Although the concept is by no means new (plenty of these improv bots have appeared on Hackaday and other places) and most of the time just takes advantage of the logistics behind the checkerboard and wheat problem coupled with the birthday probability, these ones in particular seem interesting.
From
Black Hat USA:
Password and PIN systems are often encountered on mobile devices. A software approach to cracking these systems is often the simplest, but in some cases a pen tester or forensic investigator may have no better option than to start pushing buttons.
Robotic Reconfigurable Button Basher (R2B2) is a robot designed to manually brute force PINs or other passwords via manual entry. R2B2 can operate on touch screens or physical buttons. R2B2 can also handle more esoteric lockscreen types such as pattern tracing. R2B2 can crack a stock Android 4 digit PIN exhaustively in 20 hours. Times for other devices vary depending on lockout policies and related defenses.
Capacitive Cartesian Coordinate Bruteforceing Overlay (C3BO) is a combination of electronics designed to electrically simulate touches on a capacitive touch screen device. C3BO has no moving parts and can work faster than R2B2 in some circumstances.
Both tools are built with open source software. Parts lists, detailed build instructions, and STL files for 3d printed parts will be available for download.
R2B2 and C3BO will be running against live devices at the kiosk!
From
Slashdot:
"At the Def Con hacker conference in Las Vegas early next month, security researchers Justin Engler and Paul Vines plan to show off the R2B2, or Robotic Reconfigurable Button Basher, a piece of hardware they built for around $200 that can automatically punch PIN numbers at a rate of about one four-digit guess per second, fast enough to crack a typical Android phone's lock screen in 20 hours or less. Engler and Vines built their bot, shown briefly in a preview video, from three $10 servomotors, a plastic stylus, an open-source Arduino microcontroller, a collection of plastic parts 3D-printed on their local hackerspace's Makerbot 3D printer, and a five dollar webcam that watches the phone's screen to detect if it's successfully guessed the password. The device can be controlled via USB, connecting to a Mac or Windows PC that runs a simple code-cracking program. The researchers plan to release both the free software and the blueprints for their 3D-printable parts at the time of their Def Con talk."
So it'll be present at both DEF CON and Black Hat. I'm more interested in the source code and most importantly, how intelligently it is designed, i.e. how it handles lockouts, what algorithm does it use to scale probability, can it detect finger smudges and use the data to shorten the process, etc.
