Physical device code cracking

Following on from our last blog post, it might be worth explaining a little about how poor system design compromises security.

A well-designed security system will be hard to exploit, even with the latest technology. However, short-sighted system designers (and by “system” we just mean anything that works with something else) often don’t consider various factors that they should.

A human would be unlikely to sit and try codes against a 30-second time-out for a full day. Even if they did, with toilet and meal breaks, and the occasional checking of email, you’d expect them to do an 8-hour shift, then come back the next day, even if they were some kind of monk who could cope with the boredom via meditation.

A small robot, on the other hand, will work at it forever. To paraphrase Kyle Reese (Sergeant, Tech-Comm DN38416): “It can’t be bargained with. It can’t be reasoned with. It doesn’t feel pity, or remorse, or fear. And it absolutely will not stop, ever, until your password security is dead.”

A few examples of clever things people have done follow:

(And, of course, it isn’t just electronic devices that can be beaten like this. Years ago, people developed machines to test all possible combinations on a mechanical dial lock. These are called autodiallers, and you can see a video here. But, of course, a mechanical system can’t “remember” that it has been brute forced, and so such locks tend to rely on a far larger keyspace. These devices take around 3 days to open a typical container, and sometimes far longer.)

Ironically, though a digital system is “intelligent” inasmuch as it should be trivial to add a counter so that, after (say) 1000 attempts, the device wipes itself then bricks itself, far too few systems do this. Another option would be an increasing time-out. Adding a 5-second penalty each time the PIN was wrongly entered would make a brute force attack entirely impossible. Of course, you could also add a timer so that after a day, it allowed the penalty to reset, so that should someone be happy to keep trying on their own device, they can, while still making a brute force impossible. (Just watch out for someone resetting that time-out!)
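The lockout design described above (a penalty that grows by 5 seconds per wrong PIN, a daily reset of that penalty, and a wipe after 1000 wrong entries), modelled as an added simulation that is not code from this post or from any real device. `PinThrottle`, `exhaust` and the PIN `9999` are constructed for illustration, and the clock is simulated.

```python
import hmac
from dataclasses import dataclass

PENALTY_STEP = 5         # seconds added per wrong PIN (figure from the text)
RESET_AFTER = 24 * 3600  # a day without failures forgives the time-out

@dataclass
class PinThrottle:
    """Constructed lockout model. On a real device this state must sit in
    tamper-resistant storage and `now` must come from a clock that cannot be
    set back, otherwise the time-out itself can be reset."""
    secret: str
    wipe_after: int = 1000   # wrong entries before wipe (figure from the text)
    streak: int = 0          # wrong entries since last reset; sets the delay
    total_wrong: int = 0     # wrong entries since last unlock; time never clears it
    last_fail: float = 0.0
    wiped: bool = False

    def try_pin(self, pin: str, now: float) -> str:
        if self.wiped:
            return "wiped"
        if self.streak and now - self.last_fail >= RESET_AFTER:
            self.streak = 0                  # daily reset of the penalty only
        if now < self.last_fail + PENALTY_STEP * self.streak:
            return "locked"                  # inside the time-out: not evaluated
        if hmac.compare_digest(pin, self.secret):
            self.streak = self.total_wrong = 0
            return "ok"
        self.streak += 1
        self.total_wrong += 1
        self.last_fail = now
        self.wiped = self.total_wrong >= self.wipe_after
        return "wiped" if self.wiped else "wrong"

def exhaust(throttle: PinThrottle, digits: int = 4):
    """Walk the keyspace on a simulated clock, waiting out every time-out.
    Returns (final result, guesses made, simulated seconds elapsed)."""
    now = 0.0
    for n in range(10 ** digits):
        now = max(now, throttle.last_fail + PENALTY_STEP * throttle.streak)
        result = throttle.try_pin(f"{n:0{digits}d}", now)
        if result != "wrong":
            return result, n + 1, now
    return "exhausted", 10 ** digits, now

if __name__ == "__main__":
    for wipe in (1000, 10 ** 9):             # with and without the wipe counter
        result, guesses, secs = exhaust(PinThrottle("9999", wipe_after=wipe))
        print(f"wipe_after={wipe}: {result} after {guesses} guesses, {secs / 86400:.0f} days")
```

In this model the growing penalty alone stretches a full sweep of a 4-digit keyspace to about 7.9 years of waiting, and with the counter enabled the device wipes itself after roughly 29 days with only a tenth of the keyspace tried.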

One of the great features of the BlackBerry smartphones is that they are designed to be more secure, and as such, even a 4-digit PIN is secure against this sort of attack. After a few failed entries, the device pops up a challenge, as well as having time-outs, and, in the settings, you can add a condition that wipes the device securely after a set number of failed attempts.

If a few more system designers looked at this page, and realised how cunning some attackers are, they could easily make their systems far more secure.
