A few days ago I was able to get my fingers on, and under, an infrared camera. I had already heard before that the thermal signature of fingerprints is visible for quite some time — but what surprised me was that we were still able to see them for over a minute…
My brother in law was taking a few photos with a thermal imager (a Fluke Ti400) for a publication and was kind enough to also take a few pictures for me. I wanted to see how sensitive the camera is by testing it with an unused number pad I had lying around. We did not have much time, so the following series of pictures were taken without any preparation, free hand, with a cheap numeric pad on a sheet of paper. They were taken at room temperature (around 20°C; all temperatures are in degree Celsius). In the photos the hottest and coldest spots are highlighted. A red-green-blue gradient resembles the temperature distribution in each photo (and differs between them, just in case you’re wondering).
The first shot was taken from the numeric pad before touching it.
I started keying in a random four digit number: 1-5-6-9. And no, it is not one of my PINs… 🙂 I tried to enter the numbers with normal speed and pressure, just as I would on an ATM.
Right after entering the four numbers the thermal signature (my fingerprints) were clearly visible. The correct sequence itself (1-5-6-9) is not really readable on the image. But already having the four digits reduces the number of possible combinations (here: 4! = 24) someone would have to try out to find the correct combination.
This photo really surprised me: after about 1 1/2 minutes there were still thermal traces visible – enough to guess the numbers that were pressed.
Conclusion: I always try to shield my hand when entering my PIN at an ATM or at any other occasion someone might look over my shoulder. The photos I’ve taken clearly show that this precaution the might not be sufficient in the future. Smartphone attachments (like the FLIR ONE) exist that might be used right after you’ve entered your PIN. I think you are still pretty safe, at least on ATMs, as most of them only allow a limited (three) number of retries. But in case of access codes on doors (home, hotel, …) that might be different.
Interesting article!
This is a serious issue and can be really dangerous. Thermal cameras are increasingly becoming affordable (e.g. the flirone costs only 280 EUR).
I think a thermal attack wouldn’t work on ATM machines that use metallic surfaces; those would reflect the thermal image. But it’s still feasible at payment terminals (e.g. in supermarkets).
We recently published a paper about its feasibility on mobile devices. We uncovered PINs and lock patterns with very high accuracy. We also suggest ways to mitigate the attacks. You can read more about it here: http://www.mkhamis.com/projects.php?p=thermalattacks
Good point about the metallic surfaces – I only had limited time to play around with a plastic pad. And thanks for the link to your interesting publication. I only scratched the surface; related attacts will become much more feasible in the near future. I’m pretty sure we will hear about this via ‘regular’ news channels soon enough… — Kai