ATMs open to thermal imaging attack, researchers confirm

Researchers have documented a method for working out ATM PIN numbers using residual traces of heat left on keypads after they have been touched by a person’s fingers.

The technique described (note: slow download) by Keaton Mowery, Sarah Meiklejohn and Stefan Savage of the University of California at San Diego explains how a thermal imaging camera could be used to visually record the heat left on each key as a way of snooping PINs.

Using this simple principle it would be possible to record the numbers entered, including their exact order (more recent keypresses appearing as warmer), for up to a minute after they are entered. Even without being able to detect the precise order of the PIN entered, just knowing which four numbers were involved would reduce the number of PINs from 10,000 combinations to only 24.

According to the researchers, if used in large-scale attacks the technique would in some cases outperform the tradition criminal method of shoulder-surfing PINs or recording them from a distance.

The limitations of the attack included the weight with which the keys were pressed by a user (only heavier presses left enough heat) and the material from which it was made with plastic keypads relatively easy to detect and metal ones resisting the attack.

“Based on our current results, the obvious approach to prevent our (and essentially any thermal-camera-based) attack would be to use metal keypads exclusively,” conclude the researchers.

The air temperature culd also play a part in the success of detecting keypresses on metal ATM keypads, which could reduce the security advantage of using this defence in some circumstances.

The research (credit to Chester Wisniewski of Sophos for noticing it on USENIX) was inspired by a 2005 study in which white hat researcher Michael Zalewski who tested the thermal imaging principle against safe keypad security.