Thermal Keypad Combo Snooping

This is an interesting demo of how residual heat on a safe keypad can expose the key sequence. Using a hand-held thermal imaging device (not cheap), you can read which buttons on a keypad were pressed 5 to 10 minutes after the event from up to 10 meters away. Even though each key press is momentary, enough heat transfers to distinguish the pressed buttons in a thermal image. The sequence can be determined since the first button pressed has the least heat. This method breaks when buttons are reused in the sequence, but being able to see the unused keys still cuts down the number of possible permutations.

[thanks Mr. Mistoffolees]
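To put numbers on "cuts down the number of possible permutations", here is an added example (not from the original post or the researchers) that counts how many codes stay consistent with what a thermal image shows. The 10-key pad, the function names, and the model in which a reused key's heat reflects its most recent press are assumptions of this example.

```python
from itertools import product
from math import comb

KEYPAD = "0123456789"  # assumed 10-key numeric pad


def codes_using_exactly(n, k):
    """Length-n codes that press each of k known keys at least once.

    Inclusion-exclusion count of surjections from n positions onto k keys.
    """
    return sum((-1) ** j * comb(k, j) * (k - j) ** n for j in range(k + 1))


def codes_matching_heat_order(n, coolest_to_warmest):
    """Length-n codes consistent with an observed heat ranking.

    Model assumption: a key's residual heat reflects its most recent press,
    so the ranking fixes the order of each key's LAST occurrence.
    """
    keys = list(coolest_to_warmest)
    count = 0
    for code in product(keys, repeat=n):
        if set(code) != set(keys):
            continue  # every warm key must appear at least once
        last_seen = {d: i for i, d in enumerate(code)}  # final index per key
        if sorted(keys, key=last_seen.get) == keys:
            count += 1
    return count


def search_space(n, coolest_to_warmest):
    """Remaining candidates for a length-n code at three knowledge levels."""
    k = len(set(coolest_to_warmest))
    return {
        "no_observation": len(KEYPAD) ** n,
        "keys_known": codes_using_exactly(n, k),
        "keys_and_heat_order": codes_matching_heat_order(n, coolest_to_warmest),
    }


if __name__ == "__main__":
    # Constructed observations: four distinct warm keys, then only three.
    print(search_space(4, "1379"))
    print(search_space(4, "137"))
```

With four distinct keys the heat order leaves a single candidate; when one key is reused, six remain, so an attempt limit still matters even for codes with repeated digits.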

32 thoughts on “Thermal Keypad Combo Snooping”

  1. What material are these buttons made of? I’m guessing metal; otherwise the heat wouldn’t transfer into them after such a quick press. And metal makes a more impressive looking safe. Make them out of polystyrene and they won’t get warm so quickly (and they’ll last maybe ten presses … oh well).

    This looks like the lock they used:
    http://www.lagard.com/pages/index.asp?action=show_product&id=7

    A similar attack I noticed… a certain apartment building had a keypad with 3 very dirty digits; the rest were spotless.

  2. And webcam, etc. But I wonder if those are sensitive enough for this application. I would suspect not. Maybe if you hacked up a way to cool the CCD?

    Another candidate would be the dumpster-diving Gen 0 nightvision: http://www.angelfire.com/80s/sixmhz/infrared.html

    That one’s definitely not sensitive enough as-is, but I reckon you could improve on the basic design and maybe get it to do this. It would be significantly less cheap and easy, though.

    jake: That’s pretty brilliant, actually. However, Bank of America accounts have a six-digit minimum length and I think they support a PIN up to eight digits. (Though it was a while ago that I made my account.) Do you know if this will work for variable-length PINs? (Or is my recollection about the variable-length PIN incorrect?)

  3. The problem with this method is that there are far easier ways to get the numbers in a key sequence than this, and they don’t require anyone to have used the device recently. Also many high security institutions (like Lucent and Avaya for example) use touch screens for keypads, and the numbers are rendered in random places, different each time someone uses it. So if someone were to press 1234 for their code and you could see where they touched the pad, you could be pressing 3927 when you try using it.

    A good hack none the less, but there are more useful things to do with thermal imaging, but that’s not what these hacks are all about now is it?

  4. That was NOT a do-it-yourself thermal imager made from a digital camera. It was a do-it-yourself NIR infrared camera. Two vastly different technologies. And that was NOT a thermal device built from scavenged parts; it is a light multiplier or intensifier, and it is NOT sensitive in the thermal range. Thermal sensors are very hard to build, and uncooled thermal sensors even harder.

    Using a pen or pencil or something of that nature would insulate your fingers from the keypad and might be enough to stop this hack. I have thought about this hack before but never bothered attempting to show it in action.

    Disclaimer – Employee of FLIR

  5. Cute idea, but why use a camera at all? There are plenty of very inexpensive IR detectors out there that are much more sensitive. Just pass over each button, note the temperature over ambient, and you’ll know the keypresses.

    Cheapest is probably the IRTC’s from Exergen (exergen.com). Way more sensitive than an imager, and around $100.

  6. The access keypad at my previous lab had LCDs on each key. The number associated with each key was scrambled each time the keypad was used. Clearly thermal imaging could not be used to crack a keypad of this type.

    I like #16… great solution! Using a material with low thermal mass for the keys is obviously another step in a safe direction, no pun intended!

  7. “What material are these buttons made of? I’m guessing metal; otherwise the heat wouldn’t transfer into them after such a quick press. And metal makes a more impressive looking safe. Make them out of polystyrene and they won’t get warm so quickly (and they’ll last maybe ten presses … oh well).”

    This won’t matter too much. We use these in firefighting and because of that I’ve had a lot of time to play with them (our dept has 2). Putting your hand on grass in the sun will leave a handprint for minutes, the top of a polystyrene cooler will last even longer, hell, even pavement will keep the image for several minutes. If anything, metal keys might give off the heat faster than insulators like polystyrene.

    Also, cars are very cool to look at with one of these should you ever get the chance. You can only see the upper half of a person (windows, if they’re down) but you can see the engine glowing nicely and the tires + where they were on the pavement. Another cool thing is looking at people through windows: they’re completely invisible, and mirrors reflect the user’s thermal images :D

  8. cg: Very good points, employee or no. ;) I was sort of shooting from the hip, and forgot to account for those solutions using the wrong part of the IR spectrum. I guess we’ll have to shell out and get one of your $5k imagers, but in this case you get what you pay for!

  9. A much easier way to get the numbers (but not the sequence) is to spray the keys with some UV reflecting dust or aerosol. After the keys have been used, just use a UV flashlight to check where the UV dust has been smeared.

    Maybe it would be possible to use a different pattern of UV “grease” on each key and then work out the sequence from that. The first key would only be smeared, the second would be smeared _and_ it would have residues from the pattern of the first key and so on…

  10. The really cool thing is they did this with an uncooled FPA (Focal Plane Array) bolometer. A cryo-cooled MCT (Mercad Telluride) would give MUCH better results and depending on the safe’s contents the $200K+ investment could certainly be justified. BTW the button material doesn’t matter, metal buttons would absorb heat faster but would also dissipate the heat faster.

  11. I had a chance to play with one of the units used by firefighters and it was shocking how sensitive it was. Just touching a wood table for a second would leave a spot visible for a minute or so.

  12. #25 “A much easier way to get the numbers (but not the sequence) is to spray the keys with some UV reflecting dust or aerosol. After the keys have been used, just use a UV flashlight to check where the UV dust has been smeared.”

    Or you could give a cute girl a George Washington campaign pin with UV ink/grease on it and later solve the anagram of her password to steal the Declaration of Independence…. just an idea…

  13. Whenever I am using a keypad I do two things:

    1. I rest my first three fingers on the whole row of numbers, only using enough pressure to register the one number I need. You would need a camera with a /very/ high resolution to detect the minute movement.

    2. As my PIN is four digits, I press one key at random, then hit ‘correction’ with my thumb while moving my fingers to the row for the correct first number, thus entering four digits with six beeps.

    Think about it!
    Deadly_Dad

  14. You don’t need a thermal camera to see what numbers were used; just set up a tiny video camera or an ultraviolet dye or pen to see what was pressed. There’s a $2,150 hand-held infrared device, cheapest ever. It’s a good piece compared to 10,000 for the same effects.
