

Python implementation of passcode hashing algorithm used on Samsung Galaxy S4 - watermel0n
https://gist.github.com/hubert3/8560499

======
nly
No practical hashing algorithm, even Scrypt, would be able to securely hash a
4 digit PIN. If they don't have a hardware security module they may as well
store it plain. The amount of cryptography fail in mobile apps is stunning...
from Snapchat's static encryption key to pointless obfuscation like this.

If you want to talk about weak passwords though, consider that millions of
broadband customers in the UK are likely using cable modems/routers with the
default Wifi password that came printed on the base... currently 8 random
lowercase characters on Virgin Media's newest gear for example. WPA2-PSK
handshakes only add 12 bits during key stretching, so that's only 2^50 hash
iterations to compromise potentially millions of wifi networks.... which can
be done in about ~2 minutes to a few hours with a bit of hardware investment.
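
Added example (not part of the comment above or of the linked gist): the keyspace arithmetic behind the 4-digit PIN and 8-lowercase-character figures, plus the inverse a defender needs, the minimum random length for a target work factor. The 80-bit target and the 2**20-hash KDF cost are assumptions chosen for illustration; 4096 is the PBKDF2 iteration count of WPA2-PSK (the "12 bits").

```python
import math

WPA2_PBKDF2_ITERATIONS = 4096  # 2**12, the "12 bits" of key stretching


def search_bits(alphabet_size, length, stretch_iterations=1):
    """log2 of the hash operations needed to try every candidate secret."""
    return length * math.log2(alphabet_size) + math.log2(stretch_iterations)


def worst_case_seconds(bits, hashes_per_second):
    """Time to cover the whole space at a given (assumed) hash rate."""
    return 2.0 ** bits / hashes_per_second


def min_length(alphabet_size, target_bits, stretch_iterations=1):
    """Shortest uniformly random secret whose full search costs >= 2**target_bits."""
    needed = target_bits - math.log2(stretch_iterations)
    return max(1, math.ceil(needed / math.log2(alphabet_size)))


if __name__ == "__main__":
    TARGET_BITS = 80  # assumed design target, not a figure from the thread
    cases = [
        ("4-digit PIN, one hash per guess", 10, 4, 1),
        ("4-digit PIN, KDF costing 2**20 hashes (assumed)", 10, 4, 2 ** 20),
        ("8 lowercase chars, WPA2-PSK", 26, 8, WPA2_PBKDF2_ITERATIONS),
    ]
    for label, alphabet, length, stretch in cases:
        bits = search_bits(alphabet, length, stretch)
        need = min_length(alphabet, TARGET_BITS, stretch)
        print(f"{label}: {bits:.1f} bits; "
              f"{need} symbols needed for {TARGET_BITS} bits")
```

Even a KDF tuned to cost a full second per guess leaves a 4-digit PIN with a worst case of 10,000 seconds, which is why stretching alone cannot protect it.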

~~~
drdaeman
The interesting part is whether they use the same algorithm for hashing
passphrases (there's an option to lock phone using a proper passphrase, not
4-digit pin).

~~~
nly
Good point! Although really, breaking the unlock password on a phone isn't
that interesting to an attacker unless the owner has encrypted their phone or,
more likely, they suspect the owner uses the same password for other things.

I think most people just use face or pattern unlock these days though?

Android actually does quite well in this regard: KitKat now uses Scrypt...
although both PIN and Face Unlock can still be used with encryption, which
very secure. Oddly you can't use pattern.

~~~
blueskin_
>I think most people just use face or pattern unlock these days though?

Most average users, sure. I've seen a couple of family members using face
unlock, and many random people and coworkers using patterns. Myself, I use a
password.

~~~
nly
Patterns are terrible. I've clocked a few friends' patterns accidentally, let
alone actually _trying_ to shoulder surf. Far too visible.

~~~
darklajid
Ah, but it's a matter of what you're trying to protect against.

I have a number of devices, from 'swipe to unlock' via 'pattern unlock'
to full passphrases.

My phone uses a lock pattern, because

- swipe to unlock would unlock the phone in my pocket. Rare, but happened a
number of times

- my phone is the one device that consistently lies around the house and gets
carried away by my 1.x year old son. Swipe to unlock was very easy to
understand...

So - patterns aren't secure, agreed. They are just a way to lock the keyboard
against accidents and for that they work quite well.

~~~
e12e
This. Arguably, if you're not using full disk encryption, your adversary is
someone that (at least) hasn't entered high school yet... ;-)

I'd add that it also does add a bit of "intent" (in the same sense that (quite
easily pickable) door locks do) -- if your child/friend/coworker unlocks your
phone with your pattern, that's clearly crossing a boundary - more so than
just looking at your unlocked phone.

------
gagabity
Is it possible to get the hash and salt off the device while the phone is
still locked and not in developer mode? If not this doesn't seem too serious as
a security risk.

~~~
fission-fish
You can root the phone from a sdcard and then have access to it. You'll need
root rights anyway to access the hash and salt. This might not work with every
Android version.

~~~
Ecio78
Maybe I'm wrong, but don't you need to unlock the bootloader before, and doing
so the phone will be erased as a security measure?

------
pmorici
If you have enough access to the phone to dump the hashed pin code then why
would you care what the pin code is to begin with? This seems like a
non-problem unless people are reusing their phone pin code for their ATM cards,
but no amount of security is going to fix that kind of stupid.

------
dgerges
Question: how did you get the salt and algorithm used? By reverse engineering
the code?

~~~
arb99
"Get salt in signed numeric format by doing sqlite3 query SELECT value FROM
locksettings WHERE name = 'lockscreen.password_salt' on
/data/system/locksettings.db"

~~~
guipsp
That does not answer his question.

