Criminals can extract a smartphone PIN directly from the screen using the heat signature left by a user’s fingers, warns new research.
A team of computer scientists from the University of Stuttgart and Ludwig Maximillian University has shown that thermal imaging techniques can reveal which parts of the screen were tapped or swiped, even if the device is left untouched for 30 seconds.
The research paper, Stay Cool! Understanding Thermal Attacks on Mobile-based User Authentication, which will be presented at an upcoming conference in the U.S., explains how this new threat to user privacy on mobile devices has emerged as thermal cameras become more ubiquitous and affordable.
‘During a thermal attack, a thermal camera operating in the far infrared spectrum, captures the heat traces left on the surface of a mobile device after authentication. These traces are recovered and used to reconstruct the password,’ the report notes.
Once the thermal image is captured, software is used to convert the data into greyscale and reduce background noise. The heat spots can then be pulled from the image to clearly indicate the secret code.
The report further revealed that if the thermal image is collected within 15 seconds of a PIN being entered, the technique is accurate almost 90% of the time. At 30 seconds, this accuracy decreased slightly to 80%. At 45 seconds or more, the accuracy dropped to 35% and below.
The researchers detailed that while PINs remained vulnerable even with duplicate digits (>72% success rate), overlapping patterns, as is common to Android devices, significantly decreased the success of thermal attacks from 100% to 16.67%.
A further way to avoid being hit by this attack, the researchers suggest, is to cover your screen with your whole hand when typing in your PIN. This creates a series of random heat traces across the screen, throwing off any identifiable patterns. They also advise that increasing the brightness of your display will push up the screen temperature and reduce the time thermal visibility of your passcode.