The journey of brute forcing: From GPU dominance to CPU workhorses and back
Author: Magnus Johansson – Professional Services at MSAB
When a mobile device is locked and access is required for a lawful forensic examination, brute-forcing, systematically testing passcodes, can be the last, and sometimes only, viable method. In those situations, speed is crucial: the faster a valid passcode can be recovered, the sooner investigators can continue their work, cases can progress, and backlogs can shrink. Over the years the landscape around brute-forcing has changed dramatically. Mobile operating systems and key-derivation algorithms have shaped how we approach the challenge.
At MSAB we have followed and contributed to this evolution closely. Our journey with brute-forcing technology reflects how mobile forensics itself has matured, from early GPU-based solutions, through distributed CPU cracking, and now a return to GPU acceleration with the release of BruteStorm Surge.
Back around 2016-2017, when I moved from IT into Professional Services at MSAB, I led many Access Services operations and supported customers of the Advanced Acquisition Lab (AAL), the predecessor to XRY Pro. Most devices arriving then were Huawei and other Android-based phones, typically running versions up to Android 8.0. For those devices we relied heavily on GPU acceleration using the open-source Hashcat software. GPUs are extremely efficient at the parallel mathematical operations used in many key-derivation and hashing functions, and with well-configured GPU rigs we could achieve blazing-fast passcode recovery times.
Everything changed with Huawei’s Android 8.1 implementation. Up until then, Huawei devices had been among the most successfully processed using Hashcat and GPU acceleration. The updates to device security meant that GPU cracking suddenly became ineffective for a large range of modern devices. Almost overnight, GPU-based brute-forcing became unusable for many Android devices, and we were forced to rethink our approach. To overcome that limitation MSAB developed DBS (Distributed Bruteforcer Software), the CPU-based predecessor to what would later become BruteStorm. DBS could run on virtually any system and aggregate the processing power of multiple computers into a coordinated task. Its client/server mode let customers allow office machines to contribute spare CPU cycles to the same brute-force job. Even so, CPU farms could not come close to the throughput of a modern multi-GPU rig.
GPUs were sidelined because GPU kernels must be tailored to each specific hash implementation. Vendors regularly strengthen device security, and when the internal protections change, GPU-based approaches can become ineffective until new support is developed. That was the practical effect of Huawei’s Android 8.1 implementation: algorithmic changes that effectively locked out GPU acceleration for certain device classes. For years the industry relied on CPU-based solutions, which were versatile but far slower.
Now, however, GPU acceleration is back. BruteStorm Surge is a customized build of Hashcat that incorporates the necessary patches and optimizations for modern Android targets, including FBE devices. It brings back the raw computational speed of GPU cracking.
The return of GPU acceleration has enormous practical implications. A single high-end GPU can often perform password cracking roughly a hundred times faster than a CPU, depending on the algorithm and configuration. Adding GPUs generally scales performance nearly linearly for many workloads: two similar GPUs roughly double throughput, three triple it, and so on, until other system bottlenecks (memory bandwidth, PCIe) appear. That means an attack that would take hours or weeks on a CPU cluster can often be completed in minutes or hours on a GPU cluster. For illustration: a rig with a large number of current-generation GPUs can reduce multi-year CPU runtimes down to a matter of hours; exact numbers depend heavily on hardware and attack configuration.
Looking back, it’s clear how far this field has come. In 2017, when Huawei’s implementation of Android 8.1 forced the forensic community to abandon GPU-based cracking, MSAB responded by building a distributed CPU solution that kept analysts operational. Now, with BruteStorm Surge, we’ve come full circle, combining the massive compute advantage of GPUs with the reliability and forensic rigor that define MSAB’s approach.
This next generation of GPU-powered brute-forcing is more than a technical milestone. It is a reminder that forensic tools must continuously evolve alongside the devices and algorithms they target. Our goal remains unchanged: to provide customers with lawful, efficient and trustworthy access to digital evidence, wherever technology leads next.
