Brute Forcing A Mobile’s PIN Over USB With A $3 Board

Mobile PINs are a lot like passwords in that there are a number of very common ones, and [Mobile Hacker] has a clever proof of concept that uses a tiny microcontroller development board to emulate a keyboard to test the 20 most common unlock PINs on an Android device.

Trying the twenty most common PINs doesn’t take long.

The project is based on research analyzing the security of 4- and 6-digit smartphone PINs which found some striking similarities between user-chosen unlock codes. While the research is a few years old, user behavior in terms of PIN choice has probably not changed much.

The hardware is not much more than a Digispark board, a small ATtiny85-based board with built-in USB connector, and an adapter. In fact, it has a lot in common with the DIY Rubber Ducky except for being focused on doing a single job.

Once connected to a mobile device, it performs a form of keystroke injection attack, automatically sending keyboard events to input the most common PINs with a delay between each attempt. Assuming the device accepts the input, trying all twenty codes takes about six minutes.

Disabling OTG connections for a device is one way to prevent this kind of attack, and not configuring a common PIN like ‘1111’ or ‘1234’ is even better. You can see the brute forcing in action in the video, embedded below.
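The article's second mitigation, not choosing a common PIN, can be enforced at enrollment time. The check below is an added example, not code from the article or from [Mobile Hacker]: it rejects the PINs the article names, single-repeated-digit and straight-run sequences, and 4-digit values that look like a birth year (a pattern the comments also point out). The blocklist holds only the two values the article mentions and the year range is an assumption; a real policy would carry the full top-N list from the cited research.

```python
"""Lock-screen PIN policy check (added example, not from the original article).

Flags the weak choices discussed on the page: the very common PINs the
article names, all-same-digit and straight-run sequences, and 4-digit
values in a plausible birth-year range.
"""
from datetime import date

# Constructed blocklist: only the values the article itself names are
# included here; extend it with the top-N list from the research.
COMMON_PINS = {"1111", "1234"}

# Assumption: treat 4-digit values in this range as probable birth years.
YEAR_MIN, YEAR_MAX = 1900, date.today().year


def is_repeated(pin: str) -> bool:
    """True when every digit is the same, e.g. 0000 or 777777."""
    return len(set(pin)) == 1


def is_sequential(pin: str) -> bool:
    """True for straight runs such as 1234, 4321, 0123 or 6789 (step of +1 or -1)."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def looks_like_year(pin: str) -> bool:
    """True for a 4-digit value inside the assumed birth-year range."""
    return len(pin) == 4 and YEAR_MIN <= int(pin) <= YEAR_MAX


def check_pin(pin: str) -> list[str]:
    """Return the policy findings for a candidate PIN; an empty list means accepted."""
    if not pin.isdigit() or len(pin) not in (4, 6):
        return ["pin must be 4 or 6 digits"]
    findings = []
    if pin in COMMON_PINS:
        findings.append("in common-PIN blocklist")
    if is_repeated(pin):
        findings.append("single repeated digit")
    if is_sequential(pin):
        findings.append("sequential digits")
    if looks_like_year(pin):
        findings.append("looks like a birth year")
    return findings


if __name__ == "__main__":
    for candidate in ("1234", "1111", "1985", "123456", "2580"):
        print(candidate, check_pin(candidate) or "accepted")
```

The pattern checks matter as much as the blocklist: a list of twenty PINs is easy to curate, but the run and repeat heuristics also catch the longer 6-digit equivalents (000000, 123456) that a 4-digit list would miss.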

51 thoughts on “Brute Forcing A Mobile’s PIN Over USB With A $3 Board”

    1. If the person trying to get into the phone knows you’re Polish (or sees “Wpisz swój PIN” or similar on your lock screen) and knows this information, 2137 will probably be amongst their attempts.

      1. Another good reason to have a custom bootloader with filesystem access, you can reset this stuff using the file browser in TWRP for example. My tablet has a glitch where the unlock pattern will not work, it’s too laggy to complete successfully before the screen times out (IIRC). But in TWRP I can go and delete the store and it will start up with no password.

        This is great in conjunction with another hack to allow unlimited attempts and you can leave it cracking. Another tip would be to see if there are any smudges on the screen on the number spots, then you can concentrate on those digits only.

        1. You are correct about being able to delete the file in which the pin is saved in the /data partition, in older devices, that is. But you must know where that file is on your specific file system, and that changes. Also, it can be available in TWRP and OrangeFox by script, but doesn’t work on all devices.

          *Also, it’s a custom recovery – not bootloader. You can’t change the bootloader on your device. Some, such as Samsung, update the BL version with FW updates, but you can’t change your bootloader, only unlock it to flash a custom recovery. Recovery is what the “R” in TWRP stands for – “Team Win Recovery Project”.

          Not tryna be a jerk, but people may read your comment and spend lots of time researching how to get a “custom bootloader” for nothing because you’re using the incorrect terms. Maybe, advance beyond noob status before tryna flex on hacking sites, smh

    1. That last comment was supposed to be in the main area. Also when dealing with people of a certain age: any date from 1940-1970 etc is likely to be a pin. You might not be surprised how many people have a year and ‘harley’ or a pet’s name as their password. See also combination locks with 4 wheels

      1. Our school IT contractor Fred was terrible. Nothing ever worked right and he wouldn’t do basic things like change the default resolution from 640×480 on teachers’ computers even after they complained and requested him to change it. (And admin locked users from changing resolution.) Fred’s password was also Fred7.

        Truly a security mastermind.

    1. He was probably unaware that “test” has special meaning. He should have said “tried” or “typed” or something instead. From context it seems certain he used those terms interchangeably.
      It is trivial to “type” 10,000 combos and do so in the time specified.
      It would be difficult to test more than the first few due to mitigations like the lockout you mention.

    2. This is probably a hoax. The animated GIF above shows only 8 or 9 tries before being successful and the phone shown in the video on [Mobile Hacker]’s Instagram seems to run an ancient Android, it displays “Try again in 30 seconds”. I wonder how many tears were shed after trying to unlock daddy’s phone this way.

    3. Yeah this kind of thing is as dumb as most hacker movie shticks. You have not been able to brute a keypad like this nearly anywhere since idunno.. the 1980s? I’m looking forward to the guy who inevitably comes in with an example of something that is still built this way though lol

  1. Another possible fix is to ignore USB devices connected when the screen is locked. Moreover, it’s done that way in GrapheneOS [tested on pixel 4a 5g] and can be enabled by the user in DivestOS (settings → search → restrict USB → allow USB connections when unlocked) [tested on one plus 5]. Also, the pin there is not limited to 4 or 6 digits.

    1. :shrug Depends on whether the devs have considered such an attack.

      All I can say – it certainly does not work on GrapheneOS, possibly – on Calyx, and can be mitigated on DivestOS (settings → search → restrict USB → allow USB connections when unlocked). Also, the pin there is not limited to 4 or 6 digits.

  2. Some Android OS variants do not let external devices unlock the lock screen. The last CM I have on a phone (I’m not using it anymore), for example, does not react to any mouse events on the lockscreen; I have to drag it up using the touchscreen first.

  3. I made a script to try different last 2 digits (of the 4 digit pin) over ADB for my phone because I forgot the complete pin. It took a single night to unlock the phone. It was in 2014. Back then the timeout lasted for 30s no matter how many wrong passwords you inputted

  4. Uh… pretty much every phone nowadays automatically starts doubling the wait time between failed PIN attempts after the first few incorrect PINs, so very quickly you end up having to wait several minutes to an hour or more between each new attempt, making this attack almost impossible unless you guess the correct pin within a handful of tries. A lot of phones even have an option to wipe the device if X number of incorrect PINs are tried.
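The throttling this comment describes is easy to quantify. The model below is an added example, not code from the article or from any Android release: it takes a policy with a few free attempts followed by a lockout that doubles after each further failure, and reports how long a run of wrong guesses takes and how many guesses fit in a time budget. All policy parameters (five free attempts, 30 s base delay, doubling, one-hour cap, per-attempt typing time) are constructed for illustration; the 18 s no-lockout case is chosen so that the article’s twenty attempts take the six minutes it quotes.

```python
"""Model of a lock-screen attempt-throttling policy (added example, not from the article).

Computes how long a sequence of wrong-PIN attempts takes under a policy that
allows a few free attempts and then imposes a delay that grows after every
further failure, and how many attempts fit in a time budget. The parameter
values are constructed and do not describe any particular Android version.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    free_attempts: int = 5        # failures allowed before any delay is imposed
    base_delay_s: float = 30.0    # first lockout length in seconds
    multiplier: float = 2.0       # growth factor per subsequent failure
    max_delay_s: float = 3600.0   # cap on a single lockout
    typing_s: float = 1.0         # time an injector needs to type one PIN


# Constructed baseline with no throttling at all: an 18 s pause per attempt,
# which makes twenty attempts take the six minutes the article quotes.
NO_LOCKOUT_18S = LockoutPolicy(free_attempts=10**9, typing_s=18.0)


def delay_after_failure(policy: LockoutPolicy, failures: int) -> float:
    """Lockout imposed after the given cumulative number of failed attempts."""
    if failures <= policy.free_attempts:
        return 0.0
    exponent = failures - policy.free_attempts - 1
    return min(policy.base_delay_s * policy.multiplier ** exponent, policy.max_delay_s)


def time_for_attempts(policy: LockoutPolicy, attempts: int) -> float:
    """Seconds until the n-th wrong guess has been typed, lockouts included."""
    total = 0.0
    for k in range(1, attempts + 1):
        total += policy.typing_s
        if k < attempts:                      # the lockout after the last guess is not waited for
            total += delay_after_failure(policy, k)
    return total


def attempts_within(policy: LockoutPolicy, budget_s: float) -> int:
    """Number of wrong guesses that can be typed within the time budget."""
    n, elapsed = 0, 0.0
    while True:
        # attempt n+1 can be typed only after the lockout that followed failure n
        step = policy.typing_s + delay_after_failure(policy, n)
        if elapsed + step > budget_s:
            return n
        elapsed += step
        n += 1


if __name__ == "__main__":
    throttled = LockoutPolicy()
    print("no lockout, 20 attempts:", time_for_attempts(NO_LOCKOUT_18S, 20), "s")
    print("throttled, 20 attempts: ", time_for_attempts(throttled, 20), "s")
    print("throttled guesses in 1 h:", attempts_within(throttled, 3600))
```

Under the constructed doubling policy the same twenty guesses take roughly eight hours instead of six minutes, and only twelve fit inside an hour, which is why the comment concludes the attack only works when the correct PIN is in the first handful of tries.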

  5. He’s not brute forcing the “mobile’s pin”, he’s brute forcing the pin number for an app installed ON the mobile phone! That’s a very important part of the equation, and the article should be updated to reflect such. Unless you intended for the article to be clickbait, which is how it stands right now.

  6. You can miss the PIN only 3x, the phone code only 10x, but not that fast. After every miss you need more time to try again.
    What’s in the video is impossible even on old phones.
    If he is lucky he can get it in the first 9 tries, but I doubt it.

  7. Very interesting comment from “Miles”, I will try this trick soon on different devices to see which ones it can work on. TNX!
    By the way I had already written a similar thing with a Teensy, some years ago, when I was just starting with programming.
    It does exactly the same thing, however it then tries all the years from 1900 and up (this is because I have noticed in my decades of experience as a technician that many users use their year of birth, or that of close relatives; as already pointed out, the users who use pins are often from older generations), and then if the two combinations do not work it tries a brute force 0000-9999, but as already pointed out these techniques hardly work with Android’s time lock…

  8. There must exist cell phone theft rings. So assume you jack 10 or even 100 phones. My p-stat is a little rusty but the chances of you cracking at least a couple after a few tries is probably wayyyy higher than you’d expect. Even with lock outs and stuff, and so what if you brick the rest trying.
    This may be the only thing I can think of as a positive for forced obsolescence when your phone battery craps out after 3 years – new phone, new security (finger prints etc).
