This inexplicably brief "research" paper presents an interesting physical-world attack that may be easily deployed by a determined attacker to compromise many high-security access control systems in use today. Although this paper's findings are hardly groundbreaking (and in some ways are downright obvious), it includes some nice pictures of what should most certainly be taken into account in risk management, secure zone planning, and when drafting operating procedures for high-risk areas. But most of all, I just wanted to share ;-)

In short, virtually all keypad entry systems - as used in various applications including building access control, alarm system arming, electronic lock safes, ATM input, etc. - are susceptible to a trivial, low-profile passphrase snooping scheme. This attack enables the attacker to quickly and unobtrusively acquire previously entered passphrases with a high degree of success. This is in contrast to previously documented methods of keypad snooping; those methods were in general either highly intrusive - requiring close presence or the installation of specialized hardware - or difficult to carry out and not very reliable (e.g. examining deposited fingerprints, which works in low-use situations only and does not reveal the ordering of digits).

The attacker can perform the aforementioned attack by deploying an uncooled microbolometer thermal imaging (far infrared) camera within up to approximately five to ten minutes after a valid keycode entry. Although this may appear outlandish, the heat transferred during split-second contact of individual keys with the human body (even through, for example, gloves) is significant enough, and dissipates slowly enough, to make this possible after the area has been cleared of all personnel. Furthermore, since the image can be acquired from a considerable distance (1-10 meters is easy to achieve), the attacker can afford to maintain a remarkably low profile throughout the process. To put things in perspective, portable (handheld) thermal imaging devices such as the one pictured above are commercially available without major restrictions from a number of manufacturers. Prices begin at $5,000 to $10,000 for brand new units, and top-of-the-line models boast fine thermal resolution at impressively low sensor noise levels. The "return on investment" can be quite high in most illicit uses, and indeed, historically, ATM phishers were known to be willing to spend money on specialized equipment such as custom assemblies that included high-end digital cameras with wireless access. As such, the plot is not as outlandish as it might have seemed. The following sequence of images demonstrates the feasibility of the attack; in this case, the target is an electronic lock (with rubber keys) installed on an industrial-grade safe:
Keypad in idle state - in visible light (left) and in thermal imaging (right). Minimal ambient temperature variations are shown due to the different thermal characteristics of the materials used in the safe.

A sequence of keys is being pressed (1-5-9). The difference in colors on the right is due to the IR camera automatically adjusting to the relatively high temperature of the human body to avoid overexposure and blooming.

Code entry complete. All pressed keys are still clearly readable in this thermogram; the sequence of digits can be inferred from the relative temperature of these spots - the ones with a lower registered temperature (darker color) were pressed earlier than the others.

There are some real-world considerations, of course: reuse of digits in a code, very rapid code entry, vastly differing keypress times, and other code entry quirks (say, the victim's habit of resting his hand on the keypad) may render the attack less successful and may make the results more ambiguous. That said, it's pretty nifty, and apparently not limited to bad science fiction or computer games; civilian access to sufficiently advanced technology is possible. All in all, many airports, numerous bank branches, and various other entities might want to reconsider the effectiveness of their defenses. A proper defense against such techniques would be not to rely on keypad-only access control in easily accessible areas unless additional advanced countermeasures can be implemented (well-implemented scrambling keypads, originally intended to thwart observation or key wear analysis, for example). Smart-card, biometric, or plain old key-based protection can be added to decrease exposure.

Side thought: in terms of safe cracking, another interesting area of research is differential power analysis (DPA) of electronic locks. High-security locks on small- and medium-size safes usually have external connectors that can be used to supply emergency battery power to the device; these usually connect directly to the same rail that is used to supply primary power, and as such can be used to determine power consumption characteristics and/or capture CPU-generated feedback signals, and possibly to differentiate between valid and invalid keycodes as digits are entered. If you happen to have a good 'scope lying around, give it a try.
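A toy model of the residue-ordering argument above, added here as an example (not code from the article): constructed constants for the per-press temperature rise, the cooling time constant and the camera sensitivity are assumed, and the model shows when the "cooler spot was pressed earlier" rule recovers the order, how rapid entry and digit reuse make it ambiguous or wrong, and why a scrambling keypad turns recovered positions into an unknown code.

```python
import math

# All values below are constructed for illustration, not measurements from the article.
AMBIENT_C = 22.0      # assumed room temperature
PRESS_DELTA_C = 1.5   # assumed rise of a rubber key after a split-second finger contact
TAU_S = 240.0         # assumed cooling time constant of a key, in seconds
NETD_C = 0.05         # assumed camera noise-equivalent temperature difference

def key_excess(press_times, t_obs, tau=TAU_S):
    """Temperature above ambient of one key at t_obs: each press adds a pulse
    that decays exponentially (Newton cooling); repeated presses add up."""
    return sum(PRESS_DELTA_C * math.exp(-(t_obs - tp) / tau)
               for tp in press_times if tp <= t_obs)

def thermogram(presses, t_obs):
    """presses: list of (key, time_s). Returns {key: excess_C} for a 0-9 keypad."""
    times = {}
    for key, tp in presses:
        times.setdefault(key, []).append(tp)
    return {k: key_excess(times.get(k, []), t_obs) for k in "0123456789"}

def infer_sequence(thermo, netd=NETD_C):
    """Apply the article's rule: warm spots ordered coolest-first (pressed earliest).
    Returns (sequence, ambiguous); ambiguous is True when two spots differ by
    less than the camera can resolve, so their order cannot be trusted."""
    warm = sorted((v, k) for k, v in thermo.items() if v > netd)
    seq = [k for _, k in warm]
    ambiguous = any(b[0] - a[0] < netd for a, b in zip(warm, warm[1:]))
    return seq, ambiguous

def digits_for_positions(positions, layout):
    """Scrambling keypad countermeasure: the thermogram reveals physical
    positions only; the digit shown at each position (layout) changed for that
    entry and is no longer displayed, so positions alone do not give the code."""
    return "".join(layout[p] for p in positions)

if __name__ == "__main__":
    slow = [("1", 0.0), ("5", 20.0), ("9", 40.0)]   # constructed entry, 20 s apart
    print(infer_sequence(thermogram(slow, t_obs=120.0)))
    fast = [("1", 0.0), ("5", 1.0), ("9", 2.0)]     # constructed rapid entry
    print(infer_sequence(thermogram(fast, t_obs=120.0)))
```

Observation two minutes after a slow 1-5-9 entry recovers the order; the same code typed a second apart leaves spot temperatures closer than the camera noise, and a reused digit ends up warmer than everything else and is reported once, in the wrong place.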
I guess I'm gonna have to punch buttons on the ATMs and POS terminals with a pencil or something the same temperature as the surroundings... But in a high security environment, would it be useful to 'heat' the pad above ambient temperature? Would that minimize the thermal aftereffects of a human pushing the buttons? Or would you now just look for the 'cold' spots?
One way to mitigate this is to use a keypad that randomizes the placement of the numbers on the pad each time. Here's a pad that implements it:

And I encourage everyone to read more of the stuff Zalewski has on his site linked in the original post. Pretty much everything he's written is fascinating. I picked up his book "Silence on the Wire" last year when I was at SANS NS2007 in Vegas and it's now my favorite computer security book of all time.
Here's a similar experiment using a cheap ($10) Harbor Freight non-contact infrared thermometer:

Crappy video:

An experiment could involve taking the thermopiles from ten non-contact infrared thermometers and arranging them in a "keypad" matrix. Then run their voltage outputs into a multi-channel analog-to-digital converter. Log, store and analyze the data via computer.
Related article:
http://www.binrev.com/forums/index.php?showtopic=33959