Your Hot Hands Can Give Away Your Smartphone PIN

For Android users, then, choosing a pattern that crosses over itself would be the most obvious way to defend against thermal attacks. More generally, any sort of tapping and swiping around that happens after unlocking a phone is enough to foil a thermal camera, since doing so adds spots of heat to the screen that can confuse the attacker.

But Yomna Abdelrahman, a Ph.D. candidate at the University of Stuttgart and one of the primary authors of the research paper, said a more complex system might be able to tell different actions apart, based only on their heat signatures. “If we have a learning algorithm, we can actually differentiate between PIN entry and usage,” she said.

The researchers proposed a few ways smartphone hardware can defend against thermal attacks. Briefly increasing screen brightness to its maximum, or triggering a short burst of CPU activity, could heat up the entire phone and make PIN detection difficult.

Some people may be predisposed to a natural defense: Cool hands make it harder to detect heat traces from PIN entry, the researchers found, because the difference in temperature between the screen’s glass and the finger is less pronounced. Hot hands, on the other hand, may prolong the window of attack.

I usually use a fingerprint reader to log into my iPhone, but when I can’t, I type in a long password that has letters, numbers, and symbols. Since it takes a bit longer to type it in than a four-digit PIN, an attacker would have less time to capture the heat traces after I finish typing—but what if I typed it quickly?

“I would guess that if you are a fast typist that means the contact time is reduced, which will influence the amount of heat transferred,” Abdelrahman told me. “Hence, the heat traces left behind will be less, so still it might be hard to infer the long PINs.”

But if I’m typing quickly, I may be exerting more pressure with each stroke, she said, which could end up increasing the intensity of the heat traces I leave behind.

Maybe I’ll just keep my phone in my pocket.


