Android PIN Code Analysis

Android lockscreen series

  1. Tricking the Biometric Sensor on an Android Phone
  2. Android PIN Code Analysis
  3. Android Lock Screen Pattern Analysis

PIN Code

The PIN code lock on an Android device allows a user to set a code between 4 and 16 digits long. To unlock the device the PIN code has to be entered on the lock screen, which then unlocks and decrypts the device. By default the user has an unlimited number of tries to guess the code, which presents the possibility of acquiring the PIN code via a brute-force attack. However, after entering the wrong PIN code 5 times the device prevents the user from entering another code for 30 seconds. The lockout behaviour can be vendor specific: on the devices used for the experiments in this project the timeout is 30 seconds after every 5 wrong codes for the first 10 attempts, after which it is 30 seconds after every single wrong attempt. This drastically affects the time a brute-force attack on the PIN code would take.

Android supports USB On-The-Go (OTG), which makes it possible to connect a Human Interface Device (HID) such as a keyboard. With a keyboard connected, the PIN code can be entered from the external keyboard without interacting with the screen of the device [1], which reduces the time between each PIN code input. Making use of this functionality, a device such as an Arduino or a Raspberry Pi can be programmed to emulate a HID keyboard, and a program running on it can automate the PIN code input process with no human interaction [3][4].
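As an added example (not code from this project), the following shows what an emulated HID keyboard actually sends when it types a PIN and presses Enter: one USB boot-keyboard report per key press, each followed by a release report. The keycodes are the standard HID keyboard/keypad usage IDs; the /dev/hidg0 device path and the USB gadget setup on a Raspberry Pi are assumptions and are only used by the hardware-dependent send_pin function.

```python
"""Build USB HID boot-keyboard reports that type an Android PIN followed by Enter.

Added example, not the project's own code. On a Raspberry Pi configured as a USB
keyboard gadget the reports would be written to /dev/hidg0 (assumed path; the
gadget configuration itself is out of scope here).
"""
import time
from typing import List

# HID Usage Tables, keyboard/keypad page: '1'..'9' are 0x1E..0x26, '0' is 0x27,
# Enter is 0x28. Digits are all that an Android PIN needs.
HID_KEYCODES = {str(d): 0x1E + d - 1 for d in range(1, 10)}
HID_KEYCODES["0"] = 0x27
HID_KEYCODES["\n"] = 0x28  # Enter, to submit the PIN

REPORT_LEN = 8               # boot protocol: modifier, reserved, 6 key slots
RELEASE = bytes(REPORT_LEN)  # all-zero report: no key pressed


def key_report(keycode: int) -> bytes:
    """One report with a single key pressed and no modifier keys."""
    return bytes([0, 0, keycode, 0, 0, 0, 0, 0])


def pin_reports(pin: str) -> List[bytes]:
    """Press/release report pairs that type `pin` and then Enter.

    Every press is followed by a release report; without it two equal digits
    in a row (e.g. "11") would be seen by the host as one key held down.
    """
    if not pin.isdigit() or not 4 <= len(pin) <= 16:
        raise ValueError("Android PINs are 4 to 16 digits")
    reports = []
    for ch in pin + "\n":
        reports.append(key_report(HID_KEYCODES[ch]))
        reports.append(RELEASE)
    return reports


def send_pin(pin: str, device: str = "/dev/hidg0", delay_s: float = 0.02) -> None:
    """Write the reports to the USB gadget HID device (requires the hardware).

    The small delay between reports keeps the key events from being dropped
    by the host; tune it for the target device.
    """
    with open(device, "wb", buffering=0) as hid:
        for rep in pin_reports(pin):
            hid.write(rep)
            time.sleep(delay_s)


if __name__ == "__main__":
    # Print the raw reports for a constructed sample PIN instead of sending them.
    for rep in pin_reports("1234"):
        print(rep.hex())
```

The same report builder feeds a brute-force or dictionary loop: generate the next candidate, call send_pin, and wait out the lockout before the next one.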

The minimum PIN code length is 4 digits, which gives 10,000 possible PIN code combinations (C). A brute-force attack against a stock (standard) Android device with a 4-digit PIN code and a 30 second timeout (T) after every 5 attempts (A) would take approximately:

Equation 1: t = (C / A) · T = (10,000 / 5) · 30 s = 60,000 s ≈ 16.6 hours

to try every single combination of 4-digit PIN codes. This is not an unreasonable amount of time to spend on unlocking a device in a forensic investigation. It is the time needed to try every single 4-digit combination, so in practice the attack will end in less than 16.6 hours unless the correct PIN code happens to be at the very end of the search order (e.g. 9999 when starting at 0000); on average it is found after half the search space. However, the OnePlus 3 device used in this project is by default configured so that, after 10 wrong attempts, the 30 second timeout is activated after every wrong attempt, i.e. A = 1 in Equation 1. This additional wait time between attempts greatly increases the time of the brute-force attack, to ≈ 83.3 hours, indicating that this method is highly vendor/device specific.

For PIN codes with 5 or more digits the runtime of a brute-force attack starts to get unreasonably high, reaching ≈ 166.6 hours or ≈ 833.3 hours respectively for the two earlier calculations, and every additional digit multiplies the time by ten. Table 1 shows that for this attack to work on a device with a PIN code of 5 digits or more, optimizations have to be made for it to be an efficient and compelling approach.

Digits      Combinations   Time (stock, A = 5)   Time (OnePlus 3, A = 1)
4 digits    10,000         16.6 hours            83.3 hours
5 digits    100,000        166.6 hours           833.3 hours
6 digits    1,000,000      1,666.6 hours         8,333.3 hours
16 digits   10¹⁶           ≈ 1.9⋅10⁹ years       ≈ 9.5⋅10⁹ years

Table 1: PIN code combinations and worst-case times for a brute-force attack (Equation 1 with T = 30 s; the 16-digit row is 6⋅10¹⁶ s and 3⋅10¹⁷ s of lockout time respectively)

Optimization

Instead of using a pure brute-force method that tests every PIN code in sequence, a more optimized approach can be used. Given a large dataset of PIN codes, all possible combinations can be sorted from most to least frequently used. Such datasets have been compiled from data leaked in previous hacks or from independent studies. Daniel Amitay's list [4] of the most frequent 4-digit PIN codes and the well-known list derived from the RockYou data leak [5] are two examples of datasets that can be used for this purpose. In principle this transforms the attack from a brute-force attack into a dictionary attack. Working through the most frequently used PIN codes first will in many cases find the correct code significantly faster, and this type of attack can in theory be applied to any PIN code length, provided that a sample dataset exists [3]. The gain depends on how well the dataset represents the target population: a PIN that is not in the list costs the extra attempts spent on the list before the remaining space is searched.

References

