Cheap thermal imagers can steal user PINs

A British infosec company has found that cheap thermal imaging accessories for smartphones can be used to glean personal identification numbers entered on push-button security devices on bank ATMs..

FLIR One for iOS thermal imaging attachment.

Thermal imaging devices used to be bulky and expensive, but Sec-Tec told iTnews they can now be bought cheaply as compact iPhone accessories - for instance, the FLIR One, which retails for US$249 (A$340).

The company tested several PIN pads in ATMs, locks and safes with the thermal imagers and found they could "leak" the digits entered by legimate users for longer than a minute after use.

Demonstration of thermal imaging attack on PIN pad. Source: Sec-Tec.

Sec-Tec said it had succeded in defeating two-factor door locks by combining the thermal imaging attack vector with radio-frequency identification (RFID) cloning equipment.

While it was easy to work out which keys were pressed, it was much harder to figure out the order in which they were entered, Sec-Tec. It devised two methods that assisted considerably in identifying the key ordering, butthe firm did not disclose them.

Even if the key press ordering is not identified, Sec-Tec said few devices have a lock-out mechanism to stop repeated PIN entries -  meaning it's easy to test all combinations of four-digit codes.

Preventing PIN disclosure through thermal imaging is relatively easy, the company said. Users can palm the keypad after use which, even after just a few seconds, makes thermal imaging attacks impossible.

Using metallic keys in PIN pads also defeats thermal imaging attacks, Sec-Tec said.