Stephen November 28, 2005 11:56 AM

Of course, I can just use a $.50 glass rod to punch in my combination to make your $5000 investment in an IR camera worthless.

I have my doubts as to the length of time the digits would remain readable as, in the “proof” thermogram, the first digit has almost faded in only a minute.

Vicki November 28, 2005 12:02 PM

Of course this can be defeated, as Stephen says–but only if the legitimate users of the keypad are aware of the issue, and remember to take care. As the linked article says, this is something to take into account in security planning.

For example, if you want users to use a 50-cent glass rod to enter their combinations, it’s a good idea to provide one at the point of entry. If it’s “just use your housekeys,” people won’t, because it’s simpler not to and because that doesn’t provide any sense of urgency.

antibozo November 28, 2005 12:14 PM

This is a well-known attack, and is the reason advanced keypads (with display keycaps) scramble the layout each time they are used.

But everyone already knows this.

Frosty November 28, 2005 12:25 PM

Neat trick if you have $5000 laying around.

Now how about one of those $150 remote-sensing thermometers, where the digital display shows the surface temperature of wherever the laser-dot is resting. Easily available at Fry’s or other electronics stores.

The idea is not to use them as an imaging device, but as a distant temperature-sensitive “finger”, which the attacker moves from button to button in a manual scan.

The absolute accuracy doesn’t need to be that good, as long as the precision and minimum resolvable temp-difference is decent, say 0.1 F.

And even if you don’t get all the digits, or the correct sequence, you’ve still turned it into a much smaller problem than 10-to-the-(number-of-digits).

Jason November 28, 2005 12:28 PM

I suspect the scrambling is meant to fight wear marks and fingerprint patterns as well.

For the thermal imaging issue directly, I can think of two comparatively simple solutions: change the materials used in the keys, or warm them.

Mike Sherwood November 28, 2005 12:31 PM

I wouldn’t really consider this safe cracking. It requires physical access to the safe within a few minutes of legitimate access. Are there a lot of cases where safes are installed in public view where this attack could be applied? I can’t think of any cases I’ve seen where this is true.

It’s an interesting use of technology to demonstrate a vulnerability, but I doubt this would constitute a serious threat.

Aze. November 28, 2005 12:38 PM

This attack is more interesting for coded doors in public places than safes. Does keypad scrambling always happen at the moment the next person starts typing, or can I get a visual image before they arrive and a thermal one after they leave?

Isn’t resting fingers on random keys before, during and after typing the simplest/cheapest countermeasure?

Anonymous November 28, 2005 12:41 PM

I do think this is a serious threat, especially on ATMs in combination with other techniques (dust on the keypad, hidden camera, magnetic strip snooping). It’s all part of the enumeration phase.

Ben November 28, 2005 12:43 PM

Not every bank employee is supposed to have the combination to the vault. And I know I’ve seen keypads next to “secure” doors in public areas of airports. So you can talk all you want about cases in which it doesn’t work. But it is easy to see plenty where it would be a viable attack.

antibozo November 28, 2005 12:50 PM

Of course there’s a suitable attack for any access control system. My point is that this attack is so well known that there is equipment mass marketed to defeat it. The author’s presentation is nicely done and pretty to look at, but he appears to be totally unaware that you can just buy a scrambling keypad to defeat his attack. This attack is so well known that I’m pretty sure I’ve seen it on prime time television (Alias, perhaps).

Note that scrambling keypads are less convenient to use, and make codes harder to recall because they eliminate the visual/geometric mnemonic aspect of traditional keypads, so apart from cost, the inconvenience may account for the relative disuse of scrambling keypads.

Ari Heikkinen November 28, 2005 1:10 PM

Well, I thought this was one of the standard “side channel” attacks when it comes to keypads, among all the others everyone’s seen on MacGyver and the like on TV.

Unixronin November 28, 2005 1:35 PM

I’ll bet this attack could be defeated by the following trivial method:

  1. Enter the combination.
  2. Open the door.
  3. Hold your palm flat on the keypad for ten seconds.

xtu November 28, 2005 1:54 PM

The way I read this, the author seems to be rather aware this is not something others have never thought of, and he seems to mention countermeasures. Matter of fact is that this can be easily attempted in many public places, and this does not seem to be taken seriously in most cases (say, airports, bank branches).

Also, weren’t scrambling keypads developed to make it harder to analyze fingerprints or key wear patterns, and this had nothing to do with thermal imaging as such?

greg November 28, 2005 1:55 PM

What about an old-fashioned dial lock (sorry, I don’t know the proper name)? Most safes I have seen use the electronic bit to start the time delay to release the dial lock. Then you put in the dial lock combination.

antibozo November 28, 2005 2:01 PM

“weren’t scrambling keypads developed to make it harder to analyze fingerprints or key wear patterns”

They were developed to make it harder to analyze any physical residue of access. This includes not only thermal imaging but any form of marking, e.g. surreptitious fluorescent dye as shown in the film “National Treasure”.

David November 28, 2005 3:46 PM

How about doing the opposite. Get invisible ink on the person who is going to open the safe. Voila.

Sorry, but this is movie stuff (National Treasure ring a bell?), not real safe cracking.

David November 28, 2005 3:49 PM

Forgot to mention:

What happens if you use the same number twice? Ooops.. there goes the whole scheme.

James November 28, 2005 5:01 PM

Way more tech than you need.

I used to work in a building that had a keypad at one of the side doors. The pad was covered with a plastic layer for weather proofing. There was obvious excess wear on four of the keys. Needless to say, it didn’t take very many tries to find the combo.

If the pad were new, however, the wear would have been less apparent. So, I’d have had to smear a smooth layer of grease over it, wait for someone to use it, and look for tracks.

Tim Vail November 28, 2005 7:13 PM

Eh…what about someone like me who likes to “type” the keys. It might be marginally less effective since all the middle 3 keys would be warmed up due to my fingers resting on it like it was a home row.

Roger November 28, 2005 7:23 PM

A few comments:
  • “What happens if you use the same number twice?”
    The author, Michal Zalewski, mentions this complication. Usually, it will require you to enter some number of trial combinations, but still far fewer than random guessing. For example, if a combination is 5-9-5, the imager shows that 9 and 5 were pressed, and 5 was pressed last/most. Assuming we know it is probably 3 digits, that allows the combinations 9-9-5, 9-5-5 and 5-9-5. Maaaybe also 5-5-9 if the double press warmed it up enough to still be brighter later. That gives three or four guesses instead of 1,000. Exactly how much depends on the length of the sequence and the number of duplicates.

A possible target mentioned by Zalewski is an ATM keypad. However I would imagine that this is greatly complicated by the subsequent entry of other numeric keys when requesting a withdrawal or transfer. It might be worth noting that this is more of a threat to ATMs when only requesting, say, account balances or other actions which do not require subsequent entry of numerals. (On the other hand, plain old shoulder surfing is a far more serious threat to most users of ATMs.)

  • “This is a well known attack”.
    True, the fact that keypads could be attacked by analysing various physical residues has been known for quite a long time, probably as long as keypads have been used for security applications. At any rate, the “paint worn off the most used buttons” attack is blindingly obvious to anyone using such a system. However this is the first time I’ve seen hard data on actually mounting a thermal attack. To me, getting actual measurements from real equipment is a lot more interesting than seeing an “artistic interpretation” on “Alias”. And as Zalewski puts it “But most of all, I just wanted to share ;-)”. I like that!
  • “You can buy scrambling keypads which are designed to defeat this sort of attack”.
    You know, I’ve used a whole bunch of security keypads, including in some pretty sensitive locations, and I’ve HEARD of scrambling keypads, and even seen one in a catalogue, but I’ve never actually encountered one. Part of this is no doubt the price — around USD $400, when a generic matrix keypad is about USD $20. Another part is that the threat is probably not perceived as very high, usually because access to the keypad itself is fairly restricted. For example, one of the most common security keypads would be in domestic and light commercial burglar alarm controllers. The threat of a tracing powder is not seen as very high because the opponent has to enter an alarmed area before even accessing the keypad to apply it. Even if he manages to apply it during business hours, he then has all of about ten seconds to analyse the results — and a tracing powder doesn’t give you the order in which the keys were pressed, so for a typical 4 digit PIN he has to do 24 trials.

I think using a thermographic camera instead of a tracing agent raises the risk considerably. It doesn’t require prior access to the keypad, but can be done within the 10 second PIN entry window (provided the intruder re-enters within ~10 minutes of the alarm arming). Additionally, it gives the sequence of presses, so if there are no duplicate digits you get the complete PIN in one go, and it doesn’t even require close access to the keypad (Zalewski says as much as 10 metres away), so you may be able to analyse an ambiguous result before even entering the controlled area. In any scenario where it is worthwhile spending a couple of hundred bucks to hire a thermographic camera, this attack almost completely defeats domestic and light commercial burglar alarm controllers. (One obvious countermeasure in this case is to require the monitoring company to do a callback anytime the alarm is disarmed within 15 minutes of being set. Many monitoring companies already offer a callback service to check unusual disarmings. However this may not help if the intruder is able to check the keypad from a distance without triggering the alarm, then later return to enter the PIN.)

  • “Neat trick if you have $5000 laying around.” Note that because these devices are somewhat expensive, and most users only require them somewhat infrequently, they are available for hire (generally on a weekly basis), and there is also a significant second hand market. I don’t know what prices are like for rental because they all seem to want you to speak to their sales droids to find out 8^P. However reasonable rental prices are often somewhere around 2 ~ 5% of purchase price per week, call it $100 ~ $250 per week as a guesstimate.

Anyway if you do try this out with the remote thermometer, I’m sure we’d be very grateful if you would post your results.

  • “Sorry, but this is movie stuff (National Treasure ring a bell?), not real safe cracking.”
    I saw a fire on a movie once. Does that mean I don’t need a smoke alarm? When Bruce talks about “movie plot threats” he means (and please correct me if I misrepresent you here, Bruce) focusing on specific dramatic scenarios at the expense of developing an overall integrated security analysis. So if I spend hundreds of dollars getting a scrambling keypad for my office burglar alarm and ignore the fact that two guys who were fired for stealing already know the PIN, then I would be doing movie plot threats. That doesn’t mean that attacks requiring some special skills or equipment are fantastical, never occur, and do not even need to be considered in your analysis. They are just less common. Whenever there is a scent of lots of money in the air, crooks really are prepared to go to extraordinary measures to get it (some of them would probably be very wealthy if they invested the same energy in honest work!). For example, the fact is that some real safe crackers really do use portable backscatter X-ray machines to attack combination locks, and backscatter X-ray machines are much more expensive than thermographic cameras (they start around USD $50,000).

Finally, it occurred to me to brainstorm a few types of keypads (not necessarily numeric) that might be subject to this attack, and a few countermeasures.

* Automatic teller machines
* EFTPOS machines
* Cell phone keypads (used to enter PIN to access the phone)
* Landline telephone keypads (used to enter phone banking PIN)
* Electronic security door access controllers
* Mechanical digital door locks (e.g. Simplex or Codelock)
* Mechanical digital keysafes
* Electronic safes (domestic, commercial overnight safes, hotels, banks, IT department backup storage, …)
* Anti-holdup commercial cash drop boxes
* Burglar alarm controllers
* Computer keyboards (used to enter passwords of various types)
* Smart cards with buttons for PIN entry (e.g. RB-1 PIN Pad Token)
* Nuclear weapon PAL arming codes

Countermeasures useful against many attacks:
* Use scrambling keypads (but cost around 20 times more!).
* One-time PINs/passwords.
* Restrict access to area where keypad is mounted, permanently.
* User brings his own keypad and removes after use (e.g. key entry smart cards) BUT it must be secured on the person after use.

Countermeasures useful against several attacks:
* Press multiple keys randomly, or press whole palm on keypad, after entering PIN (but this is only likely to be done by very security conscious persons).
* Enforce pressing of multiple keys after PIN entry, as part of access protocol.
* Obscure view to keypad with IR opaque material so proximity is required to mount attack (the view to the keypad should be obscured anyway, to prevent simple shoulder surfing, and many common opaque materials are also IR opaque).
* Securely cover keypad until a token is presented (formerly common on ATMs as an anti-vandalism measure)

Countermeasures specific to thermal imaging:
* Press keys through insulation, e.g. wear gloves, or someone else suggested a glass rod. (Only likely to be done by security conscious users.)
* Restrict access to area where keypad is mounted, for a minimum of 15 minutes after use.
* Preheat keys to skin temperature (might be useful anyway in cold environments, possibly occurs automatically with laptops).
* Cool keys more rapidly after use (internal fan?)
* Randomly vary key temperature.
* Make keys from a material with a lower IR emissivity.
* Create glare by surrounding keys with a strong emitter in the relevant band (LEDs, or just a high emissivity material with a small heater).
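Roger’s duplicate-digit arithmetic above (three candidates for 5-9-5, 24 trials when a tracing powder reveals four distinct digits but not their order), and Frosty’s remark that a partial observation leaves a problem much smaller than 10^(number of digits), can be put into one formula. The following is an added illustration written for this thread, not code from Zalewski’s write-up or from any commenter. It counts how many PIN sequences remain consistent with a residue observation, which is the number a defender needs when deciding how many wrong attempts a keypad may accept before locking out. The function names and the lockout helper are my own; the inclusion-exclusion count is the standard surjection formula.

```python
"""How large is the remaining PIN search space after a residue observation?

Added example for this discussion (not from the original post or comments).
The three observation models follow the thread:
  - tracing powder / key wear: the set of pressed keys is known, order is not;
  - thermal imaging:            the set is known and the last key pressed is
                                identifiable as the warmest;
  - keys touched afterwards:    residue is on more keys than were pressed, so
                                nothing can be excluded.
"""
from math import comb


def remaining_candidates(pin_len, observed_keys, last_key=None, every_key_used=True):
    """Count PIN sequences of length pin_len consistent with the observation.

    observed_keys   keys that show residue (a set; order unknown)
    last_key        key identified as pressed last (e.g. brightest thermally), or None
    every_key_used  True if the observed set is exactly the set of keys pressed
                    (a fresh keypad); False if residue covers keys that were not
                    part of the PIN (e.g. the user palmed the whole pad afterwards)
    """
    keys = set(observed_keys)
    k = len(keys)
    if k == 0 or pin_len <= 0:
        return 0
    if last_key is not None and last_key not in keys:
        return 0  # inconsistent: the "last" key shows no residue
    if not every_key_used:
        # Any sequence drawn from the observed keys fits; fixing the last
        # position removes one free digit.
        return k ** (pin_len - 1) if last_key is not None else k ** pin_len
    if k > pin_len:
        return 0  # inconsistent: more distinct keys than digits in the PIN
    if last_key is None:
        # Sequences of length pin_len that use every one of the k keys at least
        # once: the number of surjections, by inclusion-exclusion.
        return sum((-1) ** j * comb(k, j) * (k - j) ** pin_len for j in range(k + 1))
    # Last position is fixed to last_key; the other pin_len-1 positions may use
    # any observed key but must between them cover the remaining k-1 keys.
    return sum((-1) ** j * comb(k - 1, j) * (k - j) ** (pin_len - 1) for j in range(k))


def reduction_factor(pin_len, observed_keys, **kw):
    """How many times smaller the search space is than blind guessing (10**pin_len)."""
    n = remaining_candidates(pin_len, observed_keys, **kw)
    return 10 ** pin_len / n if n else float("inf")


def defeats_lockout(pin_len, observed_keys, max_attempts, **kw):
    """True if every remaining candidate can be tried before the keypad locks.

    max_attempts is the number of wrong entries the controller tolerates; a
    defender uses this to see whether a given lockout policy still holds once
    residue information is assumed to leak.
    """
    n = remaining_candidates(pin_len, observed_keys, **kw)
    return 0 < n <= max_attempts


if __name__ == "__main__":
    # Roger's 5-9-5 example: thermal imaging shows {5, 9}, 5 pressed last -> 3
    print(remaining_candidates(3, {5, 9}, last_key=5))
    # Tracing powder on a 4-digit PIN with four distinct digits -> 4! = 24
    print(remaining_candidates(4, {1, 2, 3, 4}))
    # User touched every key afterwards: nothing is learned -> 10**4
    print(remaining_candidates(4, range(10), every_key_used=False))
    # Would a 3-wrong-attempt lockout still hold against the powder case?
    print(defeats_lockout(4, {1, 2, 3, 4}, max_attempts=3))
```

The formula generalises Roger’s two worked numbers: with distinct digits and full order information the count is 1, with the set alone it is the factorial, and repeated digits fall in between. The `every_key_used=False` branch quantifies B-Con’s and Unixronin’s countermeasure of pressing extra keys: once residue covers the whole pad the observation excludes nothing.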

B-Con November 28, 2005 8:44 PM

“Funnily enough, the computer game “Splinter Cell” involved this trick.”

You have to hand it to them, they did a good job with it, although the heat does fade a tad fast.

“* Automatic teller machines.”

That was the first thing that sprang to mind for me, as far as practical attacks. Simply getting in line behind the only person at an outdoor, secluded ATM (yes, they exist), and using the thermal-imaging system, or even just a remote thermometer, to get the password, then stalking the guy who just finished his transaction, waiting for an opportune moment to grab his/her card.

“I wouldn’t really consider this safe cracking. It requires physical access to the safe within a few minutes of legitimate access. Are there a lot of cases where safes are installed in public view where this attack could be applied? I can’t think of any cases I’ve seen where this is true.”

You’re assuming that the attack is coming from the outside. What about in a business where one (or more) employees are responsible for handling safe contents. Another employee working alongside them could simply wait for the first employee to do what they need to, then jump in and get a quick heat reading from the keypad once the first guy has left.

Me personally: I plan to touch all the keys on the pad, then rapidly enter my PIN, taking care to create a PIN that reuses at least one number and is at least 6 digits long. (My current one is 12, but they tell me that this isn’t a good idea because not all locations have machines that can handle the full 12 digits. Bah.)

Terry Karney November 29, 2005 2:37 PM

My ATM uses hard plastic keys, and a touch screen.

Assuming a four digit code (which is what my bank wants, though I made them let me have a five digit code, which means I can’t withdraw money from out of country, which isn’t a big deal to me, as it means no one else can if they steal my wallet) I wonder how much information (since the keys are also fairly flat) is still available after I finish my transaction ritual, which has me at the screen for about three minutes after I enter my code.

Karsten W. Rohrbach November 30, 2005 11:00 AM

When you have a 4-digit code, it would make sense to embed it in a longer code, say 8 digits, and require its exact position in that code via a display mounted directly to the keypad unit.

So your PIN is “1234” and the teller machine asks you to enter “472****1”, the next time it will ask you for “****2956” and so on.

Shouldn’t be too hard to implement and would eliminate “over the shoulder” spying on entered PIN numbers. You can limit a one line numeric display in several very good ways in terms of angle of view and such.
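Karsten’s masked-entry scheme is small enough to write out. The following is an added example for this thread, not code from any commenter or from a real teller machine: the controller issues a template such as `472****1`, the user types the shown digits where they appear and the PIN in place of the asterisks, and the controller checks the whole 8-digit entry with a constant-time comparison. The function names, the fixed 8-digit entry length and the choice to keep the PIN positions contiguous (as in Karsten’s two examples) are my assumptions.

```python
"""Masked PIN entry: the PIN is typed inside a longer code whose padding digits
and PIN positions are shown on a display at the keypad.

Added example for this discussion, not code from the original post or comments.
Assumed parameters: 4-digit PIN, 8-digit entry, contiguous PIN positions.
"""
import secrets
from hmac import compare_digest

PIN_LEN = 4
ENTRY_LEN = 8


def make_template(rng=None):
    """Build a challenge such as '472****1'.

    '*' marks where the user types a PIN digit; every other position shows the
    padding digit the user must echo.  rng must provide randrange(); the
    default is the OS random source so padding cannot be predicted.
    """
    rng = rng or secrets.SystemRandom()
    start = rng.randrange(ENTRY_LEN - PIN_LEN + 1)  # where the PIN block sits
    chars = []
    for i in range(ENTRY_LEN):
        if start <= i < start + PIN_LEN:
            chars.append("*")
        else:
            chars.append(str(rng.randrange(10)))
    return "".join(chars)


def expected_entry(template, pin):
    """The exact 8-digit string a user with this PIN should type for the template."""
    if len(pin) != PIN_LEN or not pin.isdigit():
        raise ValueError("PIN must be %d digits" % PIN_LEN)
    if template.count("*") != PIN_LEN or len(template) != ENTRY_LEN:
        raise ValueError("malformed template")
    out = []
    pin_digits = iter(pin)
    for ch in template:
        out.append(next(pin_digits) if ch == "*" else ch)
    return "".join(out)


def verify(template, pin, entry):
    """Controller-side check of what the user typed against the issued template.

    Length and character-class checks come first so the compare never raises;
    compare_digest keeps the comparison time independent of where a wrong
    digit sits.  Each template is issued once, so the same PIN produces a
    different keystroke sequence every time (Karsten's point about
    over-the-shoulder observation of the keypad alone).
    """
    if len(entry) != ENTRY_LEN or not entry.isdigit():
        return False
    return compare_digest(expected_entry(template, pin), entry)


if __name__ == "__main__":
    # Karsten's two illustrations with PIN 1234.
    print(expected_entry("472****1", "1234"))  # 47212341
    print(expected_entry("****2956", "1234"))  # 12342956
    print(verify("472****1", "1234", "47212341"))  # True
    t = make_template()
    print(t, verify(t, "1234", expected_entry(t, "1234")))
```

As Karsten notes, the scheme only helps if the display is harder to observe than the keypad: anyone who sees both the template and the keystrokes recovers the PIN, so the viewing angle of the one-line display does the real work. Against the thermal residue discussed above it also spreads warmth over the padding digits, but the keys actually pressed are still the keys that warm up.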

The Thermographer December 1, 2005 1:55 PM

The “Anti-Hack” for this is to manufacture the keys out of polished aluminum (Emissivity <0.05…meaning too reflective for Infrared imaging devices). If you design the keypad to be recessed in a ‘box’ that was also polished aluminum all the camera would see is a brilliant square with no keys and no ‘hot fingerprints’.

Owen December 16, 2005 11:23 AM

Ok, so thermal and wear examinations don’t work on scrambling keypads. What about the multitude of devices out there that already have cheap keypad locks? For example, Ford uses a 10-digit keypad with a 4-digit key entry system on many of its vehicles. While breaking into a car might not pay as much as safe cracking, it is much more likely to happen and you don’t need to target a specific instance since these devices are becoming quite common. The Ford keypads make the situation worse by having key surfaces that quickly show wear. While ATMs and safes are obvious points of attack, I guess I’m more concerned about the poor implementations of this type of lock that are vulnerable to a quick examination that requires no extra equipment.
