Sticking with the theme this week, I have been bored and haven't been able to sleep well, so I decided to try my hand at brute forcing the PIN on my Samsung Galaxy S3. Annoyingly, Android anticipated this: after 5 failed attempts you have to wait 30 seconds. Luckily, that delay doesn't grow with further failures, so automating is easy. I have seen Hak5's USB Rubber Ducky do this attack, since it simply emulates a keyboard, so I decided to try it with my Arduino, and it works just fine. Sweeping 0000 to 9999 means 2,000 lockouts of 30 seconds each, roughly 16 to 17 hours before counting the time to type each PIN, but the odds are you would get it well before then.
I also tried the other authentication types on my phone. The most interesting was the pattern lock, which now forces you to set a backup PIN. If a backup PIN is set and you can't get the pattern, you can brute force the backup PIN all day: it doesn't have the 30-second delay. After 5 failed swipe attempts you get the option to enter your backup PIN. See the image below. That makes for much faster brute forcing.
The Arduino sketch below first tries the top 20 PINs and then starts its brute force cycle. Yes, it will repeat those 20 eventually, but we try them first, just in case.
For this attack to work you will need an Arduino Leonardo, or any Arduino that can act as a HID (Human Interface Device), a USB OTG (On-The-Go) cable and a target device. I always set my HID sketches to work with a switch, as I do not want to race the clock trying to upload a new sketch.
In all seriousness, this would be a last resort for me; it's going to take a long time. I would try to narrow it down somehow, for example by eliminating the 0 range, 0000-0999. Do most people start with a zero? Maybe not.
Finally, the backup PIN brute force is, in my opinion, a real issue; you could brute force that fairly quickly.