home or office and given how easy cold boot key retrieval is I didn't think it was worth the bother. Ditto with having a PIN/pattern lock. I store nothing worth stealing on the phone and don't use NFC based wallets etc. So it's really a risk minimization strategy. I do keep the android tor client installed though and have root so it can transparently proxy things through tor when browsing (not because I need anonymizing but because I don't - driving my cell phone casual web surfing through gives the snoops a bit more noise to the signal they are after)... incidentally from what I have noticed it leaks DNS queries so be careful of Orbot. Although it's a pain in the ass I printed my OPIE keys out on inkjet DIY business card paper (the A4 or legal sheets that perforate into a bunch of cards) twenty keys to a card (two sided ten to a side) and keep one card in my wallet for times I need remote ssh access. It works quite well and doesn't need any fobs or tokens like one commercial two factor solution that uses an Android or iPhone app.

My home computing opsec leaves a lot to be desired but that is in part due to other people's computers! My wife has an unpatched Win7 machine that seems to get owned every week. I have put it on a private VLAN to try and segregate it ;-)

Mike the goat • September 27, 2013 6:00 PM

Generating rhyme, like factoring primes
Needs more than just skill,
It requires some time.
In today's society that may just surprise
As everything's instant in a consumerist's eyes
But just as Bronte could not write Wuthering Heights in a day,
I suspect that nobody can quickly break 2048 bit RSA
Not even the NSA

Man, that was crap. No wonder I am in IT and not poetry.

Aspie • September 27, 2013 6:15 PM

@Jose

Wonderful mini robot, a lock picking one...? for safeboxes?

Yep. I used to pick locks and crack safes for a living. There are kits to do the latter via servos and close contact transducer. Nothing fancy; try every combination until the lock opens. Thing is Group 2 locks are so poorly made that the 100 positions translates in reality to about 30.

Richard Feynman noted this in one of his autobiogs, Surely You're Joking, Mr. Feynman!

Some things never change.

Aspie • September 27, 2013 7:00 PM

@Aspie

... I feel compelled to add that I was licensed and there were strict rules regarding contents of protected spaces accessed.

So ... on a more humorous note the entertainment industry spins things differently about the NSA, probably a mixture of exaggerated bragging and lack of real information.

There's nothing like myth to preserve an undeserved mystique and puff up the pride of the suits involved.

Wael • September 28, 2013 1:23 AM

@ Mike the goat,

For some reason I smile every time I type your name :)

my cell phone is somewhere that I draw the line at being undefendable and instead I don't trust it at all.

With the likes of Carrier IQ sitting on the phone, that's the right thing to do. Me? I gave up on privacy long ago...

The only way I know to have privacy is not to have a cell phone, bank accounts, social security numbers, grocery store loyalty cards, land line phones, drivers licenses, a car, an apartment... Just pay with cash if you can get a job ;)
Basically you can't exist on paper. Would be a difficult life.

Tom R. • September 28, 2013 7:19 AM

@kashmarek

That didn't happen to me with the link, but the same/similar thing happens to me (browser disappearing, everything locking up, mouse unresponsive, etc.) virtually every time I go to LinkedIn. I have no idea what the cause is, I only know it's rather frustrating.

Wael • September 28, 2013 9:44 AM

@ Clive Robinson,

ditty...

Nice! My brain is blocked now. The opportunity will come though...

@ Mike the goat,

generating rhyme, like factoring primes

Not bad for an IT pro ;)

Mike the goat • September 28, 2013 12:59 PM

Wael: haha, yes in the words of Bob Dylan "I'm a poet, and I know it; hope I don't blow it"

Re my pseudonym, I am glad it makes you smile. That's sort of the intent. I used to have a giant plaster of Paris statue of Pan (the great goat God of the Greeks) copulating with a she-goat on my desk until some douchebag in upper management said it was unprofessional and forced me to remove it. It sat in the break room until a female (christian fundamentalist) secretary took offense and it somehow just disappeared. Yes, she stole my goat statue! I also had a 3D printed BSD Daemon with a sausage covered in Windows logos on his trident that also went missing. No doubt it was the same person who kept stealing stationery.

Re phones it would be nice if someone with some security credibility could sit down and engineer an OS from the ground up for mobile devices that implements just enough functionality to be useful without being overbearing. I was fond of Symbian not because of its design or code quality but because of its philosophy. Guess the current climate of having features as the primary driver of sales isn't conducive to rolling out a mature and well tested OS designed with security in mind. Hopefully this will change.

Re meatspace security. Illegals are very good at doing just that - living their whole lives "off the record". Unfortunately for most of us we are betrayed and inducted into the system as soon as we pop out of the womb. We get serialized (SSN#) and forensic data is collected. Perhaps I am being too paranoid but I expect that the heel prick test for phenylketonuria is also used for mass surveillance (in most states the cards are not destroyed and are archived). Add to this serialized medical implants, dental records, fingerprint collection at grade school under the guise of protecting your children from crime, etc.

It is indeed very hard to live without a paper trail.

Wael • September 28, 2013 2:48 PM

@ Mike the goat,

fingerprint collection at grade school under the guise of protecting your children from crime, etc...

I think I stated once that our fingerprints are taken at birth. Seems that's a slightly inaccurate statement. They take the footprint instead. Fingerprints are not fully developed at birth, I'm told. Maybe in school they create the connection.

Re phones it would be nice if someone with some security credibility could sit down and engineer an OS from the ground up for mobile devices that implements just enough functionality to be useful without being overbearing. I was fond of Symbian not because of its design or code quality but because of its philosophy.

Unfortunately, technology isn't the only factor. Without saying more, the safest for the time being is buying a "trade" phone, and using something like AOSP on it. "Trade" phones are unlocked phones that are not subsidized by carriers - you buy them directly from the manufacturer, not from a carrier store. You'll also need to block FOTA functionality. I don't foresee this technique being safe in the future either. Reason is, the modem firmware is not open source... @ RobertT had a different tactic mentioned somewhere in the not so deep bowels of this blog....

Mike the goat • September 29, 2013 6:49 AM

Wael: yeah, I believe the footprints are probably useless. The PKU heel prick cards however could definitely be used to create a DNA database of every person born in the USA since the late 70s. Devious idea hey?

Blakemeister • September 30, 2013 11:21 AM

Android will take up to 16 full ASCII characters (anything on the keyboard) for screen unlock. On Nexus devices (at least the GNex), there is an app that locks into the full dm-crypt engine and allows unlimited length for the pre-boot FDE password. On an encrypted device, Recovery can't see anything but read-only system files, without the FDE password. Removing all permissions from adb in /system/bin is wise as well.

Blake


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..