
This Raspberry Pi-powered LEGO robot brute-force attacked an iPhone to find out what PIN codes are blacklisted


Certain PIN codes are blacklisted on iOS. For example, iOS recommends you don’t use 0000 or 0011, but doesn’t have a problem with 0001 or 1001. But which combinations of numbers are blacklisted, and does having this blacklist improve security?

Also, is a six-digit PIN better than a four-digit PIN?

Security researchers Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Dürmuth, and Adam J. Aviv decided to find out and enlisted the help of a robot built from LEGO parts and a Raspberry Pi to extract a list of blocked four- and six-digit PIN codes.

The first problem that the researchers had to overcome is that iOS uses rate-limiting to prevent hammering it with PIN codes. However, this protection is not in place during the initial setup process.

Using this information, the researchers constructed a device to automate PIN code entry using LEGO bricks, and a Raspberry Pi equipped with a camera. The “robot,” which is connected to the iPhone via the Lightning port, emulates a USB keyboard. A PIN is entered, and the camera takes a photo of the iPhone screen.

Raspberry Pi-powered LEGO robot


https://this-pin-can-be-easily-guessed.github.io/

The photo is then processed to determine whether the PIN code is allowed or blacklisted.


It turns out that Apple has blacklisted 274 four-digit PINs and 2,910 six-digit PINs.

But does this improve security? According to the researchers, no, because the blacklists are too small, and iOS allows users to choose to use blacklisted PIN codes.

“We find that relatively small blacklists in use today by iOS offer little or no benefit against a throttled guessing attack,” the researchers wrote. “Security gains are only observed when the blacklists are much larger, which in turn comes at the cost of increased user frustration. Our analysis suggests that a blacklist at about 10% of the PIN space may provide the best balance between usability and security.”

The researchers also found that six-digit PIN codes are not much more effective than four-digit PINs because of the numbers users choose.

“Our study found there is little benefit to longer 6-digit PINs as compared to four-digit PINs. Our participants tended to select more-easily guessed six-digit PINs when considering the first 40 guesses of an attacker.”

The findings, along with the blacklists, a parts list, and the code to build your own blacklist-extracting robot, can be found at https://this-pin-can-be-easily-guessed.github.io/.


