Thermal keypad combo snooping

thermal image

This is interesting demo of how residual heat in a safe keypad could expose the key sequence. Using a hand-held thermal imaging device (not cheap) you can read which buttons on a keypad were pressed 5 to 10 minutes after the event from up to 10 meters away. Even though each key press is momentary there is enough heat transfer to distinguish the button in a thermal image. The sequence can be determined since the first button pressed has the least heat. This method break s when buttons are reused in the sequence, but being able to see the unused keys cuts down the number of possible permutations.

[thanks Mr. Mistoffolees]

Comments

  1. weirdguy says:

    splinter cell!

  2. Mojo Jojo says:

    So just heat the keypad so that the temp is consistant across the whole thing

  3. PK says:

    Time to begin pressing all of the buttons at least once after unlocking my panic room.

  4. At the ATM I found that only the first 4 character of my PIN actually mattered so I would always type in 20-30 characters before hitting “enter”. If someone commented I would just whisper “you never saw me” or “government account”.

    Jake.
    http://www.vonslatt.com

  5. tim says:

    ok, now for someone to present diy handheld thermal imaging device

  6. tim says:

    oh, wait…it has been featured on hackaday…a thermal imaging digital camera

  7. morcheeba says:

    What material are these buttons made of? I’m guessing metal; otherwise the heat wouldn’t transfer into them after such a quick press. And metal makes a more impressive looking safe. Make them out of polystyrene and they won’t get warm so quickly (and they’ll last maybe ten presses … oh well).

    This looks like the lock they used:
    http://www.lagard.com/pages/index.asp?action=show_product&id=7

    A similar attack I noticed… a certain apartment building had a keypad with 3 very dirty digits; the rest were spotless.

  8. furtim says:

    And webcam, etc. But I wonder if those are sensitive enough for this application. I would suspect not. Maybe if you hacked up a way to cool the CCD?

    Another candidate would be the dumpster-diving Gen 0 nightvision: http://www.angelfire.com/80s/sixmhz/infrared.html

    That one’s definitely not sensitive enough as-is, but I reckon you could improve on the basic design and maybe get it to do this. It would be significantly less cheap and easy, though.

    jake: That’s pretty brilliant, actually. However, Bank of America accounts have a six-digit minimum length and I think they support a PIN up to eight-digits. (Though it was a while ago that I made my account.) Do you know if this will work for variable-length PINs? (Or is my recollection about the variable-length PIN incorrect?)

  9. richard says:

    SO if i understand this correctly, i could foil a thermal imaging device merely by running my finger over all of the keys after i entered the code. easy.

  10. Jwilliam says:

    The problem with this method is that there are far easier ways to get the numbers in a key sequence than this, and they don’t require anyone to have used the device recently. Also many high security institutions(like Lucent and Avaya for example) use touch screens for keypads, and the numbers are rendered in random places, different each time someone uses it. So if someone were to press 1234 for thier code and you could see where they touched the pad, you could be pressing 3927 when you try using it.

    A good hack none the less, but there are more useful things to do with thermal imaging, but that’s not what these hacks are all about now is it?

  11. cg says:

    That was NOT a do it yourself thermal imager made from a digital camera. It was a do it yourself NIR infrared camera. Two vastly different technologies. And that was NOT a thermal device built from scavanged parts it is a light multiplier or intensifier it is NOT sensitive in the thermal range. Thermal sensors are very hard to build, and uncooled thermal sensors even harder.

    Using a pen or pencil or something of that nature would insulate your fingers from the keypad and might be enough to stop this hack. I have thought about this hack before but never bothered attempting to show it in action.

    Disclaimer – Employee of FLIR

  12. ZipperSeven says:

    I prefer the ‘Sneakers’ method of just kicking the door in.

  13. K R says:

    that is a low resolution camera. even if you dont need it you can get higher resolution cameras for around 12k from mikron infrared.

  14. jOE says:

    Cute idea, but why use a camera at all? There are plenty of very inexpensive IR detectors out there that are much more sensitive. Just pass over each button, note the temperature over ambient, and you’ll know the keypresses.

    Cheapest is probably the IRTC’s from Exergen (exergen.com). Way more sensitive than an imager, and around $100.

  15. prabhuly says:

    oolldd, i’ve been doing this in splinter cell for years! haha…

  16. joshw says:

    attn: morcheeba

    rtfa, they tell you what the buttons are made of.

  17. ez says:

    I’d like a DIY hack more.

  18. Mark says:

    another fairly simple method would be to have a heater behind the keypad that kept it at body temperature, so that no heat is exchanged.

  19. tavor says:

    #9: Simple, put a time-stamped normal-vision camera with it in the same box.
    #16: Spiffy.
    The potential of this is scary, and at the same time… astounding.

  20. jonathan says:

    The access keypad at my previous lab had LCDs on each key. The number associated with each key was scrambled each time the keypad was used. Clearly thermal imaging could not be used to crack a keypad of this type.

    I like #16… great solution! Using a material with low thermal mass for the keys is obviously another step in a safe direction, no pun intended!

  21. Jer says:

    “What material are these buttons made of? I’m guessing metal; otherwise the heat wouldn’t transfer into them after such a quick press. And metal makes a more impressive looking safe. Make them out of polystyrene and they won’t get warm so quickly (and they’ll last maybe ten presses … oh well).”

    this wont matter too much. we use these in firefighting and because of that I’ve had a lot of time to play with them (our dept has 2). putting your hand on grass in the sun will leave a hamdprint for minutes, the top of a polyustyrene cooler will last even longer, hell even pavement will keep the image for several minutes. if anything metal keys might give off the heat faster than insulators like polystyrene.

    also cars are very cool to look at with one of these should you ever get the chance. you can only see the upper half of a person (windows if thet’re down) but you can see the engine glowing nicely and the tires + where they were on the pavement. another cool thing is looking at people through windows, they’re completely invisible and mirrors reflect the users thermal images :D

  22. Ka nai`a says:

    Just like Max Headroom – Blipverts. I think. Did they do something like this? I can’t remember. Damn, off to BT to find that ep now.

  23. furtim says:

    cg: Very good points, employee or no. ;) I was sort of shooting from the hip, and forgot to account for those solutions using the wrong part of the IR spectrum. I guess we’ll have to shell out and get one of your $5k imagers, but in this case you get what you pay for!

  24. DarkFader says:

    If the heat really stays that long, it’d probably be cheaper to have a one-point sensor and manually check each button and record the levels.

  25. barse says:

    A much easier way to get the numbers (but not the sequence) is to spray the keys with some UV reflecting dust or aerosol. After the keys has been used, just use a UV flashlight to check where the UV dust has been smeared.

    Maybe it would be possible to use a different pattern of UV “grease” on each key and then work out the sequence from that. The first key would only be smeared, the second would be smeared _and_ it would have residues from the pattern of the first key and so on…

  26. Dr. Bond says:

    The really cool thing is they did this with an uncooled FPA (Focal Plane Array) bolometer. A cryo-cooled MCT (Mercad Telluride) would give MUCH better results and depending on the safe’s contents the $200K+ investment could certainly be justified. BTW the button material doesnt matter, metal buttons would absorb heat faster but would also dissipate the heat faster.

  27. Chris davis says:

    I had a chance to play with one of the units used by firefighters and it was shocking how sensitive it was. Just touching a wood table for a second would leave a spot visible for a minute or so.

  28. Leion says:

    this is a real cool idea. I did not think of this. :)

  29. Leion says:

    use a pen or something to push the buttons next time we open a safe…

  30. jared harley says:

    #25 “A much easier way to get the numbers (but not the sequence) is to spray the keys with some UV reflecting dust or aerosol. After the keys has been used, just use a UV flashlight to check where the UV dust has been smeared.”

    Or you could give a cute girl a George Washington campaign pin with UV ink/grease on it and later solve the anagram of her password to steal the Declaration of Independence…. just an idea…

  31. Deadly_Dad says:

    Whenever I am using a keypad I do two things:

    1. I rest my first three fingers on the whole row of numbers, only using enough pressure to register the one number I need. You would need a camera with a /very/ high resolution to detect the minute movement.

    2. As my PIN is four digits, I press one key at random, then hit ‘correction’ with my thumb while moving my fingers to the row for the correct first number, thus entering four digits with six beeps.

    Thnik about it!
    Deadly_Dad

  32. ronald says:

    you dont need a thermal camera to see wat numbers were used just set up a tiny video camera or a ultraviolate die or pen to see what was presed theres a $2,150 hand held infrared device cheapest ever. its a good peice compared to 10,000 for the same effects

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 92,317 other followers