Think Your Smartphone Is Secure With A PIN? Think Again


With more and more of our personal lives moving into technology, it’s a good idea to try to stay as secure as possible. The days of paper records and communications are almost completely behind us and we’re starting to put our trust into the internet and the devices that we carry in our pockets. Especially in the mobile scene, it’s important to understand the types of security we do and do not have.

Many people set their iOS or Android devices to present a PIN lock screen when the device is activated. While this might seem like a good idea, it’s not nearly as secure as you might think.

Remember, a four-digit PIN has only 10,000 possible values, 0000 – 9999. It might seem like a lot of work for a human to enter all of them, but for a computer, that’s cake. How easy is it? As a preliminary test, I hacked together a small script in Ruby to pump through all of them. I was able to print out every possible PIN in under 0.04 seconds. That’s four one-hundredths of a second. Michael Phelps has lost by greater margins than that.

Now, to be fair, it will take slightly longer for a piece of software to try each of those 10,000 PINs on your phone. There is some overhead that probably has to do with read/write time and decrypting data. Dailywireless.org reports that the entire process, including dumping phone contents, can be done in about two minutes. What’s also worth noting is that some PINs are more likely than others. An attacker could leverage this knowledge to make the process even faster.
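As an added illustration (not the post's own Ruby script), here is a small Ruby sketch that puts numbers on the two points above: how long an exhaustive search takes at the roughly 12 ms per attempt that the two-minute figure implies, how much a lockout delay between attempts changes that, and a check for the kinds of PINs that are guessed first. The 12 ms rate, the lockout parameters and the weak-PIN rules are assumptions chosen for the example.

```ruby
# Added example: keyspace arithmetic and a weak-PIN check (defender's view).
# All rates and rules below are assumptions, not measurements from the post.

# Number of distinct PINs of +length+ symbols drawn from +alphabet+ symbols.
def keyspace(length, alphabet = 10)
  alphabet**length
end

# Seconds to try every PIN at +per_attempt+ seconds each.  The post's
# "about two minutes for 10,000 PINs" works out to roughly 0.012 s per
# attempt, which is the assumed default here.
def exhaustive_seconds(length, per_attempt = 0.012, alphabet = 10)
  keyspace(length, alphabet) * per_attempt
end

# Same search when the device enforces a lockout: after +free_tries+
# attempts, every further attempt costs an additional +delay+ seconds.
# This is the single biggest lever a lock screen has against brute force.
def throttled_seconds(length, free_tries, delay, per_attempt = 0.012)
  n = keyspace(length)
  n * per_attempt + [n - free_tries, 0].max * delay
end

# Flags PINs that fall into the "more likely than others" buckets a guesser
# tries first: repeated digits, ascending/descending runs, repeated pairs,
# month-day dates and four-digit years.  Non-numeric input is rejected too.
def weak_pin?(pin)
  return true unless pin =~ /\A\d{4,}\z/
  digits = pin.chars.map(&:to_i)
  return true if digits.uniq.size == 1                    # 0000, 111111
  steps = digits.each_cons(2).map { |a, b| b - a }
  return true if [[1], [-1]].include?(steps.uniq)         # 1234, 654321
  if pin.length == 4
    mm, dd = pin[0, 2].to_i, pin[2, 2].to_i
    return true if pin[0, 2] == pin[2, 2]                  # 1212
    return true if (1..12).cover?(mm) && (1..31).cover?(dd) # MMDD date
    return true if (1900..2030).cover?(pin.to_i)           # birth year
  end
  false
end
```

Run `exhaustive_seconds(6)` and `throttled_seconds(4, 5, 60)` side by side to see that a lockout delay buys far more than two extra digits do at this attempt rate.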

So what’s the best solution? Don’t store any extremely sensitive data on your phone. Many people don’t carry their Social Security card in their wallet for fear of it being stolen. You should treat your phone with the same regard. While the PIN may be good enough to stop your coworker from posting prank statuses on your Facebook wall, it will not be good enough to stop a determined attacker.