Following on from our last blog post, it might be worth explaining a little about how poor system design compromises security.
A well-designed security system will be hard to exploit, even with the latest technology. However, short-sighted system designers (and by “system” we just mean anything that works with something else) often don’t consider various factors that they should.
A human would be unlikely to sit and try a code with a 30 second time out for a full day. Even if they did, with toilet and meal breaks, and the occasional checking of email, you’d expect them to do an 8 hour shift, then come back the next day, even if they were some kind of monk who could cope with the boredom via meditation.
A small robot, on the other hand, will work at it forever. To paraphrase Kyle Reese (Sergeant, Tech-Comm DN38416): “It can’t be bargained with. It can’t be reasoned with. It doesn’t feel pity, or remorse, or fear. And it absolutely will not stop, ever, until your password security is dead.”
A few examples of clever things people have done follow:
- Small robots that imitate the finger presses on touchscreen GPSs to input the PIN “manually” thousands of times – and, of course, with only 4 digits the most presses it could ever take is 10,000. With 5 entries and a 30 second time out, or ten per minute, it only has to run for 10,000 minutes, or 166.66 hours, which is almost exactly 7 days. http://hackaday.com/2013/01/05/brute-forcing-a-gps-pin/
- A microcontroller simulating a keyboard on Android, plugged into the device. It simply sends the simulated key presses, then attempts to send an email from the device with the last entered code, which, of course, will only work if the device is unlocked. http://www.bbrotherton.com/main/androidpinbruteforce
- A similar attack on iPhone, but which manages to bypass the time-out entirely due to poor design! http://hackaday.com/2013/06/07/ios-keyboard-exploit-allows-brute-force-ipad-lock-screen-attack/
- Brute forcing the XBOX 360 parental controls, again with a microprocessor. This one has no time out anyway, so takes at most 17 hours. http://hackaday.com/2013/07/06/brute-force-attack-xbox-360-parental-controls/
- Brute forcing an electronic fire safe. By cutting the power after each timeout starts, it “forgets” and grants another 3 tries. The addition of a relay to toggle the power allows the microcontroller to test all possible 5 digit PINs in far less than the 140 days it should take according to the designer’s plans. http://forums.hackaday.com/viewtopic.php?f=3&t=3040
(And, of course, it isn’t just electronic devices that can be beaten like this. Years ago, people developed machines to test all possible combinations on a mechanical dial lock. These are called autodiallers, and you can see a video here. But, of course, a mechanical system can’t “remember” that it has been brute forced, and so they tend to rely on a far larger keyspace. These devices take around 3 days to open a typical container, and sometimes far longer.)
Ironically, though a digital system is “intelligent” inasmuch as it should be trivial to add a counter so that, after (say) 1000 attempts, the device wipes itself then bricks itself, far too few systems do this. Another option would be an increasing time-out. Adding a 5-second penalty each time the PIN was wrongly entered would make a brute force attack entirely impossible. Of course, you could also add a timer so that after a day, it allowed the penalty to reset, so that should someone be happy to keep trying on their own device, they can, while still making a brute force impossible. (Just watch out for someone resetting that time-out!)
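The counter, growing time-out and daily reset described above, as an added example in C that is not from the original post or any of the linked projects. The `nv_state` struct, the function names and the sample PIN are hypothetical, and the example combines the wipe counter with the time-out although the post offers them as alternatives. It assumes the state lives in storage that survives power loss and that `now_s` comes from a clock an attacker cannot set forward.

```c
#include <stdbool.h>
#include <stdint.h>
#define PENALTY_STEP_S 5u      /* page: +5 s per wrong PIN */
#define WIPE_AFTER     1000u   /* page: wipe after (say) 1000 attempts */
#define RESET_AFTER_S  86400u  /* page: penalty resets after a day */

/* Hypothetical stand-in for non-volatile storage that survives power loss. */
typedef struct {
    uint32_t pin;
    uint32_t streak;       /* wrong tries since the last reset; sets the delay */
    uint32_t lifetime;     /* wrong tries since the last correct PIN; sets the wipe */
    uint64_t last_fail_s;  /* clock reading at the last charged attempt */
    bool     wiped;
} nv_state;

typedef enum { PIN_OK, PIN_WRONG, PIN_LOCKED, PIN_WIPED } pin_result;

/* A clock that ran backwards counts as 0 elapsed, so it cannot cut the lockout. */
static uint64_t elapsed_s(const nv_state *nv, uint64_t now_s) {
    return now_s > nv->last_fail_s ? now_s - nv->last_fail_s : 0;
}

/* Seconds still to wait before another attempt is accepted. */
uint64_t wait_remaining(const nv_state *nv, uint64_t now_s) {
    uint64_t e = elapsed_s(nv, now_s);
    uint64_t penalty = (uint64_t)nv->streak * PENALTY_STEP_S;
    return (e >= RESET_AFTER_S || e >= penalty) ? 0 : penalty - e;
}

pin_result try_pin(nv_state *nv, uint32_t guess, uint64_t now_s) {
    if (nv->wiped) return PIN_WIPED;
    if (wait_remaining(nv, now_s) > 0) return PIN_LOCKED;
    if (elapsed_s(nv, now_s) >= RESET_AFTER_S) nv->streak = 0;
    /* Charge the attempt before comparing, so cutting power during the
       check cannot refund the try (the fire-safe flaw). */
    nv->streak++; nv->lifetime++;
    nv->last_fail_s = now_s;
    if (guess == nv->pin) { nv->streak = nv->lifetime = 0; return PIN_OK; }
    if (nv->lifetime < WIPE_AFTER) return PIN_WRONG;
    nv->wiped = true;      /* real firmware would erase user data here */
    return PIN_WIPED;
}

int main(void) {
    nv_state nv = { .pin = 4821 };   /* constructed sample PIN */
    try_pin(&nv, 1111, 100);         /* one wrong guess at t=100 s */
    return wait_remaining(&nv, 100) == 5 ? 0 : 1;
}
```

Because the daily reset clears only `streak`, an attacker who waits out each day still runs into the `lifetime` limit.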
One of the great features of the BlackBerry smartphones is that they are designed to be more secure, and as such, even a 4 digit PIN is secure against this sort of attack. After a few failed entries, the device pops up a challenge, as well as having time-outs, and, in the settings, you can add a condition that wipes the device securely after a set number of failed attempts.
If a few more system designers looked at this page, and realised how cunning some attackers are, they could easily make their systems far more secure.