If you were protecting your smartphone passcode from someone lurking over your shoulder, or from unseen security cameras, you might cover the screen as you tap in the PIN's four or six digits. But once you've unlocked the phone, perhaps you'd let down your guard, and leave the screen in full view―especially if it's off.
The heat traces left on a smartphone's screen after typing the PIN or swiping a pattern could give away the secret code, researchers warn.
All an attacker needs to steal the code is a thermal-imaging camera: thermal images reveal which parts of the screen were tapped, even after the phone has been left untouched for 30 seconds, The Atlantic reported.
At an upcoming conference on human-computer interactions to be held in the US in May, researchers from the University of Stuttgart and the Ludwig Maximilian University of Munich in Germany will present in a new study how PINs or patterns can be extracted from the heat signature left on the user's smartphone screen.
"PINs and patterns remain among the most widely used knowledge-based authentication schemes. As thermal cameras become ubiquitous and affordable, we foresee a new form of threat to user privacy on mobile devices," the researchers said.
Thermal cameras make thermal attacks possible: the heat traces left behind by authenticating can be used to reconstruct the password.
The researchers said that while PINs remain vulnerable even when they contain duplicate digits, patterns that cross over themselves significantly decrease the thermal attack's success rate.
If the thermal image is taken within 15 seconds of a PIN being entered, the attack is accurate nearly 90 percent of the time. At 30 seconds, it is about 80 percent accurate. But at 45 seconds or more, the accuracy drops below 35 percent, the report said.
The older smudge attack, which reads the finger-grease residue left on the glass, was surprisingly good at decoding Android passcode patterns, the shapes that users trace on their lock screens to get into their phones. The streaking in the residue left behind after an unlock can even show the direction in which the user dragged his or her finger, making imitating the pattern trivial. But for strings of numbers like an iPhone PIN, the smudge attack isn't quite as useful: it can reveal which numbers are included in the PIN, but not the order in which they were tapped. That still cuts the set of possible passcodes down drastically, but finding the real one takes some guesswork.
This is where the thermal attack excels. Because heat decays at a known rate, a person typing in a PIN with four different digits leaves behind four heat traces of slightly different temperatures: the first digit entered is coolest, and the last digit is warmest. If a thermal image contains fewer traces than the PIN has digits, the attacker knows the PIN contains at least one digit more than once. The phone's exact PIN isn't immediately clear in these cases, but it can be guessed in three or fewer tries. And if there's only one heat trace, the attacker knows the PIN is just one digit repeated four times. (In 2011, researchers at the University of California, San Diego used a similar approach to guess ATM PINs.)
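The reasoning above can be written down as candidate enumeration. The following is an added illustration, not code from the Stuttgart/LMU study or from The Atlantic: it assumes a simplified model in which a smudge reveals only the set of keys touched, and a thermal image reveals one trace per distinct key whose temperature orders the keys by their most recent press (coolest first, warmest last). Under that model a four-trace image pins down the PIN exactly, while an image with fewer traces leaves a short list that the attacker tries in turn; a sharper model of how a twice-pressed key heats up would shrink that list further, which is consistent with the "three or fewer tries" the article reports.

```python
from itertools import product


def candidates_from_smudge(digits, length=4):
    """Smudge attack: the residue shows WHICH keys were touched, not the order.
    Return every PIN of the given length that uses exactly the observed digits
    (each at least once). Four distinct digits -> 24 orderings to try."""
    digits = sorted(set(digits))
    return sorted(
        "".join(p)
        for p in product(digits, repeat=length)
        if set(p) == set(digits)
    )


def candidates_from_thermal(traces, length=4):
    """Thermal attack: `traces` is a list of (digit, temperature) pairs, one per
    key that shows a heat trace (constructed input; temperatures are arbitrary
    units). Because heat decays at a known rate, the coolest trace is the key
    pressed earliest and the warmest the key pressed last.

    One trace per PIN position -> the PIN is fully determined.
    Fewer traces than positions -> some digit repeats; enumerate the PINs whose
    order of *last* presses matches the temperature order (assumption: a single
    image tells us nothing more than that)."""
    if len(traces) > length:
        raise ValueError("more heat traces than PIN digits")
    # Keys ordered by increasing temperature == order of their last press.
    by_temp = [d for d, _ in sorted(traces, key=lambda t: t[1])]
    if len(set(by_temp)) != len(by_temp):
        raise ValueError("expected exactly one trace per distinct key")
    if len(by_temp) == length:
        return ["".join(by_temp)]          # no repeats: order is the PIN

    out = []
    for p in product(by_temp, repeat=length):
        if set(p) != set(by_temp):         # every traced key must appear
            continue
        last_press = {d: max(i for i, x in enumerate(p) if x == d) for d in by_temp}
        if sorted(by_temp, key=last_press.get) == by_temp:
            out.append("".join(p))
    return out


if __name__ == "__main__":
    # Constructed examples: a 4-digit PIN with distinct digits, one with a
    # repeated digit, and one digit pressed four times.
    print(len(candidates_from_smudge("1479")), "smudge candidates for keys 1,4,7,9")
    print(candidates_from_thermal([("1", 30.1), ("4", 30.4), ("7", 30.7), ("9", 31.0)]))
    print(candidates_from_thermal([("2", 30.2), ("5", 30.6), ("8", 31.0)]))
    print(candidates_from_thermal([("7", 31.0)]))
```

With four distinct traces the thermal image alone yields the single candidate 1479, whereas the smudge leaves 24; with three traces (keys 2, 5, 8 from coolest to warmest) the model leaves six orderings, and a lone trace collapses to 7777.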