
Cracking Safes with Thermal Imaging



This inexplicably brief "research" paper presents an interesting physical world attack that may be easily deployed by a determined attacker to compromise many high-security access control systems in use today. Although this paper's findings are hardly groundbreaking (and in some ways, are downright obvious), it includes some cool pictures of what should be most certainly taken into account in risk management, secure zone planning, and when drafting operating procedures for high-risk areas. But most of all, I just wanted to share ;-)

In short, virtually all keypad entry systems - as used in various applications, including building access control, alarm system control, electronic lock safes, ATM input, etc - are susceptible to a trivial low-profile passphrase snooping scheme. This attack enables the attacker to quickly and unobtrusively recover previously entered passphrases with a high degree of success. This is in contrast to previously documented methods of keypad snooping; these methods were in general either highly intrusive - required close presence or installation of specialized hardware - or difficult to carry out and not very reliable (e.g., examining deposited fingerprints - works in low-use situations only, and does not reveal the ordering of digits).


The attacker can perform the aforementioned attack by deploying an uncooled microbolometer thermal imaging (far infrared) camera within up to approximately five to ten minutes after valid keycode entry. Although this may sound outlandish, the heat transferred during split-second contact of individual keys with human body (even through, for example, gloves) is significant enough and dissipates slowly enough to make this possible after the area has been cleared of all personnel.

Furthermore, since the image can be acquired from a considerable distance (1-10 meters is easy to achieve), the attacker can afford to maintain a remarkably low profile through the process.

To put things in perspective, portable (handheld) thermal imaging devices, such as the one pictured above, are commercially available without major restrictions from manufacturers such as Flir or Fluke. Prices begin at $5,000 to $10,000 for brand new units, and top-of-the-line models boast a 0.05 K thermal resolution at impressively low sensor noise levels. The "return on investment" can be quite high in most illicit uses, and indeed - historically, ATM phishers were known to be willing to spend money on specialized equipment such as custom assemblies that included high-end digital cameras with wireless access. As such, the scheme is not as outlandish as it might have seemed.

The following sequence of images demonstrates the feasibility of the attack; in this case, the target is LA GARD ComboGard 3035 electronic lock (with rubber keys) installed on an industrial-grade safe:




Keypad in idle state - in visible light (left) and in thermal imaging (right). Minimal ambient temperature variations are present due to different thermal characteristics of materials used in the safe.


A sequence of keys is being pressed (1-5-9). The difference in colors on the right is due to IR camera automatically adjusting to relatively high temperature of human body, to avoid overexposure and blooming.


Code entry complete. All pressed keys are still clearly readable in this thermogram; the sequence of digits can be inferred from the relative temperature of these spots - ones with lower registered temperature (more faint color) were pressed earlier than others.

There are some real-world considerations, of course: reuse of digits in a code, very rapid code entry, vastly differing keypress times, and other code entry quirks (say, victim's habit of resting his palm on the keypad) may render the attack less successful, and may make results more ambiguous. That said, it's still nifty, and apparently not limited to bad science-fiction or computer games; civilian access to sufficiently advanced technology is possible. All in all, many airports, numerous bank branches, and various other entities, might want to reconsider the effectiveness of their defenses.

A proper defense against such techniques would be not to rely on keypad-only access control in easily accessible areas, unless additional advanced countermeasures can be implemented (well-implemented scrambling keypads originally intended to thwart fingerprint or key wear analysis, for example). Smart-card, biometric, or plain old key-based protection can be added to reduce exposure.

Side thought: in terms of safe cracking, another interesting area of research is differential power analysis (DPA) of electronic locks. High-security locks on small- and medium-size safes usually have external connectors that can be used to supply emergency battery power to the device; these usually directly connect to the same route that is used to supply primary power, and as such can be used to measure power consumption characteristics and/or capture CPU-generated feedback noise, and possibly to differentiate between valid and invalid keycodes as digits are entered. If you happen to have a good 'scope lying around, give it a try.


Link to comment
Share on other sites
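Added example (not part of the original post or the paper it quotes): a keyspace count for the leaks discussed above, showing how many codes stay indistinguishable after fingerprint smudges, a thermal trace on a fixed layout, and a thermal trace on a scrambling keypad. It assumes an idealised trace (every pressed key still readable, last-press order perfectly resolved) and that the scrambled layout is not visible to the observer; the function names and leak labels are illustrative.

```python
from itertools import product

DIGITS = "0123456789"

def thermal_trace(code):
    """Distinct keys ordered by time of last press (coldest spot first)."""
    last = {d: i for i, d in enumerate(code)}   # later presses overwrite earlier ones
    return tuple(sorted(last, key=last.get))

def residual_codes(code, leak):
    """Count codes of the same length that look identical to `code`.

    leak = "none"      : nothing observed (full keyspace)
    leak = "smudge"    : which keys were touched, no ordering (fingerprints)
    leak = "thermal"   : touched keys plus last-press order, fixed layout
    leak = "scrambled" : hot spots seen, but digit positions change per
                         entry, so only the number of distinct keys leaks
    """
    def view(c):
        trace = thermal_trace(c)
        if leak == "none":
            return None
        if leak == "smudge":
            return frozenset(trace)
        if leak == "thermal":
            return trace
        if leak == "scrambled":
            return len(trace)
        raise ValueError(f"unknown leak model: {leak}")

    target = view(code)
    return sum(1 for c in product(DIGITS, repeat=len(code))
               if view("".join(c)) == target)

if __name__ == "__main__":
    # Constructed sample codes: "159" is the sequence from the post,
    # "1519" reuses a digit, which makes the thermal trace ambiguous.
    for code in ("159", "1519"):
        for leak in ("none", "smudge", "thermal", "scrambled"):
            print(code, leak, residual_codes(code, leak))
```

A larger residual count means the observation helps the observer less; the reused-digit code and the scrambled layout both raise it, which matches the caveats and the countermeasure described in the post.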

An old trick, hard to use (for example) on a safe because it would have to be done within minutes of the key pad being pressed, and safes are usually guarded in some way. This trick works well on doors which only have a key pad as their only form of authentication.

Link to comment

I have 3 digital safes and can safely say, like Sparda said, by the time I'm done with the safe and leave the room this attack wouldn't be as reliable to acquire all of the combination. So this doesn't make me lose any sleep, although one of my safes has a poor design (really all 3 could be affected but one in particular) where you basically remove the entire key pad by twisting it to insert batteries. I could see a simple electronic logging device being placed in there VERY easily, which is why I like to keep valuables in my safe that requires a key also (same brand, same size, same fire and water protection, bought a year apart from the non-key safe, but cost almost twice as much).

But for doors, even ATMs, & other more accessible key pads this is a decent means to figure out people's code.

Link to comment

well if you used a touch screen you could heat it so the temp would never change

and then all you need is 2 different cameras one to see the entered 'touches' and the other to see the corresponding numbers

but how is this better than just reading the touched buttons with a regular camera to begin with?

Link to comment

  • 1 month later...
but how is this better than just reading the touched buttons with a regular camera to begin with?

It's not. If you could access the safe, you could put up a camera and record people entering the code. The only advantage thermal imaging would have would be if you had limited time to access it.

Link to comment