PIN-punching $200 robot can brute force every Android numeric screen-password in 19 hours


#1



#2

So inelegant.


#3

You could defeat the robot by having an exponentially increasing lock out after each wrong password.


#4

It seems to me this could very easily be ameliorated (or at least made overwhelmingly impractical) by putting a sliding delay in.

So, for example, if the user enters an incorrect PIN, the phone pauses for 1 second before allowing them to retry. Each subsequent failure doubles the length of time. So it'd be 0:01, 0:02, 0:04, 0:08, 0:16, 0:32, 1:04 (64 seconds), 2:08 (128 seconds), 4:16 (256 seconds), 8:32 (512 seconds), 17:04 (1024 seconds) and so on.


#5

That wouldn't really "Defeat" the robot, it would just make it more time-consuming, making the process much less viable. 32 wrong guesses would have the delay at 136 years or so.
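The doubling delay proposed in #4 and the "136 years after 32 wrong guesses" arithmetic in #5, as an added example (not code from this thread or from any phone vendor). It assumes a 4-digit numeric PIN, a 1 s delay after the first wrong guess that doubles on each further consecutive failure, a patient robot that retries the instant the lock-out expires, and a 365.25-day year; the clock is injectable so the simulation can fast-forward instead of sleeping.

```python
"""Exponential lock-out after failed PIN attempts: a defender-side model.

Added example, not code from the thread or from any phone vendor.  All
figures below are constructed for illustration.
"""
import hmac
from typing import Callable

BASE_DELAY_S = 1.0                    # delay after the first wrong guess
SECONDS_PER_YEAR = 365.25 * 24 * 3600  # 31,557,600 s


def delay_after_failures(failures: int, base: float = BASE_DELAY_S) -> float:
    """Delay imposed after `failures` consecutive wrong PINs: 1, 2, 4, 8, ... s."""
    if failures <= 0:
        return 0.0
    return base * 2 ** (failures - 1)


def cumulative_wait(failures: int, base: float = BASE_DELAY_S) -> float:
    """Total enforced waiting before attempt number failures + 1.

    Sum of the geometric series 1 + 2 + ... + 2**(failures-1) = 2**failures - 1,
    so 32 failures cost 2**32 - 1 s, about 136 years (the figure quoted in #5).
    """
    return base * (2 ** failures - 1)


class PinLock:
    """Screen lock that refuses attempts until the current back-off has elapsed."""

    def __init__(self, pin: str, clock: Callable[[], float], base: float = BASE_DELAY_S):
        self._pin = pin
        self._clock = clock            # injectable so a simulation can fast-forward
        self._base = base
        self._failures = 0
        self._unlock_at = 0.0          # earliest clock value at which an attempt is accepted

    def seconds_until_retry(self) -> float:
        return max(0.0, self._unlock_at - self._clock())

    def try_unlock(self, guess: str) -> str:
        now = self._clock()
        if now < self._unlock_at:
            return "LOCKED"            # attempt ignored; back-off unchanged
        # compare_digest keeps comparison time independent of which digit differs
        if hmac.compare_digest(guess.encode(), self._pin.encode()):
            self._failures = 0
            self._unlock_at = 0.0
            return "OK"
        self._failures += 1
        self._unlock_at = now + delay_after_failures(self._failures, self._base)
        return "WRONG"


class FakeClock:
    """Simulated clock: time only moves when the simulation advances it."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate_patient_robot(pin: str, max_attempts: int = 40) -> dict:
    """Sequential robot (0000, 0001, ...) that waits out every lock-out.

    Returns attempts made, simulated seconds elapsed and whether it succeeded.
    A PIN found on attempt k costs 2**(k-1) - 1 s of waiting before that attempt.
    """
    clock = FakeClock()
    lock = PinLock(pin, clock)
    for attempt in range(1, max_attempts + 1):
        result = lock.try_unlock(f"{attempt - 1:04d}")
        if result == "OK":
            return {"attempts": attempt, "seconds": clock.now, "success": True}
        clock.advance(lock.seconds_until_retry())
    return {"attempts": max_attempts, "seconds": clock.now, "success": False}


if __name__ == "__main__":
    print("wait after 32 failures: %.1f years" % (cumulative_wait(32) / SECONDS_PER_YEAR))
    print("PIN 0019 found after", simulate_patient_robot("0019"))
```

Note that a lock-out only blocks the guessing channel it is applied to: the delay has to be enforced by the component that actually checks the PIN, not just by the UI, otherwise a robot (or an attached debugger) can bypass it.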


#6

I'm going to build a robot that punches the phone's owner repeatedly until it divulges the PIN.


#7

Assuming there is no lock out/phone reset set up for repeated failed attempts. Or an app set up to report the location of the repeated attempts to log in.


#8

Every numeric password in 19 hours. Right. Uh huh.

It would take 19 years for mine. Unlike iOS, Android isn't limited to 4 digits.


#9

No one here read the OP, right? That is so fun and clever!


#10

My method works on all models of phone.


#11

What makes you think iOS is limited to 4 digits?

Also did you see the part where even 4 digit iOS PINs can't be broken because of the increasing time delay?


#12

My two-year-old manages to activate the increasing time delay on my iPhone on a regular basis by mashing the unlock buttons to see what happens.


#13

iOS is not limited to 4 digits either (there is a setting to change it).


#14

That was mentioned in the BB post. That's what Apple does.


#15

This topic was automatically closed after 5 days. New replies are no longer allowed.