2

I have a locked phone (forgotten PIN). Currently, it seems, brute forcing PINs is the only option. Due to many incorrect attempts, the gatekeeper timeout or cooldown period is stuck at 480 seconds now.

The question is: Does this timeout period apply to TWRP too, i.e., would I have to brute force with 480s as the interval period, OR, is 10s the default for TWRP?

beeshyams
  • 40,739
  • 30
  • 119
  • 269
Nurmengardian
  • 81
  • 6
  • 2
    https://android.stackexchange.com/q/239189 – alecxs Jul 22 '21 at 06:18
  • 1
    Gatekeeper runs in TEE. It enforces timeout. It will refuse verification until the cooldown is over. – defalt Jul 22 '21 at 08:10
  • Thank you again, alecxs. – Nurmengardian Jul 22 '21 at 11:17
  • @defalt agreed. however some people claim some TWRP builds might able to overcome timeout increasement (although I don't believe it) refer to comment they claim it is only 10 sec timeout https://android.stackexchange.com/q/212261 would you mind writing up answer why gatekeeper timeout increasement can't be disabled (what is TEE) so we have some Q&A for further reference – alecxs Jul 25 '21 at 09:32

1 Answers1

2

In android 8+ devices that, screen lock authentication and File Based Encryption (FBE) are controlled by hardware-backed secure environment called Trusted Execution Environment (TEE). Google Pixel and high-end Samsung devices have discrete TEE chip onboard. Mid-range Qualcomm Snapdragon and Samsung Exynos devices also come with integrated TEE chip with at least EAL 4+ (Evaluation Assurance Level) certification.

TEE has a component called Gatekeeper that handles screen lock authentication which is cryptographically bound to FBE. Gatekeeper enforces authentication timeout regardless of how and who is attempting authentication. TEE consumes 100ms to verify the lock code. After 5th and 10th incorrect authentication attempt, there is a timeout of 30 seconds. Every successive attempt up to the 30th gets the same timeout. Between 30th and 140th attempts, the timeout grows exponentially from 32 seconds to 17 hours 4 minutes. After 140 attempts the timeout for each incorrect attempt is 1 day. A brute force attack against a 4 digit PIN would take around 27 years to complete.

It's still recommended to use 6-8 digit PIN because people keep weak 4 digit PINs. TEE firmware is proprietary although sample implementation of TEE firmware is open-sourced by Google and as a security design Google's implementation of Gatekeeper does enforce exponential timeout. But there can be some devices whose Gatekeeper's implementation is either faulty or unpatched just like there are Factory Reset Protection (FRP) bypasses available for some devices until they are patched. FRP is also backed by TEE. You have to test timeout for your device but note that even if you manage to bypass it for your device, it's not a generic method and will not work at all on other devices.

Some OEMs also feature automatic factory reset after certain number of incorrect attempts which is most likely an opt-in feature. If you happen to have this feature enabled, you will lose your data with no possible way to recover it.

defalt
  • 1,069
  • 1
  • 10
  • 22