PIN customers can avoid heat of thief's phone attachment
September 1, 2014 by Nancy Owano
Engineer Mark Rober has some words of advice on guarding the safety of your PIN. His advice comes in the form of a video where he demonstrates that a thief can steal a PIN by using a thermal imaging attachment clipped to a smartphone. The good news is that the theft can be easily avoided. Anyone can protect the PIN from such ploys. As easy as it may seem to steal the data, it is just as easy to stop such attempts from succeeding.

Rober invites his video viewers to watch him as he steps into a store and uses the technique. The customer in front of him in line keys in her PIN on the counter pad. As soon as he walks up to the register after the customer has left, his phone briefly hovers over the keypad.

He used the FLIR ONE device for infrared thermal imaging, where you "see" the heat. FLIR ONE brings thermal imaging into the palm of the hand; it clips onto the back of the iPhone to display infrared. Using it, one can see "the temperature" of things. Since the heat signature fades with time, the thief has the opportunity to estimate the order in which the keys were pressed. The keys pressed last appear hotter, and the keys pressed first appear dimmer.
The comforting news is that the trick will not work on all keypads. Metal keypads, he said, will not allow for a thermal signature to be left behind. Rubber and plastic pads did allow for thermal signatures. That resonates with the findings of a team who in the past discussed thermal camera attacks. In a 2011 paper, "Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks," researchers from the University of California San Diego explored the potential of using a thermal camera to recover codes typed into keypads.
They wrote that the material of the keypad made a huge difference. They said that "against metal keypads, the few runs that we did perform were almost completely abortive. Much of this can be attributed to the high conductivity of the metal, which meant that the heat residue remained localized to the key that had been pressed for only a few seconds; we also observed, however, that either the keypad itself or a paint put on the keypad caused it to act as a thermal mirror, meaning it was hard to even get a clear reading on the keypad at all. Therefore, at least based on our current results, the obvious approach to prevent our (and essentially any thermal-camera-based) attack would be to use metal keypads exclusively."
Rober said in his video that another important point to convey is that it is easy to avoid this risk; just rest your fingers on other buttons as you type in your code.
FLIR ONE, meanwhile, was announced as an infrared camera for the iPhone (5 and 5s). "The dark ages are over," said the promotional video, "because once you see the heat, you will never look at anything the same again." "We've taken the technological precision of military-grade night vision, and packed it into a wafer-form camera smaller than a dime," said its creators. Numerous beneficial applications for the device include home use, in detecting heat loss, energy inefficiency, and leaks; work support for contractors, in being able to quickly evaluate issues such as spill-tracing, electrical shorts, and radiant floor heating; surveying a campsite at night and finding a lost pet; and seeing through smoke. Creatives can observe patterns and artistic images.