I have come across a pretty easy way to get a PIN code for an iPhone or Android. It just takes a very tiny amount of social engineering. You will also need physical access to the device.
Step 1
Convince whoever it is that you would like to see their phone. This is the part where social engineering is involved. You have to be creative. You can say something like you're amazed at their device and you want to see it up close. Another option is to just wait until they leave the phone on a table, or unattended for a while.
Step 2
Power cycle the device. Hold the power button until the device gives you the option to either restart or shut down. If you shut the device down, be sure to hit the power button again to start the device up.
Step 3
Stay around and shoulder surf. Phones nowadays require you to enter the PIN after a reboot. If you are close enough to the target, you should be able to see the victim type their PIN in.
For example: If you know the victim's number you can send them a video of something interesting. Then when you see them close to their phone, ask if they have gotten the video you sent them. The victim will now check their phone, their phone will ask for the PIN, and they will type it in with you there. Boom, now you know their PIN.
Step 4
Profit. At this point you can own their phone, either when it is lying around somewhere, which people do all the time, or by making something up to use their phone again, like an "Emergency call". As long as they don't change their PIN you have access to their device.
If it so happens that the user has an actual password on their lock screen, then you may have hit the jackpot. Most people use the same password for everything. You may be able to get into their Gmail, iCloud, Facebook, Instagram, etc. accounts if they do not have two-factor authentication turned on.
How do I avoid this attack?
Simple: make sure no one is looking at your screen when you are typing passwords or PINs on your phone. You can purchase a privacy screen protector for your devices. Also, do not leave your phone unattended. Phones have a lot of data on them. Just like you don't leave your computer out in public settings, do not leave your phone out on tables and such.
Thanks for reading
This is my first post. Hopefully, it is somewhat helpful. The key with this is to get creative. I have used this multiple times, with success. Sometimes you do not need malware or complicated hacks to get into a device. Some simple social engineering can go a long way.
1 Response
Although it's quite an old trick, it still works like a charm. Nice work sharing this :)