  • having same 6 digit unlock code for multiple users

Hi! I know that if an attacking party has my phone in his hand and knows the pin code shared between 2 users, that would result in a compromise for both users.

But what if I'm able to punch that phone thief in the face? Then, the thief proceeds to try to hack my phone remotely out of spite?

If a hacker knows my 6 digit code to unlock my phone, can he use that code remotely?

If yes, can he switch users using that pin code remotely?

Is a 6 digit phone unlock code even usable by hackers remotely?

Thanks

    XxTriviumxX
    I mean, even if this hypothetical thief could use the code remotely, couldn't you just change the code?

      XxTriviumxX If a hacker knows my 6 digit code to unlock my phone, can he use that code remotely?

      If yes, can he switch users using that pin code remotely?

      At the very least that would require a remote code execution (RCE) vulnerability plus a privilege escalation vulnerability. That sort of chain may exist, but they tend to be held closely by national actors, large criminal gangs, etc., not in the hands of purse snatchers.

      Merely knowing your PIN, without substantial access to the device, isn't very powerful.

        Dumdum I mean, even if this hypothetical thief could use the code remotely, couldn't you just change the code?

        It's just theoretical! And I change my codes often!

        de0u That sort of chain may exist, but they tend to be held closely by national actors, large criminal gangs, etc., not in the hands of purse snatchers.

        Merely knowing your PIN, without substantial access to the device, isn't very powerful.

        That's a huge part of the answer I was looking for! I know you can have a PIN code to log in to a Windows 11 machine... a PIN code that can only be used when someone has physical access to the PC. It can be used as a replacement for a big and complex password that you find tedious to type.

        reference: https://support.microsoft.com/en-us/windows/change-or-reset-your-pin-a386c519-3ab2-b873-1e9b-bb228a98b904

        Just wondering if it is the same principle with the phone unlocking code

          XxTriviumxX I know you can have a PIN code to log in to a Windows 11 machine... a PIN code that can only be used when someone has physical access to the PC. It can be used as a replacement for a big and complex password that you find tedious to type.

          I'm not qualified to comment on Windows 11 login methods (though I will point out that recently there were some concerning issues with widely-used implementations of their fingerprint system).

          XxTriviumxX Just wondering if it is the same principle with the phone unlocking code

          I am not an expert, but I think the short answer is that for a PIN to unlock storage on a modern Android device it must be run through a secure element to activate the relevant storage key (which these days is typically held by the storage controller). The design is that most code running on the device, and all code running off the device, can't do that step, and also can't access the storage. But, as I wrote above, a more-or-less-plausible exploit chain could contradict the relevant assumptions.

          I guess what I'm saying is that "in principle" is one thing, but successful attackers typically win by finding some principle that isn't working out in practice. So the answer to your "in principle" question is probably "Yes", but "in principle" the linked MS Windows fingerprint vulnerability never happened.
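
A simplified model of the design described in the reply above, added here as an illustration and not part of the thread or of Android/GrapheneOS code: the storage key can only be unwrapped by combining the PIN with a secret that stays inside the chip. The `SecureElement` class, `pin_only_unlock`, the XOR wrap and the attempt limit are all assumptions made for the sketch.

```python
import hashlib
import hmac
import os


class SecureElement:
    """Toy model of a chip whose secret never leaves it (not Android's real design)."""
    MAX_FAILS = 5  # assumed attempt limit, for illustration only

    def __init__(self):
        self._hw_secret = os.urandom(32)  # constructed stand-in for a fused device key
        self._fails = 0

    def _kek(self, pin: str, salt: bytes) -> bytes:
        # Stretch the PIN, then bind the result to the hardware secret.
        stretched = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000)
        return hmac.new(self._hw_secret, stretched, hashlib.sha256).digest()

    def enroll(self, pin: str, storage_key: bytes) -> dict:
        # Wrap a 32-byte storage key; only the wrapped blob is stored on flash.
        salt = os.urandom(16)
        kek = self._kek(pin, salt)
        wrapped = bytes(a ^ b for a, b in zip(storage_key, kek))  # toy wrap, not AES
        tag = hmac.new(kek, wrapped, hashlib.sha256).digest()
        return {"salt": salt, "wrapped": wrapped, "tag": tag}

    def unlock(self, pin: str, blob: dict):
        if self._fails >= self.MAX_FAILS:
            raise PermissionError("too many failed attempts")
        kek = self._kek(pin, blob["salt"])
        tag = hmac.new(kek, blob["wrapped"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, blob["tag"]):
            self._fails += 1
            return None
        self._fails = 0
        return bytes(a ^ b for a, b in zip(blob["wrapped"], kek))


def pin_only_unlock(pin: str, blob: dict):
    """Same steps run off the chip: correct PIN and blob, but no hardware secret."""
    kek = hashlib.pbkdf2_hmac("sha256", pin.encode(), blob["salt"], 10_000)
    tag = hmac.new(kek, blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["wrapped"], kek))
```

With the correct PIN, `unlock` on the chip returns the storage key, while `pin_only_unlock` with the same PIN and the same stored blob returns `None`, because the key-encryption key depends on the secret that only the chip holds.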

          XxTriviumxX Hi! I know that if an attacking party has my phone in his hand and knows the pin code shared between 2 users, that would result in a compromise for both users.

          If he knows what user profiles are, then yes.

          XxTriviumxX But what if I'm able to punch that phone thief in the face? Then, the thief proceeds to try to hack my phone remotely out of spite?

          Hmm, bit of a stretch, don't you think? You manage to punch him but he's skilled/resourceful enough to quickly exploit a vulnerability but doesn't abduct you instead 😉. It's difficult enough to gain RCE on stock Android, so how about GrapheneOS? Let alone while locked, preventing the USB-C port from allowing new connections (although this depends on your settings).

          XxTriviumxX If a hacker knows my 6 digit code to unlock my phone, can he use that code remotely?

          If a state actor or dedicated organization is targeting you specifically, it may be possible. I assume you're not in this position, so the chances are little to none. You didn't give your phone to the suspicious man in the back alley or install "free minecraft apk mod 100% no virus," did you? 😉

          Remember to develop a realistic threat model. It will make your life much easier 🙂.

            thanks for all your answers!

            yore Remember to develop a realistic threat model. It will make your life much easier 🙂.

            Yeah... simply wanted to know more about remote attacks abusing a 6 digit code! It seems like it would indeed be a Government or Terrorist group attack! I'm far from that range.