3D-printed 'Robotic Button Basher' cracks phones' PINs using persistence, luck

Created by Justin Engler and Paul Vines, the bot simply guesses all the possible PIN combinations

Click to follow
The Independent Tech

It's not the most high-tech threat to your phone but it is 100 per cent effective: the Robotic Reconfigurable Button Basher (R2B2) cracks the PIN number safeguarding your phone by simply trying every possible combination.

Created by security researchers Justin Engler and Paul Vines for Def Con - the hacker conference hosted in Las Vegas - the R2B2 costs around $200 and can crack a PIN code in around 20 hours.

Of course, anyone could crack a PIN code in this way (there's only 10,000 possible combinations - you just have to try them all) but why waste your time when cheap robot labour can do the job for you?

Speaking to Forbes Engler and Vines described how they constructed the bot from a combination of off-the-shelf and 3D printed components. An open-source Arduino controller; a couple of $10 servomotors; a webcam to see when the robot succeeds, and some 3D-printed parts from the pair's local hackerspace were all it took.

Although running every combination takes nearly a full day, researchers have shown that 26% of smartphone users use one of twenty most common PIN codes - either sequential codes (1234 is the most common), repeated digits (1111 and the like) or 'patterned' numbres (the cruciform 2468 or 'straight down the middle' 2580).

R2B2 did hit a problem with iPhones however, as iOS delays the user for each incorrect PIN they enter, leaving would-be thieves (or impatient robots) waiting hours before they can try again.

Still, Engler and Vines say the point of the project is simply to highlight how insecure four-digit PIN codes are. They're currently working on a version of their machine that will latch onto cash machines, as well as developing a version that uses electrodes instead of a 'finger' to work the touch pad. Dubbed Capacitative Cartesian Coordinate Brute-force Overlay (C3BO for short), this next-gen button basher should be revaled come Def Con next month.