Brute Forcing an Android Phone


[Brett's] girlfriend is very concerned about cell phone security — so much so that she used a PIN so secure, even she couldn’t remember it.

Beyond forgetting the PIN, the phone also had encryption enabled, the bootloader locked, and zero permissions for the Android Device Manager to change the PIN. Lucky for her, [Brett] had purchased an STM32F4Discovery Development Board a few months ago, and was itching for a suitable project for it.

Now unfortunately, Android allows you to pick a PIN of anywhere between 4 and 8 digits, which as you can guess, results in a massive number of possible permutations. She was pretty sure it was only 6 digits, and that she didn’t use a 1, 2, or 3… and she thought it started with a 4 or a 7… and she didn’t think any of the digits were repeated… This helped narrow it down a bit, from 1 million possibilities to about 5,000 — assuming all of the boundary conditions she remembers are in fact correct.

[Brett] started by writing a C library to generate permutations of the PIN, testing the board on his own phone to make sure it works with a known PIN, and boom, they were in business.

28,250 PIN attempts later, they decided they were not. Did we mention you can only enter 5 PINs in every 30 seconds?
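The arithmetic behind those two paragraphs, as an added illustration rather than Brett's own permutation library: enumerate the candidate PINs that survive each half-remembered constraint, then apply the lockout the post describes (five attempts, then a 30-second wait) to see how long exhausting them takes. The lockout figures and the digit sets are taken from the post; the way they are combined is this example's assumption.

```python
"""Candidate-space and lockout arithmetic for the PIN recovery described above.

Added illustration, not Brett's permutation library. The lockout model is the one
the post states: five attempts, then a 30-second wait before the phone accepts more.
"""
from itertools import permutations, product

DIGITS = "0123456789"
ATTEMPTS_PER_WINDOW = 5   # guesses accepted before the lockout kicks in
LOCKOUT_SECONDS = 30      # forced wait after each block of wrong guesses


def candidate_pins(length, allowed=DIGITS, first=None, distinct=False):
    """Yield every PIN of `length` digits consistent with the remembered constraints.

    allowed  -- digits that may appear at all (e.g. everything but 1, 2, 3)
    first    -- digits the PIN may start with (None means any allowed digit)
    distinct -- True if no digit may repeat
    """
    first = set(first) if first is not None else set(allowed)
    combos = permutations(allowed, length) if distinct else product(allowed, repeat=length)
    for combo in combos:
        if combo[0] in first:
            yield "".join(combo)


def count_candidates(length, allowed=DIGITS, first=None, distinct=False):
    """Worst-case number of guesses a brute-force run needs under these constraints."""
    return sum(1 for _ in candidate_pins(length, allowed, first, distinct))


def seconds_to_try(attempts, per_window=ATTEMPTS_PER_WINDOW, lockout=LOCKOUT_SECONDS):
    """Forced waiting time to submit `attempts` guesses: one lockout is served after
    every full block of `per_window` wrong guesses that is followed by another guess.
    Typing time is ignored, so this is a lower bound on wall-clock time."""
    return ((attempts - 1) // per_window) * lockout if attempts > 0 else 0


def guesses_per_hour(per_window=ATTEMPTS_PER_WINDOW, lockout=LOCKOUT_SECONDS):
    """Ceiling on the guess rate the lockout allows (600/hour for 5 per 30 s)."""
    return per_window * 3600 // lockout


if __name__ == "__main__":
    no_123 = "0456789"   # six digits, no 1, 2 or 3, no repeats gives the post's "about 5,000"
    scenarios = {
        "6 digits, anything": count_candidates(6),
        "6 digits, no 1/2/3, no repeats": count_candidates(6, no_123, distinct=True),
        "... and starts with 4 or 7": count_candidates(6, no_123, first="47", distinct=True),
    }
    print(f"lockout allows at most {guesses_per_hour()} guesses/hour")
    for label, n in scenarios.items():
        print(f"{label:35s} {n:>9,} guesses -> {seconds_to_try(n) / 3600:8.1f} h worst case")
    print(f"the 28,250 attempts in the post cost at least {seconds_to_try(28_250) / 3600:.1f} h of waiting")
```

The unconstrained six-digit space works out to roughly 69 days of forced waiting, which is the whole point of the lockout: it is what keeps a hardware keypad-poker from being a practical attack on anything but a heavily narrowed candidate list.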

Head on over to his blog for the whole project; it’s well worth the read!

http://www.youtube.com/watch?v=WTVO7_Sai9w

We’ve covered lots of brute force hacking methods over the years, from the simplest solution of using a Teensy, to our favorite, an elaborate robotic finger that used servos and a DVD drive sled!

Comments

  1. Robert The Bruce says:

    Weak, it’d only take about 21 years to brute force all the 7 and 8 digit codes.

  2. yourmother says:

    He could have unlocked it via something like Cydia Impactor within seconds if the device hadn’t been patched.

  3. Ian Lee says:

    Doesn’t this belong under fail of the day? Valiant attempt, though.

  4. Sven says:

    Isn’t there an unlock service for, you know, actual purchased phones that you didn’t steal or buy from a thief? Or was it the data content on the phone that was the target? Photos and such?

  5. barry99705 says:

    If you’re going to use a pin, have another way to get in.

    https://www.google.com/android/devicemanager?u=0

  6. Edward says:

    Confusing writeup at his blog.

    First he says “This limited me to a guessing rate of about 510 guesses per minute.”

    At the end he says “failure was due to simply having too large of a solution space to try with the rate limit of 510 guesses per hour. “,

    What is it? 510 per minute or 510 per hour?

    How did he get 510? 60 * 2 = 120, 30 second blocks of time. 5 * 120 = 600 attempts?

    What am I missing?

  7. v00 says:

    If you don’t mind voiding the warranty, the best way of breaking these is to get the CPU on jtag and watch what happens when you hit the okay button. At some point it must be doing a comparison between what you entered and the actual code, and you could either decode the actual code or twiddle the bits on the CPU to get it to let you in.

  8. Edward says:

    He should have done a Factory Reset on the girlfriend. :-)

  9. chris says:

    Is ADB disabled? If not then they could just manually extract or reset it from the command line.

    • Aaron says:

      ADB has to be manually enabled now. You have to go to settings, about phone and tap on the build number 6 times and you get a message that says “developer mode enabled” or something like that. Then development options shows up under settings and there is a checkbox for adb in there.

  10. Javier Falbo says:

    You don’t need any of this. Google Play gives you online PIN capture by installing applications to do it, like device manager. Even if you don’t remember the PIN you could have access to the phone.

  11. Jim says:

    Can you still install software on the device through the Play Store website? If so maybe you can find an app that allows you to access your device remotely (without needing to set something up of course).

  12. ejonesss says:

    8 digits gives 100,000,000 combinations; that is 100 million.

  13. Occam49 says:

    Next up, this guy will discover that after 50,000 consecutive failed attempts Android will announce that he has won the persistent loser award.

  14. bthy says:

    Volume Up + Power for factory reset didn’t work?

  15. andarb says:

    It’s hard for me to believe that someone is THAT worried about the security of a phone. What is she worried someone will find? No one really cares that much about her selfies. :p

    But he does specifically use the word ‘lovely’ a few times in relation to her… that might explain a few things.

  16. My colleagues showed off a delta robot for doing this at DEFCON. Their presentation is posted here: https://www.defcon.org/images/defcon-21/dc-21-presentations/Engler-Vines/DEFCON-21-Engler-Vines-Electromechanical-PIN-Cracking.pdf. All of the files required to replicate their work should be available here: http://isecpartners.github.io/tools/ under R2B2.

  17. anon says:

    I can see it now – guy spends days coding a solution to unlock her phone. Finally manages to get the phone unlocked, only to be dumped when he discovers she’s been cheating on him *insert Bad Luck Brian*. The PIN was obviously to keep him from going through her text history. Be an alpha and kick that bitch to the curb

    • static says:

      Interesting, but wouldn’t “real” Alpha sense it was time to take action without further investigation? ;)

    • dokir says:

      Lol, gotta laugh at the idea of the GF sweating bullets while pretending to be thankful. Of course, if that was the case she doesn’t have much to be afraid of because she was put in a position to give deliberately bad password guidance for shaping the attack.

  18. static says:

    I ever had was a standard inexpensive phone. I get a new one at a bargain price whenever the contract is renewed, because by that time the battery is getting tired. They transfer everything from the old phone to the new one for me. I don’t know if any PIN is copied or if it’s required to do the transfer or not, but if it isn’t would buying a new phone be a solution to get the data back? In the event it would it be a lesson to keep a copy of the PIN somewhere (not forgetting where), regularly transfer photos, have an old-fashioned address book you write in; newer ones even have a field for email too. Forward texts with important stuff to a web mail email address, if you don’t have email through a separate ISP. In the event the phone has a hard reset that absolutely destroys all the data, you have a phone to sell to offset the cost of the new one. Or let your geek boyfriend have it to do something useful with, as a small tablet computer.

  19. potatoman412 says:

    Wow. I gotta commend the effort and add this helpful hint. If one is looking for an insanely long backup number look no further than under your phone’s battery ;) There is usually a serial # or Part # there that would suffice and it is right there if you are ever locked out. Seems like a rational concession to an overly eager phone encrypting life partner. Perhaps they should be the one doing all this though to begin with since they are sooooooo concerned about privacy and know everything else except the concepts behind it winky face. We have one around my house as well that is really great at breaking things and leaving them on my desk to fix. She really got to me with the laptop ac adapter ripouts until I forced her to use the modemplug trick. Kudos really, on keeping a level head with the whole ordeal.

  20. maname says:

    Why not just ask the NSA?

  21. Freddy says:

    How about doing a modified factory update? It doesn’t wipe the phone usually, and if you can get it to delete the correct file or run a command, you can disable the lock screen. He doesn’t list the phone model, but some phones let you load a factory update over USB once you boot up into download mode or the locked recovery. You’d have to find a way to fool the phone into running a modified factory update. Not the easiest thing to do but not impossible either.

  22. Hirudinea says:

    This is a prime example of why you should always use a password you can easily remember. I myself use the length of my erect penis in millimetres; of course that’s only good for 4 digit passwords.

  23. If she, you, or others have not touched or cleaned the screen in the virtual-keypad area you might try a forensic technique to tell what numbers she touched. You need her face powder brush from her makeup kit and some baby powder from the baby’s diaper bag. Lightly dust the area and use a cheapish UV black light from Walmart sporting goods dept. to fluoresce the area (the black light baseball cap-light for $8). The finger tips should show up, minimizing what characters to try and what not to try. It may even jog her memory if she knew what characters she likely touched. The order is not known however.

    Failing that. Take her to one of those Hypnotherapy psychiatrists that does hypnosis for stop smoking and other things. They can have her regress back to when she last successfully logged in and she can read off out loud what numbers she touched that day.

  24. vonskippy says:

    I’d recommend a pad of Post-It Notes and a Nice Pen for her xmas gift. Is it really that hard to use some (any) method to remember passwords (keepass, sticky-note, etc)?

    • NewCommentor1283 says:

      I used a pen and paper the other day to copy/forward/convert
      the contents of an email (activation code, text)
      from one end of the room to the other.
      People were confused and surprised.
      They had the genuine look of learning on their faces!

      I think they learned the ultimate compatibility hack;
      if you can read it, then you can read it! Simple!

      Take that you file-formats!

      PS: quarter page of text in picture format embedded into DOCX
      then embedded into PDF is stupid.
      I don’t care who the heck you think you are.
      If you do this you are asinine.

      PPS: that’s loading the DLL files for THREE programs to view ONE file.

  25. Drain says:

    Does she work somewhere with a security camera? You could look over the footage (assuming at some point she unlocks her phone during the day there) and get some more information about the PIN, if not the PIN itself.

  26. Marc says:

    Six digits Eh? Hmmmm, a date perhaps, someone’s birthday or anniversary or whatever.

  27. Ren says:

    I guess the password wasn’t 8765309….

  28. Oh, it’s so funny how paranoid people are. What’s the actual likelihood that anyone gives a crap about you? Usually the perceived danger of “hackers” and “thieves” is way over-proportioned compared to the actual likelihood of anything happening to you. Then you create some annoyingly stupid password/pincode that no one could ever guess or remember and you write it on a Post-it note and place it next to your device for you to remember, completely negating the purpose of a frigging password/pin in the first place. Then you turn to your boyfriend/husband to play free tech support and rack their brains trying to beat a dead horse because you want to save your selfies and text messages.

  29. Phil says:

    Somewhat OT, but certainly related.
    Here’s a simple way to generate a PIN which is extremely easy to remember, but relatively difficult to brute-force guess.

    Use an old obsolete phone number, something which you used so much in the past that you’ll never forget it, but something which you will never use again so it’s not something in your phone’s database. It could be your phone number while growing up, a former business where you worked, or something similar.

    If you’d like something slightly more secure (although it’s barely worth the extra effort in terms of actual added security) add one to each digit. For example, use 867-5309 (the Jenny number) as a seed. The PIN becomes 9786410 – something you can easily generate on the fly and remember, but not something easy for somebody to guess – whether they know you, or by brute force.

    Worst password advice ever – MetroPCS actually suggested that I use my birthdate as a password, one of the worst 8 digit PINs possible. The month only goes from 01 to 12, the days only go from 01 to 31, and the year is a maximum range of about 80 years. Not to mention that a person’s birthdate is relatively easy to find.

  30. Ross says:

    Eh… just use a USB Rubber Ducky to do the same thing… only a lot easier! http://hakshop.myshopify.com/products/usb-rubber-ducky

  31. Chris Roper says:

    Is the PIN code not stored on the SIM card rather than the Phone? Try putting in a different SIM card with a known PIN and see if you can access the contents of the Phone that way.
