A new threat to PIN security has been found: By using a thermal camera, scientists at the University of California in San Diego were able to record PIN codes from the heat signatures retained on keypads minutes after the PIN had been entered. But are Thermal Camera Attacks really a threat, or is the reporting skewed for sensationalism?
After reading the scientific article in question, Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks by Keaton Mowery, Sarah Meiklejohn, and Stefan Savage of UC San Diego—cited in the fear-mongering articles spreading like wildfire—I’ve come to the following conclusions:
As described, the test hardly worked on metal keypads:
“The material of the keypad also made a huge difference: against metal keypads, the few runs that we did perform were almost completely abortive. Much of this can be attributed to the high conductivity of the metal, which meant that the heat residue remained localized to the key that had been pressed for only a few seconds; we also observed, however, that either the keypad itself or a paint put on the keypad caused it to act as a thermal mirror, meaning it was hard to even get a clear reading on the keypad at all. Therefore, at least based on our current results, the obvious approach to prevent our (and essentially any thermal-camera-based) attack would be to use metal keypads exclusively.”
The camera used for the test is extremely expensive:
“We used an A320 FLIR camera running at 9Hz with the built-in lens and the standard ExaminIR software for the camera. The monthly rental rate for this camera is $1950 and the cost to buy is about $17,950.”
Although the rental rate is only a mere two thousand dollars per month, the return rate has to be quite high for this method to be economically feasible.
The individual touch can skew results:
“Similarly, individual differences of the keypad operators plays a determining role as well. Some people were quite a bit more warm-blooded than others, and some were more forceful in pressing the keypad; for the people with colder hands or a lighter touch, the thermal results faded significantly more quickly.”
In other words, cold hands and a light touch severely influence the success rate. Not to mention using gloves…
Typical time frame for success:
While the results were pretty good for the first 45 seconds, the thermal imaging had to be rendered within 90 seconds after the PIN code had been entered on a plastic pad.
Most of the time, after entering the PIN on an ATM, the time elapsing before the client has received the money (and puts it away in their wallet/purse) is often more than one minute.
What About Counter Measures?
The article mentions some simple countermeasures ignored in most articles on this ‘new threat’:
“There are of course prevention methods that a user might in turn take against thermal camera-based attacks (for example, continuing to press the keypad even after he has entered the code, or simply resting his whole hand on the keypad); nevertheless, we expect that all but the most paranoid of users do not take them (at least not at present), and so the advantage over conventional cameras is still meaningful.”
How High Is The Risk?
While much has been made of the possibility of theft of individual PIN codes at ATMs, I think that risk is negligible and easily countered. With people becoming more security conscious in recent years, many users already screen their PIN by using their free hand to block the view of the keypad. If that action is followed by these countermeasures, the risk drops down to nihil:
- Keep touching different keys on the pad or simply rest your warm palm on the key to give all of them a heat signature.
- Never take a preset amount of money, but select ‘Other’ so you have use the keypad to insert a different amount. The keys of the amount will mess up the heat signatures of the pads used to typing your PIN.
- Use gloves or an object (pen, keys, et cetera) to press the keys. If none of those options are available, press the keys with your knuckle instead of your fingertip. Especially the knuckle of your little finger will transmit less heat to the keys than a fingertip.
- Whenever you can, only use ATMs with a metal keypad.
So, Nothing To Worry About?
Well, not for ATM users. However, the article is interesting for security professionals with regards to the use of keypads to limit access to secure locations, for a variety of reasons not encountered with ATMs:
- Unlike the keypads of ATMs, access keypads are often mounted vertically on the door or the wall next to the door.
- Door keypads are often made of plastic, which retains the transferred heat longer than metal pads.
- Users often vacate the area immediately, i.e. the individual arrives at the door, enters the code, opens the door, and goes inside, allowing for a far shorter time elapsing between the entering of the code and taking the thermal image.
- And, most important, all users use the same code, so if one takes thermal imaging of several users, the code pattern will emerge much swifter than with the use of individual codes (like PIN codes at an ATM).
A lot of this also goes for safes with electronic keypads: plastic keypads, single code. Except that most safes are not vacated seconds after the code has been entered. So with safes the risk is less high than with door keypads.
The scientific article, complete with graphs and source material, can be found here: https://cseweb.ucsd.edu/~kmowery/papers/thermal.pdf
If you think other people could benefit from this information, please share this post using the social media buttons below.