PIN brute-force

Hello there!

I was recently involved on a testing related to telephones, automated attendant systems and those kind of things that irritates people with a machine talking to them and I have to admit I enjoyed it! I has been a long time since last time I played with phones and DTMF to send messages and commands to a machine over the phone and it made me remember good old times when I was starting on this field.

For those times I remember a technique that some people mentioned, but I never had the chance to practice it in real life. Let’s imagine the following scenario: you call to a phone number, a pre-recorder voice welcomes you, you press start or pound key and then you are request to insert a password to access to the administration interface.

Now we have two options: they ask you for a PIN number and then to press pound or star or they just want for you to insert your PIN number without any termination character. If the system is not asking you for the termination character it may be accepting any combination of 4 numbers (to name the most popular PIN length  that you have inserted so far. For example, if you insert 12345 it will check if the PIN number is 1234 or 2345, so with 5 keystrokes you check 2 different 4 digits PINs!

Woow! That’s something we certainly can hack, can’t we? If we want to brute force that PIN we can take two different paths: the path of truly brute-forcing or the path of “I-know-maths”. For the first one we’ll have to press all combinations, of 4 elements, from 0 to 9… which makes 40000 keystrokes. If we say it will take us to press each key 0,5 seconds we will check all the combinations in more than 5 hours. Not bad but we can do better 🙂

If we want to go for the optimal way to do it we need to do some maths… or at least ask someone who knows! What we need is a De Bruijn sequence. It’s a cyclic sequence that covers all the combinations of a set of number when grouped in sets of a given number. For example, if we want to test all the possibilities for a PIN of 3 digits that contains the numbers between 0 and 3 we will have to use the following sequence:

0 0 0 1 0 0 2 0 0 3 0 1 1 0 1 2 0 1 3 0 2 1 0 2 2 0 2 3 0 3 1 0 3 2 0 3 3 1 1 1 2 1 1 3 1 2 2 1 2 3 1 3 2 1 3 3 2 2 2 3 2 3 3 3 0 0

And it’s only 66 characters long! In our example, checking a 4 digit PIN number with all digits, we will have a sequence of 10003 characters, that, if take in consideration the previous numbers, we’ll be able to insert in less than an hour and a half. That’s some serious improvement, isn’t it? You can check the full sequence online plus a De Bruijn sequence generator if you want to play with it.

Happy Phreaking!