
How to bruteforce the PIN on Android: Nexus 4 video demo

19 Dec 2014

In our previous demo we talked about Scraping Memory From Android Phones With JTAG.

This time we’ll be showing you how to get the PIN information from that scraped memory, and bruteforce it.

The attack

So, I had grabbed two images from a Google Nexus 4: one of the User Data partition (containing all the sensitive information) and one of the Meta Data partition (containing all the crypto information). We'll now use those two resources to get the PIN, which will decrypt the phone for us.

To get the PIN, and then try to decrypt the data, you'll need two scripts: one to run against both the User Data partition and the Meta Data partition dumps (to bruteforce the PIN), and one to run against the Meta Data partition, to decrypt it. The ones we used were written by Thomas Cannon. The PIN bruteforce one is here, and the decrypt one is here.

The PIN bruteforce script needs to be told the maximum number of PIN digits to check. We know that our demo device has a 4 digit PIN, so for the sake of speed we told the script that was the maximum length. What it does is look through all the Meta Data, scan the crypto information, and then enumerate the PIN!

Decryption time

Now that we have the PIN we can try to decrypt the data in the User Data partition dump we've taken, using the decrypt script. It does throw up a lot of zeros in the user data partition, but don't be put off, it is working. Before you can mount the user data partition in Linux, all the slack space needs to be removed.

So, now we have an unencrypted partition which we can interrogate any way we like. Android uses SQLite, similar to iOS, and what we're after is actionable clear text data. Let's look at email information, for example. All we need to do is query emailprovider.db with the right command and instantly we get the email address and account password, in clear text, in a matter of minutes.

What can you do about it?

To make this harder you need to update your handset operating system. Android 4.4 introduced scrypt key derivation, which slows our attack down, but it's still possible to bruteforce a 4 digit PIN in around one hour, even on a slow virtual machine. You should also use PINs longer than 4 digits; many devices offer up to 17 digits at present. However, these will not deter a serious attacker, so have a think about whether you should even allow Android devices to connect to your network in the first place.
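To put numbers on the two mitigations above (a slower key derivation function and a longer PIN), here is an added estimator that is not part of the original post or of Thomas Cannon's scripts. It measures how long one derivation takes on the machine it runs on, for a fast PBKDF2 setting and for scrypt, and multiplies that by the size of the PIN space. The PBKDF2 iteration count and the scrypt N/r/p values are assumptions chosen for illustration, not the parameters of any Android release, and the salt is a constructed random value; only the relative effect of a slower KDF and more digits is the point.

```python
"""Estimate the average brute-force time of an all-digit PIN under a fast KDF
(PBKDF2) versus a memory-hard one (scrypt). Added example; the parameters
below are assumptions for illustration, not Android's actual settings."""
import hashlib
import os
import time

# Assumed, illustrative KDF parameters (not taken from any Android version).
PBKDF2_ITERATIONS = 2000
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT = os.urandom(16)  # constructed salt; any 16-byte value works for the estimate


def pin_space(digits: int) -> int:
    """Number of candidate PINs of exactly `digits` digits (leading zeros allowed)."""
    return 10 ** digits


def derive_pbkdf2(pin: str, salt: bytes = SALT) -> bytes:
    """One PBKDF2-HMAC-SHA1 derivation, the 'fast' pre-4.4 style of KDF."""
    return hashlib.pbkdf2_hmac("sha1", pin.encode(), salt, PBKDF2_ITERATIONS, 32)


def derive_scrypt(pin: str, salt: bytes = SALT) -> bytes:
    """One scrypt derivation; costs 128 * r * N bytes of memory per guess."""
    return hashlib.scrypt(pin.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=32)


def seconds_per_guess(derive, samples: int = 5) -> float:
    """Average wall-clock seconds for one derivation on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        derive(f"{i:04d}")
    return (time.perf_counter() - start) / samples


def expected_crack_seconds(digits: int, per_guess: float) -> float:
    """Average time to reach the right PIN: half the keyspace, on average."""
    return pin_space(digits) * per_guess / 2


def report(digit_lengths=(4, 6, 8)):
    """Return (kdf name, digits, seconds per guess, average crack seconds) rows."""
    rows = []
    for name, derive in (("pbkdf2", derive_pbkdf2), ("scrypt", derive_scrypt)):
        per_guess = seconds_per_guess(derive)
        for digits in digit_lengths:
            rows.append((name, digits, per_guess,
                         expected_crack_seconds(digits, per_guess)))
    return rows


if __name__ == "__main__":
    for name, digits, per_guess, total in report():
        print(f"{name:7} {digits:2d}-digit  {per_guess * 1000:7.2f} ms/guess"
              f"  ~{total / 3600:10.2f} h on average")
```

The absolute times depend entirely on the hardware and on the parameters you plug in, so read the output as ratios: every extra two digits multiplies the average crack time by 100, and raising scrypt's N doubles the per-guess cost for every extra bit. Neither changes the fact that a 4 digit PIN has only 10,000 candidates, which is why the post recommends longer PINs rather than relying on the KDF alone.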