The attack consists in detecting whether the PIN code is right or wrong (here, through some change in display intensity) before the number of false PIN presentations is incremented in persistent memory. Upon detection, the phone is immediately rebooted, and the increment doesn’t happen. Yeaahh!!

Similar attacks have been performed on smart cards for over 20 years. The attackers used to monitor the power consumption when verifying a PIN, and an increase in consumption (indicating a memory write) would indicate the beginning of an EEPROM update, and the right time to cut power.

The solution? Most people typically look for complex implementations, but the general solution is much simpler: just increment your counter of failed attempts before actually performing the comparison (and ensure that the actual memory update has been performed, not just cached). Then, no need to worry about power cuts and reboots, since the attacker will not get additional attempts.

I will tend to believe that most (all?) Java Card implementations of the OwnerPIN class include such countermeasures, providing adequate protection for a PIN comparison. And by the way, since recent iPhone’s include a Secure Element, this is where the PIN comparison belongs.

For more details on PIN attacks and countermeasures, you can read my tutorial JC101-12C: Defending against attacks.

The first one is an attack on ATMs, with a thermal camera, hoping that your fingers stay on the keys long enough to heat them up. Well, it seems that if all conditions are good, the trick can work. The great thing about this attack is that it naturally captures the order (the warmest key is the last one). The attack even works well in optimal conditions (recovering half of the PIN codes after one minute), which sounds good, even a bit alarming.

Luckily, it is quite sensitive to various conditions, like the material in which the keys are made (plastic seems better for the attack than metal, which conducts heat away too easily). Having cold fingers also is a good security measure, since the amount of heat transferred is lower. The researchers haven’t tried it, but the temperature of the environment should also have some influence. So, against this attack, I guess that selecting an ATM in full sun, with metal keys (the authors’ recommendation) and wearing gloves should make it.

The second attack is about using a smartphone’s motion sensor to guess a PIN code typed on it. Of course, when you type on a smartphone while holding it, you apply some pressure on the screen, and the result in terms of movement depends on where you type. It doesn’t work as well as the previous attacks, but apparently, they get over 70% of the digits typed on a 10-digit keyboard.

The obvious countermeasure is to make sure that your phone is safely lying on a table, which will severely limit any movement. In terms of countermeasure, this also raises the bar for people who are developing systems that protect the touchscreen: well, you may as well protect the motion sensors, because if a hacker controls that, he may just get the PIN code that we want to protect. Of course, that ‘s until another attack comes, using another sensor.

For me, these two attacks have in common to be absolutely obvious. You just read the title of the paper and you think “Of course, this is nice”. And yet, they are quite practical, and they can become a real problem for real people. They also both rely on using a disruptive attack technology: PIN protection requirements usually don’t consider thermal cameras and motion sensors as potential threats, but they may in he future. This is another reminder that security is a wonderful job, because as soon as you have covered all known threats, new ones come up that you also need to cover.