Your Hot Hands Can Give Away Your Smartphone PIN


Voorhees a jolly good fellow!
If you were protecting your smartphone passcode from someone lurking over your shoulder, or from unseen security cameras, you might cover the screen as you tap in the PIN’s four or six digits. But once you’ve unlocked the phone, perhaps you’d let down your guard, and leave the screen in full view—especially if it’s off.

That would be unwise, according to researchers at two German universities. At an upcoming conference on human-computer interactions, they will present a new study that explains how someone armed with a thermal-imaging camera would have little trouble extracting your passcode from the heat signature left on your smartphone’s screen. It even works 30 seconds after you last touched it.

In a short video, two of the researchers demonstrate how easy the attack is. A guy enters a PIN to unlock his phone, then turns off the screen and puts it down on a table. He gets up to grab a cup of coffee, as an attacker quietly strides in, points a small handheld thermal camera at the phone for a moment, and walks back out.

What happens next is a little like a higher-tech version of a smudge attack, in which a snooper examines the oily residue left on a screen by a user’s finger to reconstruct the phone’s login passcode or pattern. In a 2010 paper that introduced that method, researchers from the University of Pennsylvania called smudges a form of “information leakage” that can be collected and analyzed with nothing more than a regular camera and photo-editing software.

The smudge attack was surprisingly good at decoding Android passcode patterns, those shapes that users trace on their lockscreens to get into their phones. The streaking in the residue left behind after an unlock can even show the direction the user dragged his or her finger, making imitating the pattern trivial. But for strings of numbers like an iPhone PIN, the smudge attack isn’t quite as useful: It can reveal which numbers are included in the PIN, but not what order they were tapped. That still cuts down drastically on the set of possible passcodes, but finding the real one will still take some guesswork.

This is where the thermal attack excels. Because heat decays at a known rate, a person typing in a PIN with four different digits would leave behind four heat traces of slightly different temperatures: The first digit entered would be coolest, and the last digit would be warmest. If a thermal image contains only three or two heat traces, the attacker can infer that the PIN contains at least one digit more than once. The phone’s exact PIN isn’t immediately clear in these cases, but it can be guessed in three or fewer tries. And if there’s only one heat trace, the attacker knows the PIN is just one digit repeated four times. (In 2011, researchers at the University of California in San Diego used a similar approach to guess at ATM PIN numbers.)

Source: The Atlantic


Baba Yaga
They have also done a theoretical study on card readers. There was a demo at DEFCON. You can read the numbers pressed on a card reader with an infrared camera. Based on the order they are pressed, they show as hotter or cooler. So you don't even need to guess. You then just need to pickpocket your target.

In the UK and Europe, you get 3 tries at the PIN and it locks your card. Not sure of North America, but I assume it's the same or similar security. Thus, you can't afford to guess at 4 digits, as there are 24 possible combinations of 4 known digits. Which is why you need an infrared image processor sensitive enough to differentiate between buttons pressed within 500 ms to like 750 ms apart. That or stand behind old people :p
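To put numbers on the two leakage cases discussed above (the article's "four traces of different temperatures" and the reply's "24 possible combinations of 4 known digits" against a 3-try lockout), here is a small risk-quantification model. It is an added example, not code from the article, the researchers or anyone in this thread. It assumes the only information taken from a thermal image is the order in which the distinct keys were last touched (coolest first), and that a smudge image reveals only the set of keys touched; the sample PINs are constructed. Because the thermal case here uses ordering alone, its counts are an upper bound on what an attacker with additional cues would face.

```python
from itertools import product

PIN_LENGTH = 4
LOCKOUT_BUDGET = 3  # tries before the card/phone locks, per the reply above (assumed value)


def last_touch_order(pin):
    """Order in which the distinct keys were LAST pressed, coolest first.

    A key pressed twice has only its later press reflected in the heat
    trace, so this ordering is the only information the thermal model uses.
    """
    last_index = {}
    for position, digit in enumerate(pin):
        last_index[digit] = position
    return tuple(sorted(last_index, key=last_index.get))


def consistent_pins(observed_order, pin_length=PIN_LENGTH):
    """All PINs of the given length whose last-touch ordering matches the
    observed (coolest-to-warmest) ordering of distinct keys.

    With four distinct traces exactly one PIN fits; with fewer traces the
    repeated key is unknown and several PINs remain.
    """
    keys = tuple(observed_order)
    return [
        "".join(candidate)
        for candidate in product(keys, repeat=pin_length)
        if last_touch_order(candidate) == keys
    ]


def smudge_only_count(distinct_keys, pin_length=PIN_LENGTH):
    """Candidate count when only the SET of touched keys is known (the
    smudge-attack case): every ordering, including repeats, remains."""
    wanted = set(distinct_keys)
    return sum(
        1
        for candidate in product(sorted(wanted), repeat=pin_length)
        if set(candidate) == wanted
    )


def within_lockout(observed_order, budget=LOCKOUT_BUDGET):
    """True if the thermal ordering leaves no more candidates than the
    lockout budget allows, i.e. the PIN falls without any real guessing."""
    return len(consistent_pins(observed_order)) <= budget


if __name__ == "__main__":
    # Constructed observations: the distinct keys seen, coolest first.
    for order in ("3178", "317", "37", "7"):
        thermal = len(consistent_pins(order))
        smudge = smudge_only_count(order)
        print(f"keys {order}: smudge-only {smudge:>2} candidates, "
              f"thermal ordering {thermal:>2}, "
              f"fits {LOCKOUT_BUDGET}-try lockout: {within_lockout(order)}")
```

Running it shows the point both posts make: with four distinct keys the smudge image leaves 24 orderings while the thermal ordering leaves exactly one, so the card's three-try lockout is no protection at all. With repeated digits the ordering alone leaves more candidates than three tries (six for three distinct keys, seven for two), which is why a PIN with a repeated digit resists this particular model better than one with four distinct digits.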