PIN-punching $200 robot can brute force every Android numeric screen-password in 19 hours

Justin Engler and Paul Vines will demo a robot called the Robotic Reconfigurable Button Basher (R2B2) at Defcon; it can work its way through every numeric screen-lock Android password in 19 hours. They built for for less than $200, including the 3D printed parts. It doesn't work on screen-patterns (they're working on that) nor on Ios devices (which exponentially increase the lockout times between unsuccessful password attempts). They're also whomping up new versions that can simulate screen-taps with electrodes, which will run much faster. They're also working on versions that can work against hotel-room safes, ATMs, and other PIN-pad devices. It's a good argument for a longer PIN (six-digit PINs take 80 days to crack), and for using robust and random PINs (26% of users use one of 20 PINs).

Engler and Vines built their bot, shown briefly in the video above, from three $10 servomotors, a plastic stylus, an open-source Arduino microcontroller, a collection of plastic parts 3D-printed on their local hackerspace’s Makerbot 3D printer, and a five dollar webcam that watches the phone’s screen to detect if it’s successfully guessed the password. The device can be controlled via USB, connecting to a Mac or Windows PC that runs a simple code-cracking program. The researchers plan to release both the free software and the blueprints for their 3D-printable parts at the time of their Def Con talk.

In addition to their finger-like R2B2, Engler and Vines are also working on another version of their invention that will instead use electrodes attached to a phone’s touchscreen, simulating capacitative screen taps with faster electrical signals. That bot, which they’re calling the Capacitative Cartesian Coordinate Brute-force Overlay or C3BO, remains a work in progress, Engler says, though he plans to have it ready for Def Con.

PIN-Punching Robot Can Crack Your Phone's Security Code In Less Than 24 Hours (Video) [Andy Greenberg/Forbes]

(via Hacker News)