AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security


BYOD Mobile Security: Researchers Create PIN-Cracking Robot

If you are looking for an excuse that involves robots to sign up for MDM mobile security software like AlertBoot, look no further: researchers will be debuting a PIN-cracking robot at the 2013 DefCon in Las Vegas.  The robot not only brute-forces your PIN, its schematics can be obtained for free and the necessary hardware can be 3D-printed.

It's not scandalous at all.  After all, wouldn't it just be a physical manifestation of password-cracking software?

Robotic Reconfigurable Button Basher

Why create such a robot?  Why upload instructions for creating it?  According to an interview of the researchers at forbes.com:

"There's nothing to stop someone from guessing all the possible PINs," says Engler, a security engineer at San Francisco-based security consultancy iSec Partners. "We often hear 'no one would ever do that.' We wanted to eliminate that argument. This was already easy, it had just never been done before."

I don't know about "never been done before."  I've run across another robot that does the same thing, except it was cracking a safe and not a smartphone.  Plus, the same forbes.com article has a video of a similar robot cracking the PIN on a Garmin GPS.

I'll also have you know that yours truly has brute-forced a 5-wheel combination bicycle lock while watching all four seasons of Battlestar Galactica.  The lock gave way in about 6 hours, although there are easier, faster ways.  For example, the thief who stole my friend's bicycle managed to bypass the same lock in 10 seconds using a bolt cutter.

Regardless, Engler is right.  The argument does pop up quite often.  And while some might point towards the use of a bolt cutter as an indication that "no one would ever do that," the truth is that the bolt cutter is used because it works.  When the only option is to punch in the correct PIN, that's what people will attack. (Although, you can't really discount the use of a bolt cutter when it comes to accessing smartphones).

Not All Devices Can Be Brute-forced

The researchers in the forbes.com article noted that not all devices would be susceptible to the robot's attack.  Apple's iPads and iPhones, for example, feature rate-limiting by default: you have to wait an increasing number of minutes between erroneous PIN entries. (Apparently, most Android devices don't come with rate-limiting turned on.)

Furthermore, an even better form of security is found in the auto-wipe feature: enter the wrong PIN more than 10 times and the device's contents are erased without any chance of recovery.

Because of the potentially disastrous nature of such a setting, however, it's not turned on by default on any device, as far as I know (the one exception might be BlackBerry devices; my memory fails me at the moment).

Thankfully, companies that are engaged in BYOD and COPE can turn on auto-wipe (well, technically, remote-wipe) on mobile devices by creating the correct policy in an MDM solution like AlertBoot Mobile Security.

This will further limit the chances of a data breach – unless the smartphone user decided to etch their PIN to the back of their device or some other nonsense.
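
To put numbers on the rate-limiting and auto-wipe settings discussed above, here is an added example (not from the original post or from AlertBoot) that models the worst case of trying every PIN against a lock-screen policy. The 6-second attempt time and the delay schedule are constructed values, not measurements of the robot or of any real device, and `wipe_after=10` approximates the ten-attempt wipe described above.

```python
from fractions import Fraction


def forced_wait(failures, schedule):
    """Seconds the device enforces after `failures` wrong PINs in a row.

    `schedule` is a list of (failure_threshold, wait_seconds) pairs; the
    pair with the highest threshold already reached applies.
    """
    wait = 0
    for threshold, seconds in sorted(schedule):
        if failures >= threshold:
            wait = seconds
    return wait


def evaluate(pin_digits, seconds_per_try, schedule=(), wipe_after=None):
    """Return (tries possible, worst-case seconds, share of PINs covered)."""
    keyspace = 10 ** pin_digits
    tries = keyspace if wipe_after is None else min(keyspace, wipe_after)
    total = 0
    for n in range(1, tries + 1):
        total += seconds_per_try
        if n < tries:  # a wait only matters if another attempt follows
            total += forced_wait(n, schedule)
    return tries, total, Fraction(tries, keyspace)


# Constructed policy values for illustration only.
SECONDS_PER_TRY = 6
SCHEDULE = [(5, 60), (8, 900), (10, 3600)]  # (failures, forced wait in s)

if __name__ == "__main__":
    policies = {
        "no controls": {},
        "rate-limiting": {"schedule": SCHEDULE},
        "rate-limiting + wipe": {"schedule": SCHEDULE, "wipe_after": 10},
    }
    for name, kwargs in policies.items():
        tries, secs, share = evaluate(4, SECONDS_PER_TRY, **kwargs)
        print(f"{name:22} tries={tries:5} worst-case={secs / 3600:9.1f} h "
              f"PINs covered={float(share):.1%}")
```

Under these assumptions a 4-digit PIN with no controls falls within a day, rate-limiting alone stretches the worst case past a year, and the wipe caps the share of PINs that can ever be tried at 0.1%.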

Related Articles and Sites:
http://it.slashdot.org/story/13/07/23/132253/pin-cracking-robot-to-be-showed-off-at-defcon
http://www.forbes.com/sites/andygreenberg/2013/07/22/pin-punching-robot-can-crack-your-phones-security-code-in-less-than-24-hours/

 

 
About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.