A few weeks ago I gave a talk at UnFUCK, a small university con from students for students. I had decided to give a short talk on “Owning Stuff via USB”, aka how to use our TR14 Badge! During the preparations and while building my demos, I tested my new USB Rubber Ducky. One rather “trivial” demo was actually to use it as a keyboard on an Android phone.
Android has supported USB OTG for quite a while now. Most people enjoy being able to connect a USB stick to a phone; some others might already have used a keyboard on a tablet. OTG lets a USB device play master (host) and hence connects two USB devices to each other. For this the fifth pin on a micro USB cable is used (it’s simply pulled down to ground). To use USB OTG you need both a special cable (micro USB to female USB A) and a master device with all the necessary drivers. Depending on the Android device and the client (USB stick/HDD, keyboard) you want to connect, you might need a rooted phone.
When trying the Rubber Ducky on Android for the first time, I had an S3, a Nexus 4, a Nexus 5 and an SE Xperia Z1. All of these devices detected the Ducky as a keyboard and I was able to write stuff on the phone. But I hadn’t aimed at “just typing text”; I wanted to type numbers, or rather PINs: one can use the external keyboard while unlocking the device. The Ducky’s user guide contains an example script for bruteforcing PINs on Android. But how?
- Type 0000
- Hit Return
- Wait 200ms
- Type 0001
- Hit Return
And so on? Not quite. You’ve only got five tries before a small window pops up and you’ll need to wait 30 seconds. Luckily, these 30 seconds never increase, and you always get five tries between your breaks.
- Five goes at typing and hitting return
- Wait 200ms
- Hit Return
- Wait 31 seconds
- Hit Space
- Wait 200ms
- Five goes at….
The extra return confirms the “Please wait 30 seconds” dialog and the space wakes up the device. I used a space because it won’t be printed into the PIN field, but it is a simple input which wakes up the phone and turns the screen back on. As we’re iterating, our worst case scenario on a four-digit PIN is 10000 tries.
Let’s Do the Maths
Each PIN try will take us something like 300ms, so it’s 300ms * 10000 tries, 3000 seconds or 50 minutes. Waiting every 5 tries means waiting 2000 times. Every wait block costs us 31.6 seconds, times 2000 is 61,200 seconds or 17 hours. So we’d need 18 hours to crack a 4 digit PIN.
For me, personally, 18 hours is nothing! Just imagine your phone was stolen during the trip home from work at 6PM: your data will be accessible by lunchtime the next day. 18 hours is a time frame in which you might not even have noticed the loss of your phone.
A few lengths in comparison
- 4 digits, 10000 tries, 18.4 hours
- 5 digits, 100000 tries, 7.7 days
- 6 digits, 1000000 tries, 77.3 days
- 10 digits, 10000000000 tries, 2.2k years
As you can see, even a 5-digit code is still breakable in a short time. And don’t forget: these are the worst case times. They assume we’re cracking something like “99999”, and they also include the fact that you don’t know how long the PIN actually is (you still have to try 4 and 5 digit PINs, even if it’s actually 6 digits long). I bet that just by sorting the numbers (trying numbers that represent dates since 1900 and certain patterns first) we could shorten the necessary time significantly.
A quick note: all these values are only correct if you know the length of the PIN; otherwise you’ll have to add the time you need for the shorter ones!
Something New on Samsung S3
On my private S3 running Android 4.3 (my first victim), I actually use a pattern to unlock. So to be able to crack a PIN, I had to remove the pattern, set a PIN and reset my pattern afterwards. While setting this pattern I was asked to enter a “recovery PIN” (in case I forget the pattern), which I had never even heard of (I can say that I’ve seen it in Android 4.3, but I can’t quite say when the feature was added). Being in bruteforce mode, I decided to just crack this PIN, too, just for fun. Sadly enough, the result was not very funny. The recovery PIN dialog does not contain any throttle. Now no throttle means:
- 4 digits, 10000 tries, 50 min
- 5 digits, 100000 tries, 9.2 hours
- 6 digits, 1000000 tries, 4.2 days
- 7 digits, 10000000 tries, 46.2 days
- 10 digits, 10000000000 tries, 168 years
So by using the pattern for convenience and the same PIN I’d otherwise be using, I’ve just reduced the necessary time for breaking into my phone by over 90%. Now that’s what I call optimization!
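The two tables above come from the same simple model: attempts cost about 300ms each, and the lock screen adds a 30-second lockout (31.6s including the confirm and wake keystrokes) after every five failures, while the recovery PIN dialog adds nothing. The following is an added example, not code from the post, that puts that model into a small risk calculator; it also goes one step further than the post and lets you model what an escalating (doubling, capped) lockout would have cost the attacker, which is the throttle the post notes Android did not have. The per-try and lockout figures are the post’s; the doubling policy is a constructed assumption for comparison, and the results land close to the post’s tables (the post rounds slightly differently).

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Throttle:
    """Lockout policy: after tries_per_block failures, wait block_wait_s.
    growth > 1 models an escalating lockout (capped at max_wait_s); the
    post's Android lock screen is the flat case, growth == 1."""
    tries_per_block: int
    block_wait_s: float
    growth: float = 1.0
    max_wait_s: float = 86400.0  # cap keeps g**k finite for growth > 1

# Figures from the post: 5 tries, then a 30 s dialog; with the extra return,
# space and 200 ms delays the author counts about 31.6 s per lockout block.
LOCKSCREEN = Throttle(tries_per_block=5, block_wait_s=31.6)
PER_TRY_S = 0.3  # typing the digits, return and a 200 ms delay

def lockout_seconds(blocks, t):
    """Total time spent in `blocks` consecutive lockouts under policy t."""
    w, g, cap = t.block_wait_s, t.growth, t.max_wait_s
    if g == 1.0:
        return blocks * w
    # Number of lockouts before the wait saturates at the cap.
    k = max(0, min(blocks, math.ceil(math.log(cap / w, g))))
    grown = w * (g ** k - 1) / (g - 1)  # geometric series w, w*g, ..., w*g^(k-1)
    return grown + (blocks - k) * cap

def worst_case_seconds(digits, throttle=LOCKSCREEN, per_try_s=PER_TRY_S):
    """Worst case for one known PIN length: every code up to 99...9 is tried."""
    tries = 10 ** digits
    total = tries * per_try_s
    if throttle is not None:
        total += lockout_seconds(tries // throttle.tries_per_block, throttle)
    return total

def cumulative_seconds(max_digits, min_digits=4, **kw):
    """Unknown length: the attacker has to exhaust every shorter length first."""
    return sum(worst_case_seconds(d, **kw) for d in range(min_digits, max_digits + 1))

def humanize(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} s"

if __name__ == "__main__":
    doubling = Throttle(5, 30.0, growth=2.0, max_wait_s=3600.0)  # constructed policy
    for d in (4, 5, 6, 10):
        print(d, "digits:", humanize(worst_case_seconds(d)), "| no throttle:",
              humanize(worst_case_seconds(d, None)), "| doubling:", humanize(worst_case_seconds(d, doubling)))
```

Passing `throttle=None` reproduces the recovery PIN table, and `cumulative_seconds` gives the “unknown length” figures the note above refers to.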
What do these new durations mean for us? Assume you’re at an awesome security con and leave your mobile at the hotel, “for security reasons”. Now 50 minutes is the time you need to reach the venue, have a coffee, a few snacks for breakfast and a nice little chat. Your very own evil maid will have started owning your phone just after you’ve left your hotel room! At the 5-digit-PIN mark, or 9.2 hours, you’ll have enjoyed a great day of talks and are just having your dinner. So, yet again, you’ve just lost all your data without even wasting a single thought on your phone’s whereabouts. If the conference started on Monday/Tuesday, 4.2 days is the time window in which you don’t come back to your room (or at least not in a “conscious” state, due to all the new knowledge you’ve collected!). Finally, not even your 6 digit PIN was able to protect your data during a single conference.
Checking my other victim devices, it turned out that only my S3 had this recovery PIN in place...
For the Future
If you’re using a PIN to lock your Android phone, use more than 4 digits! As you’ve seen, 6 digits is a start, but doesn’t promise sufficient safety. So either go longer, or head for an alphanumeric solution. If using a phone with pattern and recovery PIN, take a really long recovery PIN! Long as in 10+ random digits.