"Brute force" and "robot" are two words we never want to hear used in conjunction, but here we are--a pair of security researchers recently built a robot using 3D-printed parts to hack the four digit pin codes many of us use to lock our smartphones. Okay, so a robot cracking passwords isn't quite as scary as, say, a robot cracking fingers. The robot is still a good demonstration of how easy it is to brute force a phone's lock screen.
R2B2, or Robotic Reconfigurable Button Basher, cost about $200 to put together. The password puncher is built from three $10 servos, an Arduino, some MakerBot-printed plastic parts, and a webcam that keeps an eye on the phone's screen. R2B2 can punch in the 10,000 possible combinations of a 0-9 four digit code in 19 hours and 24 minutes.
And that under-20-hours figure was with security limitations in place. By default, Android phones delay users from inputting a pin for 30 seconds after five wrong combinations. Not really much of a deterrent. With that 30 seconds baked in, it only takes R2B2 19 hours and 24 minutes to crack a password assuming that the very last pin tested is the correct one, and that all pins are created equal.
They aren't, of course. Forbes writes "Given that the robot’s software can be programmed to guess PINs in any order the user chooses, it may be able to crack phones far faster than that 20 hour benchmark. One analysis of common PINs showed that more than 26% of users choose one of twenty common PINs. If R2B2 is set to try easily-guessed PINs first, it could crack one in four Android users’ phones in less than five minutes, and half of those phones in less than an hour."
R2B2's creators want to show that four digit pins just aren't very secure. Granted, there are other ways to hack a phone that are even more expedient. And added security elements can shore up PIN weaknesses. iOS, for example, locks out users for much longer with repeated incorrect PIN attempts. But longer PINs would be substantially stronger--it could take R2B2 80 days to crack a six digit PIN.