We’ve all had or seen server room doors protected by combination locks.

Most safes these days are protected by electronic keypads, like the ones used to safeguard on-site backup tapes. Using digital keypads, one’s fingers transfer a minute amount of heat to each key pressed.

This heat can be read by thermal imaging cameras for a short period of time after the keys have been pressed.

These cameras detect and display a large swath of the infrared (IR) spectrum.  So, if you are using a keypad to access a door or a safe you are at risk.

A 2005 report, “Cracking safes with thermal imaging” by Michael Zalewski was the first to bring this threat to the forefront.  Since that time, sophisticated attackers and penetration testers have tried to take advantage of the infrared technology used in these types of attacks.

Three researchers, students at the University of California, San Diego (UCSD) recently followed up on the findings with their own study, “Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks,” which automates the code acquisition using metal and plastic Automated Teller Machine (ATM) keyboards.

The researchers found that the rate of successful recovery rose when recovery was automated.  For example, within one minute of the personal identification number (PIN) being entered, recovery via visual inspection was 20-30% while automated recovery was approximately 50%.

Thermal imaging cameras can be rented for under $2,000 a month and thermal probes for microcontrollers can be purchased for dollars. The camera used by the researchers retails for about $18,000.

Keaton Mowery, one of the UCSD researchers and authors of the paper, shared with securitycurrent a few key findings about the data:

  • The key presses added 2-4 degrees to the environment, dissipating over 20-40 seconds, depending on how warm the subject’s hands were.  Since people’s hand temperatures can vary widely, changing the ambient temperature isn’t likely to impact things a great deal.
  • Subsequent key presses that aren’t part of the PIN were effective in masking the PIN.
  • Insulating or think gloves are also very good protection from PIN discovery.
  • Seven of the twenty-seven codes tested had repeat digits, and while figuring out which digits were pressed was still accurate, the software struggled to identify the actual key code used.

These types of thermal-based attacks are of concern because the victim isn’t aware of the attack, and doesn’t know their credentials have been compromised.  Moreover, since the attacks aren’t common knowledge yet most people don’t know to try to prevent them.

An attacker simply has to point a thermal imaging camera at a safe keypad, door button combination lock or ATM keypad and within a couple of minutes of a legitimate user entering the PIN or combination it is known to the attacker.

There are some steps that can be taken which help make an attacker’s job more difficult or block attempts to use thermal detection to carry out these attacks. Some of the steps you can take are:

  • Pressing random keypad digits after opening a lock or using an ATM can help throw off an attacker.  Mowery recommends pressing non-PIN/combination digits to mask the true numbers.
  • Wearing gloves is another obvious protection, though it’s not practical for all users.

Similar attacks have been documented, such as the 2010 paper by researchers at the University of Pennsylvania, “Smudge Attacks on Smartphone Touch Screens,” which detailed the recovery of smart phone PINs by photographing the fingerprint smudges on their screens.  Going from PINs to passwords without obvious patterns or meanings on smartphones is a decent mitigation tactic for that particular attack.

Each of these attacks falls into the realm of physical security but leverages technology like thermal cameras to carry out.  Most IT Security departments don’t focus on physical security, and very few organizations change lock combinations with any frequency.  In the end, if securing access to these areas that contain sensitive information is paramount, it is advisable based on the research to supplement these keypad locks with radio frequency identification (RFID)-based badge readers to prevent thermal-based attacks.

Leave a Reply