Brute-Forcing PIN Code Keypads Using Combinational Mathematics
by Alva Ray
Where I live - and probably in many parts of the world - most residential houses are guarded at the entrance by the simple mechanism that is the four-digit PIN code. By pressing buttons on a numeric keypad in the correct order, the door will unlock, and all residents share that single code. Many of these numeric keypads have the same couple of flaws that make them more vulnerable to brute-force attacks: First, there is no confirmation button that needs to be pressed after having entered four digits. Second, the last four entered digits will always be accepted, instead of the pad resetting after an incorrect PIN code.
Now, brute-forcing a keypad of this kind only involves a maximum of 10,000 codes to begin with. While this may seem a large number, it's actually quite small compared to the possible number of combinations when brute-forcing, for example, a computer password. (A four-letter password using lowercase a-z means 456,976 combinations.) The big difference between brute-forcing a computer password and trying PIN codes on a physical keypad is, of course, that the latter can't easily be automated, meaning it will be very slow.
To go through all possible PIN codes, you could start at 0000, 0001, 0002, etc., and try them all in order. You would be looking at a maximum of 40,000 key presses, hoping for the correct PIN code to be early in the sequence. Even for a skilled keypad operator able to try one PIN code per second, this method would still mean up to three hours of hard work and sore fingers.
But because of the flaws mentioned in the beginning, you don't have to press that many buttons. After having tried the first four PIN codes (0000, 0001, 0002, 0003) you have actually already tried ten different ones, since the pressed sequence also contained 0010, 0100, 1000, 0020, 0200, and 2000. By this principle, the number of required key presses is only a quarter of that initial 40,000. If you can keep up the same speed as previously, this means "only" about 40 minutes of work. However, the process in this case will probably be slower since the pressed sequence will not just be an ordered set of increasing numbers - something that otherwise favors physical brute-forcing since it can be carried out in a more systematic and thus faster fashion.
So, what shortened sequence might that be?
In other words, what is the shortest possible sequence of digits containing all of the four-digit PIN codes from 0000 to 9999? Luckily, combinatorial mathematics can answer that for us, in the form of so-called "de Bruijn sequences." They are named after the Dutch mathematician Nicolaas Govert de Bruijn, who attributed them to Camille Flye Sainte-Marie, Tatyana Pavlovna Ehrenfest, and himself. Such a sequence is, according to Wikipedia:
"[A] cyclic sequence of a given alphabet A with size k for which every possible sub-sequence of length n in A appears as a sequence of consecutive characters exactly once."
In the case of keypad PIN codes, the alphabet has a size of ten (the digits 0-9) and the sub-sequence a length of 4.
Every de Bruijn sequence has a length of k^n, so this one will be 10,000 digits, plus an extra three zeroes at the end to cover all PIN codes, since the sequence is cyclic. Concluding this short mathematical excursion, all four-digit PIN codes can be expressed through a 10,003 digit number.
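The length claim can be checked directly. The following is an added example, not the Wikipedia code the author used and not part of the original article: it builds B(k, n) with the standard Lyndon-word construction, appends the n-1 wrap-around digits, and counts the distinct codes registered by a keypad that accepts the last four digits versus one that clears its buffer after every fourth digit (a hypothetical hardened model; all function names are assumptions).

```python
def de_bruijn(k: int, n: int) -> str:
    """Cyclic de Bruijn sequence B(k, n) over the digits 0..k-1 (k <= 10).

    Standard construction: concatenate, in lexicographic order, all Lyndon
    words whose length divides n.
    """
    a = [0] * (k * n)
    seq = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(map(str, seq))


def linear_sequence(k: int, n: int) -> str:
    """Unroll the cycle by repeating its first n-1 symbols at the end."""
    s = de_bruijn(k, n)
    return s + s[:n - 1]


def codes_seen_sliding(presses: str, n: int) -> set:
    """Keypad with the flaw described above: the last n digits always count."""
    return {presses[i:i + n] for i in range(len(presses) - n + 1)}


def codes_seen_resetting(presses: str, n: int) -> set:
    """Assumed hardened model: the buffer is cleared after every n-th digit,
    so only aligned, non-overlapping groups are evaluated."""
    return {presses[i:i + n] for i in range(0, len(presses) - n + 1, n)}


if __name__ == "__main__":
    seq = linear_sequence(10, 4)
    print("key presses:", len(seq))
    print("codes seen, sliding window:", len(codes_seen_sliding(seq, 4)))
    print("codes seen, reset after 4: ", len(codes_seen_resetting(seq, 4)))
```

For k = 10 and n = 4 the sliding-window keypad registers all 10,000 codes from 10,003 presses, while the resetting model registers only 2,500 codes from the same presses.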
It turns out this string of numbers fits on approximately two A4 pages, meaning it could be printed double-sided on a single sheet, small enough to always be carried around in your toolbox/bag/wallet/pocket/hidden compartment. Any savants out there might find it useful to just memorize the whole thing. While still implying anywhere between one and several hours of number punching, this sequence will ensure the absolute minimum number of key presses.
Some possible scenarios: Finding yourself locked in, guessing a PIN code your only escape, this will definitely save you valuable time and oxygen. Forgetting or losing the PIN code to your rented storage space or garage, it will save you the money for having the code reset by an operator. You could even save some stamp money by delivering all your mail yourself! O.K., that last one was a joke, but you get the point.
Speaking of mail, the chances of hitting a correct PIN code early on in the sequence at any given residential house entrance are in fact higher than one in 10,000. At least over here, keypads accept additional PIN codes used exclusively by letter-carriers, codes that are often shared throughout entire neighborhoods. By going through the entire sequence on a less prominent keypad in your area, maybe in batches to avoid suspicion, you might find multiple working PIN codes. In that case, one of them is likely a service-type one - a skeleton key among PIN codes. Nota bene, you should not do this for any space you are not allowed access to in the first place, but that goes without saying.
I want to end this article with an idea for an invention:
It was said earlier that trying PIN codes on a physical keypad is not easily automated. However, it would be interesting to do just that, by building a small device with a set of mechanical "thumbs" that can be held against the keypad. It would then run through the optimal 10,003 digit PIN code sequence, pushing the buttons much faster than any human could.
If the device could try even just ten PIN codes per second, it would take at most 16 to 17 minutes to guess the right one. If lucky, and if there are multiple correct codes, it would take a much shorter time than that.
The device could be run by an Arduino board or similar, having some software on it that could calculate de Bruijn sequences itself given PIN code length, and remembering its position in the sequence when deactivated. If written so, and if activation of the device happens simply by pushing it against the keypad and deactivation occurs by releasing it, you would have a very stealthy piece of brute-force machinery.
You could visit a keypad for just a minute at a time over the course of several hours or even days, always continuing where you left off. Bonus points for coming up with some clever way to make the thumbs flexible enough to be fitted on any keypad layout (4-3, 5-2, etc.).
The advanced hardware hacker could even add a sensor to the device that can notice a green light, the common keypad mechanism for signaling that the correct PIN code was entered. With a built-in GPS and wireless, the device could save its location and the correct PIN code and, when connected to the Internet, report this data to a shared database.
Without further ado, and using some Python code found on Wikipedia, I've generated for you the 10,003 digits making up the shortest possible sequence containing all PIN codes between 0000 and 9999 exactly once.
Cut it out and save it, because you never know when it might come in handy: