This summer was very interesting for new attacks. There are two that I really liked, for very different reasons. They are also both attacks on PIN codes, yet they are quite different.
The first one is an attack on ATMs, with a thermal camera, hoping that your fingers stay on the keys long enough to heat them up. Well, it seems that if all conditions are good, the trick can work. The great thing about this attack is that it naturally captures the order (the warmest key is the last one). The attack works well in optimal conditions (recovering half of the PIN codes after one minute), which sounds good, even a bit alarming.
Luckily, it is quite sensitive to various conditions, like the material the keys are made of (plastic seems better for the attack than metal, which conducts heat away too easily). Having cold fingers is also a good security measure, since the amount of heat transferred is lower. The researchers haven’t tried it, but the temperature of the environment should also have some influence. So, against this attack, I guess that selecting an ATM in full sun, with metal keys (the authors’ recommendation) and wearing gloves should do the trick.
The second attack is about using a smartphone’s motion sensor to guess a PIN code typed on it. Of course, when you type on a smartphone while holding it, you apply some pressure on the screen, and the result in terms of movement depends on where you type. It doesn’t work as well as the previous attacks, but apparently, they get over 70% of the digits typed on a 10-digit keyboard.
The obvious countermeasure is to make sure that your phone is safely lying on a table, which will severely limit any movement. In terms of countermeasures, this also raises the bar for people who are developing systems that protect the touchscreen: you may as well protect the motion sensors too, because if a hacker controls them, he may just get the PIN code that we want to protect. Of course, that’s until another attack comes along, using another sensor.
For me, these two attacks have in common that they are absolutely obvious. You just read the title of the paper and you think “Of course, this is nice”. And yet, they are quite practical, and they can become a real problem for real people. They also both rely on using a disruptive attack technology: PIN protection requirements usually don’t consider thermal cameras and motion sensors as potential threats, but they may in the future. This is another reminder that security is a wonderful job, because as soon as you have covered all known threats, new ones come up that you also need to cover.