3D-Printed Robot Cracks Your Android PIN Code

Using a PIN to lock your Android phone will keep it safe from most people, but not from R2B2 — a robot designed to brute-force its way through any four-digit code in less than a day.

R2B2, the Robotic Reconfigurable Button Basher, is the invention of Justin Engler — a senior security engineer at New York-based iSEC Partners. The robot has debuted on YouTube in advance of its appearance at the Black Hat security conference in Las Vegas.

Instead of using sophisticated software to crack Android PINs, R2B2 adopts the tried-and-true method of entering every possible combination until something clicks.

 In hacking, this method is known as a "brute-force" attack, but R2B2 is unique in that it exhibits brute-force behavior in real life rather than digitally. The robot — four yellow manipulators that control a central appendage, resting atop two "legs" — can sit atop an Android phone and simply press buttons over and over again.

There are 10,000 possible four-digit PINs — a relatively small number, but still too many for one human to work through. R2B2, on the other hand, has no need for food, sleep or mental stimulation, and can work through every possible PIN in just 20 hours.

If a user enters five incorrect PINs in a row, the Android OS enforces a 30-second waiting period before the person can try again — but that is the only disincentive. This is why R2B2 wouldn't work on iOS devices: Apple employs an iterative system that makes a user wait increasingly longer to retry after each incorrect PIN entry.

You can actually create your own R2B2, if you want. The robot is the result of open-source software, a few cheap electronics and a standard MakerBot 3D printer, reports Forbes. In fact, apart from the electronic components, the entire robot was 3D-printed.

The robot's legs, central stand and "finger" apparatus all came from a 3D printer. Engler plans to release all of his blueprints within the next few weeks, which means that anyone in need of a neat party trick can print and cobble together his or her own R2B2.

Though R2B2 is a novel device, it doesn't pose much of a security risk. No one is likely to leave his or her Android phone beneath a very distinctive robot for 20 hours straight, and even if someone did, the robot wouldn't be able to inflict any harm because all it can do is guess PINs.

What R2B2 does demonstrate, though, is that PINs aren't a foolproof security measure, especially compared to pattern- and password-based methods. Additionally, Android could take a page out of the iOS playbook when it comes to locking out potential malefactors.