Schneier on Security

Roger • November 28, 2005 7:23 PM

A few comments:
* "What happens if you use the same number twice?"
The author, Michal Zalewski, mentions this complication. Usually, it will require you to enter some number of trial combinations, but still far fewer than random guessing. For example, if a combination is 5-9-5, the imager shows that 9 and 5 were pressed, and 5 was pressed last/most. Assuming we know it is probably 3 digits, that allows the combinations 9-9-5, 9-5-5 and 5-9-5. Maaaybe also 5-5-9 if the double press warmed it up enough to still be brighter later. That gives three or four guesses instead of 1,000. Exactly how much depends on the length of the sequence and the number of duplicates.

A possible target mentioned by Zalewski is an ATM keypad. However I would imagine that this is greatly complicated by the subsequent entry of other numeric keys when requesting a withdrawal or transfer. It might be worth noting that this is more of a threat to ATMs when only requesting, say, account balances or other actions which do not require subsequent entry of numerals. (On the other hand, plain old shoulder surfing is a far more serious threat to most users of ATMs.)

* "This is a well known attack".
True, the fact that keypads could be attacked by analysing various physical residues has been known for quite a long time, probably as long as keypads have been used for security applications. At any rate, the "paint worn off the most used buttons" attack is blindingly obvious to anyone using such a system. However this is the first time I've seen hard data on actually mounting a thermal attack. To me, getting actual measurements from real equipment is a lot more interesting than seeing an "artistic interpretation" on "Alias". And as Zalewski puts it "But most of all, I just wanted to share ;-)". I like that!

* "You can buy scrambling keypads which are designed to defeat this sort of attack".
You know, I've used a whole bunch of security keypads, including in some pretty sensitive locations, and I've _HEARD_ of scrambling keypads, and even seen one in a catalogue, but I've never actually encountered one. Part of this is no doubt the price -- around USD $400, when a generic matrix keypad is about USD $20. Another part is that the threat is probably not perceived as very high, usually because access to the keypad itself is fairly restricted. For example, one of the most common security keypads would be in domestic and light commercial burglar alarm controllers. The threat of a tracing powder is not seen as very high because the opponent has to enter an alarmed area before even accessing the keypad to apply it. Even if he manages to apply it during business hours, he then has all of about ten seconds to analyse the results -- and a tracing powder doesn't give you the order in which the keys were pressed, so for a typical 4 digit PIN he has to do 24 trials.

I think using a thermographic camera instead of a tracing agent raises the risk considerably. It doesn't require prior access to the keypad, but can be done within the 10 second PIN entry window (provided the intruder re-enters within ~10 minutes of the alarm arming). Additionally, it gives the sequence of presses, so if there are no duplicate digits you get the complete PIN in one go, and it doesn't even require close access to the keypad, (Zalewski says as much as 10 metres away), so you may be able to analyse an ambiguous result before even entering the controlled area. In any scenario where it is worthwhile spending a couple of hundred bucks to hire a thermographic camera, this attack almost completely defeats domestic and light commercial burglar alarm controllers. (One obvious countermeasure in this case is to require the monitoring company to do a callback anytime the alarm is disarmed within 15 minutes of being set. Many monitoring companies already offer a callback service to check unusual disarmings. However this may not help if the intruder is able to check the keypad from a distance without triggering the alarm, then later return to enter the PIN.)

* "Neat trick if you have $5000 laying around." Note that because these devices are somewhat expensive, and most users only require them somewhat infrequently, they are available for hire (generally on a weekly basis), and there is also a significant second hand market. I don't know what prices are like for rental because they all seem to want you to speak to their sales droids to find out 8^P. However reasonable rental prices are often somewhere around 2 ~ 5% of purchase price per week, call it $100 ~ $250 per week as a guesstimate.

Anyway if you do try this out with the remote thermometer, I'm sure we'd be very grateful if you would post your results.

* "Sorry, but this is move stuff (National Treasure ring a bell?), not real safe cracking."
I saw a fire on a movie once. Does that mean I don't need a smoke alarm? When Bruce talks about "movie plot threats" he means (and please correct me if I misrepresent you here, Bruce) focussing on a specific dramatic scenarios at the expense of developing an overall integrated security analysis. So if I spend hundreds of dollars getting a scrambling keypad for my office burglar alarm and ignore the fact that two guys who were fired for stealing already know the PIN, then I would be doing movie plot threats. That doesn't mean that attacks requiring some special skills or equipment are fantastical, never occur, and do not even need to be considered in your analysis. They are just less common. Whenever there is a scent of lots of money in the air, crooks really are prepared to go to extraordinary measures to get it (some of them would probably be very wealthy if they invested the same energy in honest work!). For example, the fact is that some real safe crackers really do use portable backscatter X-ray machines to attack combination locks, and backscatter X-ray machines are much more expensive than thermographic cameras (they start around USD $50,000).

Finally, it occurred to me to brainstorm a few types of keypads (not necessarily numeric) that might be subject to this attack, and a few countermeasures.

Keypads:
* Automatic telling machines
* EFTPOS machines
* Cell phone keypads (used to enter PIN to access the phone)
* Landline telephone keypads (used to enter phone banking PIN)
* Electronic security door access controllers
* Mechanical digital door locks (e.g. Simplex or Codelock)
* Mechanical digital keysafes
* Electronic safes (domestic, commercial overnight safes, hotels, banks, IT department backup storage, ...)
* Anti-holdup commercial cash drop boxes
* Burglar alarm controllers
* Computer keyboards (used to enter passwords of various types)
* Smart cards with buttons for PIN entry (e.g. RB-1 PIN Pad Token)
* Nuclear weapon PAL arming codes

Countermeasures useful against many attacks:
* Use scrambling keypads (but cost around 20 times more!).
* One-time PINs/passwords.
* Restrict access to area where keypad is mounted, permanently.
* User brings his own keypad and removes after use (e.g. key entry smart cards) BUT it must be secured on the person after use.

Countermeasures useful against several attacks:
* Press multiple keys randomly, or press whole palm on keypad, after entering PIN (but this is only likely to be done by very security conscious persons).
* Enforce pressing of multiple keys after PIN entry, as part of access protocol.
* Obscure view to keypad with IR opaque material so proximity is required to mount attack (the view to the keypad should be obscured anyway, to prevent simple shoulder surfing, and many common opaque materials are also IR opaque).
* Securely cover keypad until a token is presented (formerly common on ATMs as an anti-vandalism measure)

Countermeasures specific to thermal imaging:
* Press keys through insulation, e.g. wear gloves, or someone else suggested a glass rod. (Only likely to be done by security conscious users.)
* Restrict access to area where keypad is mounted, for a minimum of 15 minutes after use.
* Preheat keys to skin temperature (might be useful anyway in cold environments, possibly occurs automatically with laptops).
* Cool keys more rapidly after use (internal fan?)
* Randomly vary key temperature.
* Make keys from a material with a lower IR emissivity.
* Create glare by surrounding keys with a strong emitter in the relevant band (LEDs, or just a high emissivity material with a small heater).