Date: 07.19.13 - 12:08pm
Played around doing some research this week to see if I could brute force a physical keypad-based login using a Netduino.
Download: Sample project files
After a lot of playing around, I finally got it working and stable. I did, however, have to introduce a 50ms delay in the keypad scanning loop to give the spoofer enough time to detect which row was being scanned next so it could decide whether or not to send its keypad signal. I first tried using interrupts, but settled on using direct reads within a while loop, which seemed more reliable.
When running the full sequence, with the mandatory delays for the LED blink cycles and key send timeouts, it took 6 minutes to reach the password of 123 (which was also the 123rd try out of a total of 1000 possible combinations for a 3-digit numeric code).
For take 2, I hooked up a relay bank to emulate the keypad. This setup worked on keypad readers that did a constant scan as well as interrupt-based ones. A lot more wiring, but it was stable, produced no false keypresses, and I did not have to modify the keypad scanner program to introduce any delay.
I do have to say that the Netduino is a very slick piece of hardware! Breakpoints and mouse-over variable values at run time in Visual Studio. Full IntelliSense and syntax highlighting. One-click deployment and live debug output. Microcontrollers don't get any better than this. The last thing I played with was a Motorola HC11a, which took a TON of labor to write, deploy and debug software on.
After the first attempt, I also did a little post-experiment googling and found the relay approach: Brute force finds the lost password for an electronic safe