If you are looking for an excuse that involves robots to sign up for MDM mobile security software like AlertBoot, look no further: researchers will be debuting a PIN-cracking robot at the 2013 DefCon in Las Vegas. The robot not only brute-forces your PIN, its schematics can be obtained for free and the necessary hardware can be 3D-printed.
It’s not scandalous at all. After all, wouldn’t it just be a physical manifestation of password-cracking software?
Robotic Reconfigurable Button Basher
Why create such a robot? Why upload instructions for creating it? According to an interview of the researchers at forbes.com:
“There’s nothing to stop someone from guessing all the possible PINs,” says Engler, a security engineer at San Francisco-based security consultancy iSec Partners. “We often hear ‘no one would ever do that.’ We wanted to eliminate that argument. This was already easy, it had just never been done before.”
I don’t know about “never been done before.” I’ve run across another robot that does the same thing, except it was cracking a safe and not a smartphone. Plus, the same forbes.com article has a video of a similar robot cracking the PIN on a Garmin GPS.
I’ll also have you know that yours truly has brute-forced a 5-wheel combination bicycle lock while watching all four seasons of Battlestar Galactica. The lock gave way in about 6 hours, although there are easier, faster ways. For example, the thief who stole my friend’s bicycle managed to bypass the same lock in 10 seconds using a bolt cutter.
Regardless, Engler is right. The argument does pop up quite often. And while some might point towards the use of a bolt cutter as an indication that “no one would ever do that,” the truth is that the bolt cutter is used because it works. When the only option is to punch in the correct PIN, that’s what people will attack. (Although, you can’t really discount the use of a bolt cutter when it comes to accessing smartphones).
Not All Devices Can Be Brute-forced
The researchers in the forbes.com article noted that not all devices would be susceptible to the robot’s attack. Apple’s iPads and iPhones, for example, feature rate-limiting by default. That’s when you have to wait increasing minutes between erroneous PIN entries. (Apparently, most Android devices don’t come with rate-limiting turned on.)
Furthermore, an even better form of security is found in the auto-wipe feature: enter the wrong PIN more than 10 times and the device’s contents are erased without any chance of recovery.
Because of the potentially disastrous nature of such a setting, however, it’s not turned on by default by any devices, as far as I know (the one exception might be BlackBerry devices; my memory fails me at the moment).
Thankfully, companies that are engaged in BYOD and COPE can turn on auto-wipe (well, technically, remote-wipe) on mobile devices by creating the correct policy in an MDM solution like AlertBoot Mobile Security.
This will further limit the chances of a data breach – unless the smartphone user decided to etch their PIN to the back of their device or some other nonsense.
Related Articles and Sites: