New research warns that criminals can extract a smartphone PIN directly from the screen using the heat signature left behind by a user's fingers.
The research shows that thermal imaging can reveal which parts of the screen were tapped or swiped, even when the device has been left untouched for 30 seconds.
A team of computer scientists from the University of Stuttgart and Ludwig Maximilian University will present the research paper at an upcoming conference in the U.S.
How the Thermal Attack Works
The paper, Stay Cool! Understanding Thermal Attacks on Mobile-based User Authentication, explains how this new threat has emerged as thermal cameras become more ubiquitous and affordable.
"During a thermal attack, a thermal camera operating in the far infrared spectrum captures the heat traces left on the surface of a mobile device after authentication. These traces are recovered and used to reconstruct the password," the report notes.
The paper adds that, unlike smudge attacks, thermal attacks can also leak the order in which a PIN or pattern was entered: the heat spots left by a finger fade over time, so the most recently touched key is the warmest and the first key the coolest.
Once the thermal image is captured, software converts it to grey-scale and removes background noise. The remaining heat spots are then extracted from the image and mapped onto the keypad to reveal the secret code.
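The processing chain the paper describes (grey-scale conversion, background removal, heat-spot extraction, and ordering by residual warmth) can be shown on a toy frame. The code below is an added illustration, not the researchers' tooling: the keypad geometry, the ambient temperature, the per-tap cooling rate and the noise level are all assumptions made up here, and the "thermal frame" is a constructed 2D array rather than a real camera capture.

```python
"""Added illustration (not the researchers' code): toy thermal-trace
reconstruction over a constructed grey-scale frame of a 3x4 phone keypad.
All geometry, temperatures and noise levels are assumptions made up here."""
import random
import statistics

# Assumed keypad layout: 4 rows x 3 columns, each cell CELL px square.
KEYS = [["1", "2", "3"], ["4", "5", "6"], ["7", "8", "9"], ["*", "0", "#"]]
CELL = 20
ROWS, COLS = 4, 3
HEIGHT, WIDTH = ROWS * CELL, COLS * CELL


def cell_of(digit):
    """Row/column of a key label on the assumed keypad."""
    for r, row in enumerate(KEYS):
        if digit in row:
            return r, row.index(digit)
    raise ValueError(digit)


def synthesize_frame(pin, decay=0.12, noise=0.05, seed=1):
    """Constructed far-infrared frame: ambient level 0.3 plus uniform noise,
    and one warm blob per pressed key. Earlier presses have cooled more, so
    residual heat drops by `decay` for each position before the last one.
    A repeated digit simply re-warms the same cell (the ambiguity the paper
    reports for PINs with duplicate digits)."""
    rng = random.Random(seed)
    frame = [[0.3 + rng.uniform(-noise, noise) for _ in range(WIDTH)]
             for _ in range(HEIGHT)]
    n = len(pin)
    for i, d in enumerate(pin):
        r, c = cell_of(d)
        heat = 1.0 - decay * (n - 1 - i)  # last key pressed is the warmest
        cy, cx = r * CELL + CELL // 2, c * CELL + CELL // 2
        for y in range(cy - 5, cy + 6):
            for x in range(cx - 5, cx + 6):
                frame[y][x] = max(frame[y][x], heat)
    return frame


def to_greyscale(frame):
    """Step 1: map the raw frame onto 0..255 grey levels."""
    lo = min(min(row) for row in frame)
    hi = max(max(row) for row in frame)
    span = (hi - lo) or 1.0
    return [[int(255 * (v - lo) / span) for v in row] for row in frame]


def remove_background(grey):
    """Step 2: subtract the median pixel value (the ambient screen
    temperature) so that only residual finger heat survives."""
    flat = [v for row in grey for v in row]
    ambient = statistics.median(flat)
    return [[max(0, v - ambient) for v in row] for row in grey]


def cell_scores(residual):
    """Step 3: mean residual heat inside each keypad cell."""
    scores = {}
    for r in range(ROWS):
        for c in range(COLS):
            vals = [residual[y][x]
                    for y in range(r * CELL, (r + 1) * CELL)
                    for x in range(c * CELL, (c + 1) * CELL)]
            scores[KEYS[r][c]] = sum(vals) / len(vals)
    return scores


def recover_pin(frame, threshold=15):
    """Grey-scale, denoise, pull out the heat spots, then order them
    coldest-first, because heat left by earlier taps has faded the most.
    Returns the reconstructed entry order as a string. A repeated digit
    collapses into a single spot, so the result can be shorter than the
    real PIN; the threshold is an assumed cut between noise and a touch."""
    scores = cell_scores(remove_background(to_greyscale(frame)))
    touched = [(s, k) for k, s in scores.items() if s > threshold]
    return "".join(k for _, k in sorted(touched))


if __name__ == "__main__":
    print(recover_pin(synthesize_frame("2580")))  # ordered reconstruction
    print(recover_pin(synthesize_frame("1123")))  # duplicate digit lost
```

The ordering step is what separates this from a smudge attack: the same four spots would be found on a smudged screen, but only the thermal residue says which one was pressed last. The second call shows the limitation the researchers note for duplicate digits: two presses of the same key leave one spot, so the recovered string has only three digits and the attacker must guess where the repeat sits.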
The report also found that if the thermal image is captured within 15 seconds of the PIN being entered, the attack succeeds almost 90% of the time.
At 30 seconds, accuracy falls slightly to about 80%. At 45 seconds or more, it drops to 35% or below.
How Can the Attack Be Prevented?
The researchers note that PINs remain vulnerable even when they contain duplicate digits (the attack still succeeds more than 72% of the time), whereas patterns that overlap themselves cut the success rate of thermal attacks from 100% to 16.67%.
Another way to avoid the attack is to rest your whole hand on the screen while or after typing in your PIN.
This leaves a spread of random heat traces across the screen, masking any identifiable pattern.
The researchers also advise turning up the display brightness: this raises the screen temperature and shortens the time for which the passcode remains thermally visible.