Researchers build $200 robot to mash buttons and crack Android PINs

Android lockscreen pin

Security researchers have built a robot with one goal in mind: to crack your smartphone's PIN. Using 3D-printed parts, servomotors, a plastic stylus, an Arduino microcontroller, and a cheap webcam, Justin Engler and Paul Vines created a $200 robot that can automate the entry of numeric smartphone PIN codes, cracking a regular four-digit Android PIN in under 20 hours.

Engler and Vines will unveil their Robotic Reconfigurable Button Basher (R2B2) prototype at the BlackHat USA 2013 conference in Las Vegas later this week, hoping to draw attention to the insecurity of four-digit PINs and how little time an attacker needs to reach confidential information. Smartphone security has grown to include pattern unlocks, face detection, and full passwords, but four-digit PINs remain the norm: you punch them in at an ATM, a variety of smartphone apps use them to protect your data, and Apple uses them to secure iOS devices. Google allows Android users to set a PIN of up to 16 digits, and R2B2 demonstrates why people should use longer ones.

"If I’m a CEO, a four-digit PIN is a problem."

While Apple's iOS platform limits the number of incorrect PIN entries, blocking further attempts for hours at a time once the user enters one too many wrong PINs, R2B2 can crack a four-digit PIN on a device running stock Android in under a day. On the Android devices Engler and Vines tested, the software delayed entries for just 30 seconds after every five incorrect guesses. Under that policy the lockout time, not the button pressing, dominates the attack, and a six-digit code would take over two months.
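To make the trade-off between PIN length and lockout policy concrete, here is a small model of worst-case and expected brute-force time. This is an added example, not code from the article or from Engler and Vines. It assumes 1.2 seconds per physical guess (a figure chosen so that the four-digit stock-Android case lands just under the article's 20 hours; the real robot's speed is not stated), models the tested Android behaviour as a fixed 30-second delay after every fifth failure, and uses a hypothetical escalating schedule as a stand-in for the iOS-style backoff the article only describes as "hours at a time".

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class LockoutPolicy:
    name: str
    # Seconds the device blocks input after the given failed attempt
    # number (1-based). 0.0 means the next guess can start immediately.
    delay_after_failure: Callable[[int], float]


def android_stock_delay(fail_no: int) -> float:
    """30 s delay after every 5th wrong guess, as the article reports for stock Android."""
    return 30.0 if fail_no % 5 == 0 else 0.0


def escalating_delay(fail_no: int) -> float:
    """Hypothetical escalating backoff (assumption, not Apple's actual schedule):
    free for the first 5 failures, then 1 min, 5 min, 15 min, and 1 h per failure."""
    if fail_no <= 5:
        return 0.0
    ramp = {6: 60.0, 7: 5 * 60.0, 8: 15 * 60.0}
    return ramp.get(fail_no, 3600.0)


ANDROID_STOCK = LockoutPolicy("stock Android (30 s per 5 failures)", android_stock_delay)
ESCALATING = LockoutPolicy("hypothetical escalating backoff", escalating_delay)


def worst_case_seconds(pin_digits: int, policy: LockoutPolicy, seconds_per_guess: float) -> float:
    """Time to exhaust the keyspace when the correct PIN is the last one tried."""
    total_guesses = 10 ** pin_digits
    failures = total_guesses - 1  # every guess but the final, correct one fails
    lockout = sum(policy.delay_after_failure(i) for i in range(1, failures + 1))
    return total_guesses * seconds_per_guess + lockout


def expected_seconds(pin_digits: int, policy: LockoutPolicy, seconds_per_guess: float) -> float:
    """Average time over a uniformly random PIN (each position in the guess order
    is equally likely to be the correct one). Uses a running lockout total so the
    six-digit case stays linear rather than quadratic."""
    n = 10 ** pin_digits
    lockout_so_far = 0.0           # lockout accumulated after j failures
    lockout_summed_over_positions = 0.0
    for j in range(n):             # j failures precede a success at position j+1
        lockout_summed_over_positions += lockout_so_far
        lockout_so_far += policy.delay_after_failure(j + 1)
    # Mean guess position is (n+1)/2; mean lockout is the average over positions.
    return seconds_per_guess * (n + 1) / 2 + lockout_summed_over_positions / n


def hours(seconds: float) -> float:
    return seconds / 3600.0


def days(seconds: float) -> float:
    return seconds / 86400.0


if __name__ == "__main__":
    PER_GUESS = 1.2  # assumed seconds per physical button sequence
    for policy in (ANDROID_STOCK, ESCALATING):
        for digits in (4, 6):
            worst = worst_case_seconds(digits, policy, PER_GUESS)
            avg = expected_seconds(digits, policy, PER_GUESS)
            print(f"{policy.name}, {digits}-digit PIN: worst {days(worst):.1f} d "
                  f"({hours(worst):.1f} h), expected {days(avg):.1f} d ({hours(avg):.1f} h)")
```

Under the fixed 30-second policy, the 1,999 lockouts for a four-digit PIN contribute about 16.7 of the roughly 20 worst-case hours, which is why adding digits (more lockouts) or escalating the delay (longer lockouts) both push the attack out by orders of magnitude, while a faster robot barely helps.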

Moving forward, the researchers plan to keep upgrading the robot so it can work with PINs used in various smartphone apps, and to look into whether it can crack hotel safes, ATMs, or combination locks. Given that all three have strict safeguards against manual brute-force attacks (most ATMs, for example, retain your card after three incorrect entries), we're not sure they'll have much luck. In the spirit of openness, the robot's creators will release the parts list, detailed build instructions, and 3D printer files when they give their BlackHat talk.