1 00:00:00,370 --> 00:00:04,390 JUSTIN ENGLER: My name is Justin Engler, I'm a senior security engineer at iSEC partners. 2 00:00:04,390 --> 00:00:11,390 This is Paul Vines. He's a security engineering intern for us. We both work for iSEC partners 3 00:00:12,559 --> 00:00:17,730 and we are here to talk about automated PIN tracking. We will talk about R2B2, which you 4 00:00:17,730 --> 00:00:24,730 can see here moving on the stage. You won't see C3BO and we will talk about why. 5 00:00:25,430 --> 00:00:29,350 So quickly we are going to go over what your approach would be if you neat to brute force 6 00:00:29,350 --> 00:00:35,030 something like this. We will talk about the robots we built to do it and then we'll talk 7 00:00:35,030 --> 00:00:40,249 about countermeasures and how the robots stack up against countermeasures. 8 00:00:40,249 --> 00:00:46,320 So everyone here know what a PIN is. Anyone never heard of a PIN? Okay. Good. 9 00:00:46,320 --> 00:00:52,449 So if you need to get into something that has PIN protection, so bypass whatever the 10 00:00:52,449 --> 00:00:57,429 PIN is blocking you from doing, you have a few options. One, you could do a software 11 00:00:57,429 --> 00:01:03,809 approach, where maybe you jailbreak the device. You have a jaildevice and you hack the app 12 00:01:03,809 --> 00:01:10,710 to remove the protection. This is your best plan. It's usually quicker and usually a more 13 00:01:10,710 --> 00:01:16,030 direct route to do what you want to do. If for some reason you can't do the software 14 00:01:16,030 --> 00:01:21,750 approach, the next best approach is the hardware attack. Our example here is keyboard emulation. 15 00:01:21,750 --> 00:01:28,750 Darren Kitchen at Hat 5, he plugs into USB Rubber ducky and does something similar. Other 16 00:01:30,610 --> 00:01:37,610 hardware attacks are a good second choice. The last thing you should try to do, if you 17 00:01:39,500 --> 00:01:45,540 have no other options is to brute force the UI itself which is what we are doing. 18 00:01:45,540 --> 00:01:50,760 I'm a security consultant, so I often work on engagements that have a set time period 19 00:01:50,760 --> 00:01:55,010 and I don't have time to sit and brute force out a PIN. 20 00:01:55,010 --> 00:01:59,610 It would take too long when I'm supposed to be doing other things. So the next option 21 00:01:59,610 --> 00:02:02,490 is to get an intern to ‑‑ (Laughter) 22 00:02:02,490 --> 00:02:09,490  ‑‑ do the button pushing for you. (Applause) 23 00:02:09,640 --> 00:02:15,400 So you could have an intern just sit and push the buttons but sometimes interns do things 24 00:02:15,400 --> 00:02:19,549 wrong and we don't really have any way to guarantee that the intern gets it right. My 25 00:02:19,549 --> 00:02:23,549 boss Andrew really loves his coffee and if I take his intern to push buttons all the 26 00:02:23,549 --> 00:02:27,549 time, he won't get his coffee and I don't want to get fired for that. 27 00:02:27,549 --> 00:02:32,680 A much better plan is to hire an intern and help him build the robot, to push the buttons 28 00:02:32,680 --> 00:02:39,319 and then he still has time for coffee later. So in order to build a robot to crack a PIN, 29 00:02:39,319 --> 00:02:44,659 you have a few things you need to do. You have to actuate the interface. You need to 30 00:02:44,659 --> 00:02:48,719 make the device make this think that the button was pushed. You have to keep track of where 31 00:02:48,719 --> 00:02:53,400 you are on the list of all the PINs and you need to usually figure out whether you were 32 00:02:53,400 --> 00:02:57,590 successful or not. There's some cases where you just need the device open and you don't 33 00:02:57,590 --> 00:03:00,409 care what the PIN was. In that case, you could do something even 34 00:03:00,409 --> 00:03:04,999 simpler than what we're doing, have them run through it all and keep going after that. 35 00:03:04,999 --> 00:03:09,349 By the time you have come back, after you went away for the weekend or whatever, then 36 00:03:09,349 --> 00:03:12,769 the device should still be unlocked because someone has been sitting the screen the whole 37 00:03:12,769 --> 00:03:18,060 time but you don't know what the actual PIN is. We are doing a little better than that. 38 00:03:18,060 --> 00:03:25,060 So this thing is a delta robot. That's at general class of robot that this is. Delta 39 00:03:25,450 --> 00:03:29,620 robots were originally for industrial work in the '80s. They are still used for that 40 00:03:29,620 --> 00:03:36,620 stuff today. There's a few rotational motors that through some math that we'll talk about 41 00:03:36,889 --> 00:03:43,889 can turn rotational movement into X, Y, and Z movement. It's also very fast, but it doesn't 42 00:03:45,739 --> 00:03:49,840 have a lot of torque or lifting power, but we don't care about those things. It seems 43 00:03:49,840 --> 00:03:54,189 like a good choice for us. I said it's fairly simple to do the math, 44 00:03:54,189 --> 00:03:59,650 but there are a lot of maths involved. ISEC is owned by NCC group which is a company in 45 00:03:59,650 --> 00:04:06,040 the UK and so maths are plural. That's why there's a bunch of them. The good news for 46 00:04:06,040 --> 00:04:11,870 us is that we like open source and open projects and not only do you not need to do the math 47 00:04:11,870 --> 00:04:17,560 but we actually didn't need to do the math either. We found a guy named Dan Royer had 48 00:04:17,560 --> 00:04:23,310 done a lot of this work for us in setting up a delta robot that did most of what we 49 00:04:23,310 --> 00:04:30,310 wanted to do. He already had source code that would do the inverse kinematics. 50 00:04:35,990 --> 00:04:41,690 He also had 3D printed schematics and everything. He open sourced most of it. So ‑‑ and 51 00:04:41,690 --> 00:04:46,150 he actually sells it as a kit this one you are seeing here is built out of mostly his 52 00:04:46,150 --> 00:04:53,150 kit parts. The one that Paul built, which is in the hotel room right now is actually 53 00:04:53,520 --> 00:04:57,870 completely built by us. We didn't want to be held hostage to them not selling it anymore. 54 00:04:57,870 --> 00:05:03,150 So we did build it from scratch from all other parts and it all works fine. 55 00:05:03,150 --> 00:05:08,580 ' essentially what we have is an Arduino, we have the physical parts of the robot and 56 00:05:08,580 --> 00:05:13,750 we have a computer and the computer is talking over serial to the Arduino and the robot knows 57 00:05:13,750 --> 00:05:20,750 how to move around. So the original kit was missing a few things. It was kind of an empty 58 00:05:21,139 --> 00:05:28,139 head. We added a stylus to the tip and just adding a stylus makes it not work. You have 59 00:05:28,190 --> 00:05:34,740 to ground it because the capacity of touch screen thinks what it is, is a change in capacitance. 60 00:05:34,740 --> 00:05:41,430 We added a camera. So that helps us for configuration. We won't have time to show it to you now. 61 00:05:41,430 --> 00:05:45,990 We can show it to you later. It is set up to recognize when the screen has changed because 62 00:05:45,990 --> 00:05:52,990 that means we successfully unlocked it. We are around moving at five presses per second 63 00:05:54,099 --> 00:05:58,789 but you notice there's a delay after each of the five. Most of the numbers I will talk 64 00:05:58,789 --> 00:06:04,759 about assume that you can do one full P.I.N. So that's four or five presses in a second. 65 00:06:04,759 --> 00:06:09,939 There's some camera code that we can maybe modify to get rid of that delay in the middle. 66 00:06:09,939 --> 00:06:13,930 So all of that stuff is done. We need to make some Python that makes it all work. We have 67 00:06:13,930 --> 00:06:20,930 a serial control, and Python makes that easy. We used open CV to analyze the stuff on the 68 00:06:21,550 --> 00:06:27,590 camera, and we have an easy interface for calibrating where all the buttons are. We 69 00:06:27,590 --> 00:06:32,370 originally tried to calibrate the buttons, it's too hard. Don't believe computer vision 70 00:06:32,370 --> 00:06:37,349 people when they say they can recognize anything anywhere. It's not true. 71 00:06:37,349 --> 00:06:42,659 And lastly, it can detect ‑‑ you tell it where on the screen you want to say if 72 00:06:42,659 --> 00:06:46,960 this part changes, then we definitely unlocked and then we watch for that to change and when 73 00:06:46,960 --> 00:06:53,960 it happens, then we know that we are done. So, we talked a minute ago about how you have 74 00:06:54,639 --> 00:07:00,919 to ground the stylus to make it detect the touch. So at some point when I was working 75 00:07:00,919 --> 00:07:06,069 on this, I realized, well, why don't we just ‑‑ you missed a pin. 76 00:07:06,069 --> 00:07:11,389 Why don't we just hook up a bunch of wires to the screen on the buttons and then ground 77 00:07:11,389 --> 00:07:15,719 them selectively and then we don't need any moving parts. So you use a microcontroller, 78 00:07:15,719 --> 00:07:20,979 connected to relays to trigger those in place, that will then cause the touches to appear 79 00:07:20,979 --> 00:07:25,370 on the screen. And you don't need any moving parts. You don't need this complicated calibration. 80 00:07:25,370 --> 00:07:31,520 All you need to do is fire off the Python, which fires the relays and it all works, except 81 00:07:31,520 --> 00:07:34,090 it doesn't work. (Laughter). 82 00:07:34,090 --> 00:07:38,979 So the problem in my particular case, the relays that I selected, have enough capacitance 83 00:07:38,979 --> 00:07:43,099 by themselves that once you hook it up, even if the relay is open, the screen sees it as 84 00:07:43,099 --> 00:07:47,870 a touch. I don't know anything about electronics. Does anyone here have an idea of what's wrong 85 00:07:47,870 --> 00:07:54,870 and how to fix it? Raise your hands. AUDIENCE MEMBER: Try an isolater. 86 00:07:54,889 --> 00:07:57,889 JUSTIN ENGLER: There are all types of things we can try. 87 00:07:57,889 --> 00:08:04,889 If we can get it fixed at DEF CON, I will give someone a full R2B2 if we have C3BO working 88 00:08:04,909 --> 00:08:11,909 by the end of the time. So talking generally about brute forcing stuff. 89 00:08:12,939 --> 00:08:19,840 We don't want to just naively go through and start with 0000 and then go 0001. We got it ‑‑ 90 00:08:19,840 --> 00:08:26,069 we cracked the P.I.N. So what's the PIN? 91 00:08:26,069 --> 00:08:30,830 (Applause) We're looking for it. 92 00:08:30,830 --> 00:08:37,830 PAUL VINES: Was it 7777? JUSTIN ENGLER: 7777? 9977. 93 00:08:40,100 --> 00:08:47,100 PAUL VINES: Okay it was right before that. JUSTIN ENGLER: We have it multi‑threaded. 94 00:08:49,089 --> 00:08:55,139 It's starting the next run before it's analyzed the picture. So we can narrow it down but 95 00:08:55,139 --> 00:08:58,820 sometimes we are off by one. We actually saved the list of all the times 96 00:08:58,820 --> 00:09:03,870 we think we got it. So if we did get it wrong, then you can go back and try the next, you 97 00:09:03,870 --> 00:09:10,870 know, few up. So we almost got it. So as I was kind of alluding to when I was 98 00:09:11,500 --> 00:09:17,010 talking to Sebastian, we don't go in kind of stupid order from 0000 to 9999. There was 99 00:09:17,010 --> 00:09:24,010 a guy named Nick Berry that did an analysis based on leaked password files to try to figure 100 00:09:25,000 --> 00:09:32,000 out which PIN would be the most common. And he had some really cool, like, data visualizations 101 00:09:32,050 --> 00:09:36,570 but he wouldn't release his raw data but what he did wasn't complicated and we did the same 102 00:09:36,570 --> 00:09:43,570 thing. So we have the password list for that. It's 103 00:09:45,300 --> 00:09:50,600 included in the stuff we are going to submit you to guys, so you can do this too. There's 104 00:09:50,600 --> 00:09:56,680 also a guy named Daniel Amate. His was a little different. He wrote an app for the IOS that 105 00:09:56,680 --> 00:10:01,060 goes through and, like, lets someone add an extra lock screen to their phone and then 106 00:10:01,060 --> 00:10:04,730 he collected the PINs that people were using for that and did ‑‑ 107 00:10:04,730 --> 00:10:08,399 (Laughter). Aggregate statistics about those. 108 00:10:08,399 --> 00:10:14,100 So we asked him for his data and he graciously provided it. It turns out it's a little different 109 00:10:14,100 --> 00:10:18,350 than the data that's just from password lists because those are from people that are usually 110 00:10:18,350 --> 00:10:25,029 sitting at a computer. And so those guys don't do things as much where the position of the 111 00:10:25,029 --> 00:10:31,300 buttons matters. So 2580 is much more common in Dan's list than in the other lists, because 112 00:10:31,300 --> 00:10:37,610 it's just straight down the screen, also corners. Anything else that makes a pattern or uses 113 00:10:37,610 --> 00:10:43,220 the letters. So another one that's popular is the one that spells out "love." 114 00:10:43,220 --> 00:10:48,410 So it's interesting to look at those things. So the two data sets, the one that we synthesized 115 00:10:48,410 --> 00:10:53,980 and when I say we, I mean Paul, and it took him, like, a half an hour to write the code. 116 00:10:53,980 --> 00:10:59,570 So I don't think we're really giving away any special secrets or anything. 117 00:10:59,570 --> 00:11:03,680 And we combined it with Daniel's list and the list that you will have is the synthesis 118 00:11:03,680 --> 00:11:08,720 of the two. So, this is what you need to know about PIN 119 00:11:08,720 --> 00:11:14,589 frequency. So on the bottom, we have the number of PINs that you have guessed. On the top, 120 00:11:14,589 --> 00:11:17,699 you have the percentage of phones that you have unlocked by the time you guessed that 121 00:11:17,699 --> 00:11:23,339 many. So if you want to be more likely than not, you have solved the problem and unlocked 122 00:11:23,339 --> 00:11:29,149 the phone, 670 PINs is all you need out of 10,000, assuming that the person that you 123 00:11:29,149 --> 00:11:35,089 are trying to crack is not some weird DEF CON person and actually follows the statistics. 124 00:11:35,089 --> 00:11:39,920 If you want an 80% chance that you have unlocked it, it's about 3700, which is still much less 125 00:11:39,920 --> 00:11:46,920 than the 8,000 you would expect at 80%. Obviously R2B2 is also able to, because we 126 00:11:48,920 --> 00:11:53,240 are just a robot, we can push physical buttons as well as touch screen buttons. 127 00:11:53,240 --> 00:11:56,709 I don't have a demo for you because I couldn't find a good one. I almost brought an old tape 128 00:11:56,709 --> 00:12:03,709 calculator and had it push buttons, but I couldn't fit it in my bag. We also think we 129 00:12:03,779 --> 00:12:08,759 might be able to do things that are completely mechanical, like there's some pad locks that 130 00:12:08,759 --> 00:12:13,480 have buttons and tings like that. If you noticed all the doors around here seem to have codes 131 00:12:13,480 --> 00:12:17,730 on them. AUDIENCE MEMBER: Break one of those! 132 00:12:17,730 --> 00:12:23,670 JUSTIN ENGLER: Sounds like everyone knows what it is already. 133 00:12:23,670 --> 00:12:30,470 So now that you know how to brute force something. How do we go the other way and defeat brute 134 00:12:30,470 --> 00:12:37,470 forcing. One thing you could do is have a delay after bad guesses. On Android, if all 135 00:12:37,639 --> 00:12:41,009 you have done is set a PIN and you haven't set any other settings, all you have done 136 00:12:41,009 --> 00:12:47,120 is set a PIN, then it makes you ‑‑ every five bad guesses you do, you have to wait 137 00:12:47,120 --> 00:12:51,720 for 30 seconds. That 30 seconds is constant. So the next five you do, you have to wait 138 00:12:51,720 --> 00:12:56,730 another 30 seconds. That means that if you want to go through all 10,000, it's going 139 00:12:56,730 --> 00:13:03,259 to take you about 20 hours which is not that bad for something that's important. 140 00:13:03,259 --> 00:13:07,509 And like we just talked about with the other ones, if you wanted to be more likely than 141 00:13:07,509 --> 00:13:11,920 not done, it's only going to take you 80 minutes. If you want 80% likely to be done, that's 142 00:13:11,920 --> 00:13:18,920 only seven hours. IOS's lock screen handles things a little bit differently. In IOS, you 143 00:13:19,230 --> 00:13:23,730 get your first five for free and after that, it starts to scale up how long you have to 144 00:13:23,730 --> 00:13:30,730 wait between each guess. And it goes up crazy fast. If you take that 20 hours that we had 145 00:13:31,000 --> 00:13:34,860 for Android, and you do the same thing here, and you wait the required waits, you only 146 00:13:34,860 --> 00:13:40,019 have a 20% success rate. So that's not 20% of the PINs because that would be a lot more. 147 00:13:40,019 --> 00:13:45,690 That's 20% success rate. Another important thing to note about Android, 148 00:13:45,690 --> 00:13:49,690 there are many other settings you can set that would change this behavior. If you have 149 00:13:49,690 --> 00:13:55,769 a Google account set, and you have two factor authentication enabled on that, then after 150 00:13:55,769 --> 00:13:59,880 something like 20 guesses, you will be prompted for your Google user name and password instead 151 00:13:59,880 --> 00:14:04,480 of why you ever P.I.N. So that's good. If you are using your device for corporate email, 152 00:14:04,480 --> 00:14:10,199 hopefully your exchange people have set up the wipe after ten tries setting. So it's 153 00:14:10,199 --> 00:14:13,750 not like all hope is lost on Android. There's still a lot you can do. It's just the default 154 00:14:13,750 --> 00:14:20,750 is not as good as it could be. I'm mostly an app exec. We have people who 155 00:14:21,800 --> 00:14:28,800 have people who have a PIN on their lock screen and we find that there's no brute force protection 156 00:14:32,800 --> 00:14:39,290 at all. And when we have an engagement and I tell them that there's no brute force protection, 157 00:14:39,290 --> 00:14:43,470 they say did you break it? No, I didn't have time and now we have the robot and now we 158 00:14:43,470 --> 00:14:49,920 don't have that problem. We very briefly, because the robot was only 159 00:14:49,920 --> 00:14:53,750 stable ‑‑ stably working as of a day or two ago and even then we have been tweaking 160 00:14:53,750 --> 00:15:00,750 code today. We only had a chance to test out a few items from the app store. Things like 161 00:15:03,230 --> 00:15:08,230 financial apps have it. Some antivirus apps, and like store your secret pictures and notes 162 00:15:08,230 --> 00:15:13,730 have it. Out of 13 that we had time to try, four of 163 00:15:13,730 --> 00:15:17,449 them had something that was effective enough that we couldn't break it and the other nine 164 00:15:17,449 --> 00:15:23,949 had nothing that would really stop us. This is an interesting table. So this tells 165 00:15:23,949 --> 00:15:28,509 you, if you can do one PIN per second and there's no other brute force protections how 166 00:15:28,509 --> 00:15:34,600 long it would take for you to break something for various types of PINs or passwords and 167 00:15:34,600 --> 00:15:38,440 the other side shows you what it would be like on the Android style, where it makes 168 00:15:38,440 --> 00:15:43,600 you wait 30 seconds every five bad guesses. So as you can see, it's not that hard. If 169 00:15:43,600 --> 00:15:48,480 you do a four character password that includes all the printable ASCII characters, it will 170 00:15:48,480 --> 00:15:54,370 take two and a half years even if there's no brute force protection and that's decent. 171 00:15:54,370 --> 00:16:00,560 If you can go up to seven, we are up to 20,000 centuries, my robot will be broken by then, 172 00:16:00,560 --> 00:16:06,350 I promise. So the last slide, this is my device ‑‑ 173 00:16:06,350 --> 00:16:13,350 advice to developers of OSs or apps or whatever. You need to put some type of brute force protection 174 00:16:14,629 --> 00:16:20,300 in place. This is my advice for users when you have to use an app that doesn't have any 175 00:16:20,300 --> 00:16:25,310 brute force protection in place, you need to pick a longer PIN or one with better characters. 176 00:16:25,310 --> 00:16:29,040 This is not rocket science and this is something that the security community has known about 177 00:16:29,040 --> 00:16:34,759 forever but at the same time, we still see apps with no protection. So I guess we have 178 00:16:34,759 --> 00:16:39,870 to talk about it some more and maybe with robot, we will finally get some traction on 179 00:16:39,870 --> 00:16:46,600 getting those things changed. ISEC and NCC thank you very much for giving 180 00:16:46,600 --> 00:16:52,940 us some money to build this robot. And Dan Royer, for doing the original define, and 181 00:16:52,940 --> 00:16:59,940 Daniel Amate for giving us some info and David Nichols who helped us with app analysis. 182 00:17:02,470 --> 00:17:09,069 This is our contact information, that's my Twitter handle. Your CDs already have the 183 00:17:09,069 --> 00:17:13,220 kind of preliminary code that was working as of when they were due a couple of months 184 00:17:13,220 --> 00:17:20,220 ago. It will run and it will move the robot. There's no camera code in there yet. The ‑‑ 185 00:17:21,730 --> 00:17:28,089 I will tweet at this when we have the rest of it posted which will be sometime next week. 186 00:17:28,089 --> 00:17:34,630 And I think we can probably get it on the iSEC web page. Yeah. 187 00:17:34,630 --> 00:17:41,630 That's it. Thanks, guys. (Applause). 188 00:17:42,530 --> 00:17:47,350 We have time for questions maybe, a couple. Yes, go. 189 00:17:47,350 --> 00:17:53,250 AUDIENCE MEMBER: (Inaudible question). JUSTIN ENGLER: How many did we successfully 190 00:17:53,250 --> 00:18:00,250 break? How many guesses did it take? We're looking. We'll look. Next question. 191 00:18:07,970 --> 00:18:11,260 Paul is from Seattle. I'm from close to Seattle. Yes. 192 00:18:11,260 --> 00:18:15,059 AUDIENCE MEMBER: (Inaudible question) JUSTIN ENGLER: How much is the robot. If 193 00:18:15,059 --> 00:18:19,730 you have a 3D printer and you print the stuff itself, it's less than $50 for everything 194 00:18:19,730 --> 00:18:21,610 else. If you need to buy the 3D printed parts, you will be probably just under $200, maybe 195 00:18:21,610 --> 00:18:21,860 $150. So not bad. Yes? 196 00:18:21,750 --> 00:18:22,059 AUDIENCE MEMBER: Is there any ‑‑ if you don't want the ‑‑ (Inaudible) ‑‑ 197 00:18:22,059 --> 00:18:22,340 that brute force password attacks has a longer pass code? 198 00:18:22,340 --> 00:18:22,620 JUSTIN ENGLER: So the question was is there an effective defense besides a device wipe. 199 00:18:22,620 --> 00:18:23,059 If you are the user and you don't have any choice, then a longer PIN or a stronger PIN 200 00:18:23,059 --> 00:18:26,590 is the best way to go. If you are a developer, you can do something like IOS does with the 201 00:18:26,590 --> 00:18:28,960 cascading wait where it takes longer and longer and then you can maybe not force the reset 202 00:18:28,960 --> 00:18:29,640 of everything. Make sense? All right. So we have a little bit of time, 203 00:18:29,640 --> 00:18:29,940 we will move over in the hallway so you can look it at closer. 204 00:18:29,940 --> 00:18:30,190 Okay. All other questions out here.