Wednesday, January 15, 2014

Brute forcing Android PINs with an Arduino and an Authentication Weakness

Sticking with the theme this week, I have been bored and haven't been able to sleep well. I decided to try my hand at brute forcing the PIN on my Samsung Galaxy S3. Annoyingly enough, the Android operating system anticipated this: after 5 failed attempts you have to wait 30 seconds. Luckily, that delay stays fixed at 30 seconds no matter how many times you fail, so automating is easy. I have seen Hak5's Rubber Ducky do this attack, since it simply emulates a keyboard, so I decided to try it with my Arduino, and it works just fine. Going from 0000 to 9999 would take roughly 16 hours, and the odds are you would get it before then.

I also tried to play with other authentication types on my phone. The most interesting was the pattern type, which now forces you to create a backup PIN. If this is set and you can't get the pattern, you can brute force the backup PIN all day; it doesn't have the 30 second delay. After 5 failed swipe attempts you get the option to enter your backup PIN (see the image below). That makes for much faster brute forcing.

The Arduino sketch below first tries the top 20 PINs and then starts its brute force cycle. Yes, it will repeat those 20 eventually, but we try them first, just in case.

For this attack to work you will need an Arduino Leonardo (or another Arduino that can act as a HID, a Human Interface Device), a USB OTG (on-the-go) cable and a target device. I always set my HID sketches to work with a switch, as I do not want to race the clock trying to upload a new sketch.
In all seriousness, this would be a last-resort type of thing for me; it's going to take a long time. I would try to narrow it down somehow, like eliminating the 0 range (0000-0999). Do most people start with a zero? Maybe not.

Finally, the backup PIN brute force is, in my opinion, a real issue; you could brute force that fairly quickly.
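The two timing claims in this post (roughly 16 hours for the primary PIN behind a fixed 30 second wait, and "fairly quickly" for the backup PIN with no wait) come down to how the lockout policy is shaped. The model below is an added example, not code from the post or its sketch; it puts a number on the lockout policy the post describes and on two hardened policies it does not (a doubling backoff with a delay cap, and a hard wipe-after-N-failures cap), so that a defender can see why a fixed delay barely helps and why a cap or backoff does. The keystroke time of 0.5 s per attempt, the 1 hour delay cap and the 10-attempt wipe threshold are assumptions chosen for illustration.

```python
"""Constructed model of how a lockout policy bounds PIN guessing.

All timings here are assumptions for illustration, not measurements from
the post: the post reports a fixed 30 s wait after every 5 failed attempts
on the primary PIN and no wait at all on the pattern-lock backup PIN; the
keystroke time, backoff factor, delay cap and wipe threshold are invented.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    name: str
    failures_per_lockout: int            # failed attempts allowed before a wait starts
    base_delay_s: float                  # length of the first wait
    growth: float = 1.0                  # multiplier for each successive wait (1.0 = fixed)
    max_delay_s: Optional[float] = None  # ceiling on a single wait, if the policy has one
    max_attempts: Optional[int] = None   # hard cap: device wipes / locks for good afterwards


def lockout_seconds(policy: LockoutPolicy, attempts: int) -> float:
    """Total waiting time incurred before the `attempts`-th guess can be entered.

    A wait is triggered after every `failures_per_lockout` failures, so the
    number of waits incurred before attempt k is (k - 1) // failures_per_lockout.
    """
    waits = (attempts - 1) // policy.failures_per_lockout
    total = 0.0
    delay = policy.base_delay_s
    for _ in range(waits):
        total += delay
        delay *= policy.growth
        if policy.max_delay_s is not None:
            delay = min(delay, policy.max_delay_s)
    return total


def seconds_to_guess(policy: LockoutPolicy, attempts: int,
                     seconds_per_attempt: float) -> Optional[float]:
    """Wall-clock seconds to submit `attempts` guesses, or None if the hard
    cap stops the attacker before that many can be entered."""
    if policy.max_attempts is not None and attempts > policy.max_attempts:
        return None
    return attempts * seconds_per_attempt + lockout_seconds(policy, attempts)


def hours_to_exhaust(policy: LockoutPolicy, pin_space: int = 10_000,
                     seconds_per_attempt: float = 0.5) -> Optional[float]:
    """Worst case: every PIN in the space is tried (None if capped first)."""
    secs = seconds_to_guess(policy, pin_space, seconds_per_attempt)
    return None if secs is None else secs / 3600


def success_probability(policy: LockoutPolicy, pin_space: int = 10_000) -> float:
    """Chance a uniformly random PIN is found before the hard cap hits (1.0 if no cap)."""
    if policy.max_attempts is None:
        return 1.0
    return min(policy.max_attempts, pin_space) / pin_space


# Policies under comparison. The first two are the behaviours the post describes;
# the last two are assumed hardenings for contrast.
S3_PRIMARY_PIN = LockoutPolicy("fixed 30 s wait after 5 failures", 5, 30.0)
BACKUP_PIN = LockoutPolicy("no wait (backup PIN path)", 5, 0.0)
EXPONENTIAL = LockoutPolicy("doubling backoff capped at 1 h (assumed)", 5, 30.0,
                            growth=2.0, max_delay_s=3600.0)
WIPE_AFTER_10 = LockoutPolicy("wipe after 10 failures (assumed)", 5, 30.0,
                              max_attempts=10)

if __name__ == "__main__":
    for policy in (S3_PRIMARY_PIN, BACKUP_PIN, EXPONENTIAL, WIPE_AFTER_10):
        hours = hours_to_exhaust(policy)
        shown = "never (capped)" if hours is None else f"{hours:.1f} h"
        print(f"{policy.name}: exhaust 10000 PINs in {shown}, "
              f"P(success) = {success_probability(policy):.4f}")
    # Narrowing the space as the post suggests (dropping 0000-0999) saves little
    # when the wait dominates:
    print(f"9000-PIN space under the fixed policy: "
          f"{hours_to_exhaust(S3_PRIMARY_PIN, pin_space=9000):.1f} h")
```

With these assumptions the fixed policy comes out at about 18 hours for the full space (the 16 hours in the post is the waiting time alone; half a second of typing per guess adds the rest), the no-wait backup path at under an hour and a half, the capped doubling backoff at roughly 83 days, and the wipe policy never exhausts the space and leaves the attacker a 0.1% chance. The point for a defender is that a delay which does not grow or cap is a constant factor, not a bound.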


  1. This is great news for me. I'm locked out of my S3 and have been seeking a solution for about a week now. How do I get my hands on this?

  2. You probably could get away with a Teensy and a usb2go cable. Google has all you need to find it.

  3. Can you provide a circuit diagram? Or is all you are doing there is starting the program on a switch?

    1. All I did was add a switch so it started when I wanted it to, not as soon as it powered up.

    2. Perfect, I can figure that one out then. Thanks! This is going to solve a huge problem for me!

  4. I do not have a diagram; this is the circuit I used.

  5. Wouldn't it be closer to 18 hours?

  6. Did you connect it with the 3.3 V pin or the 5 V pin?