A device which can be attached to smartphones is capable of stealing customers' PINs using thermal imaging, UK security consultancy Sec-Tec warns.

Thermal imaging equipment – once the sole preserve of only the best-equipped attacker – is now available as a readily available iPhone accessory costing less than £200. The kit creates an increasing risk to push-button security devices.

Sec-Tec tested a wide range of push-button security devices, including ATMs, locks and safes, discovering in the process that devices could leak the digits pressed by a legitimate user for over a minute after use.

The iPhone accessory is available online from a wide variety of sources. Legitimate uses for the gadget include finding leaks within plumbing systems.

While identifying the keys in use is straightforward, pinpointing the order in which they were pressed is far trickier. However, many of the devices utilise no lock-out mechanism. And testing all combinations of a four-digit code once the digits are known is easy.

Even in cases where the number of tries are restricted it might still be possible to optimise the process of determining key ordering so that the process is more efficient than that found in a simple brute force attack. Sec-Tec has created two undisclosed methods that assist in this process.

Sec-Tec has combined this attack vector with existing RFID cloning equipment to successfully compromise two-factor door locks on a physical-penetration test.

Fortunately, various simple defences against attacks that rely in whole or in part on thermal imaging are possible.

PIN pad

The use of devices with metallic (as opposed to plastic or rubber) keys makes also such attacks impossible. And palming the keypad after use, even for only a few seconds, prevents attacks in the majority of cases, Sec-Tec advises.

A brief (11 second) YouTube clip, put together by Sec-Tec, presenting a view through a thermal imaging system of someone entering a code through a PIN pad can be found below. ®