Thieves can steal smartphone pins in seconds, android users are at risk

If you thought your smart phone was safe when left locked, think again.

A thermal-imaging camera would easily be able to get your phone's pass code from the heat marks left on the screen, researchers have said.

Heat traces transferred from a user's hand to the screen while typing in you PIN could be the giveaway, a paper by four researchers at Stuttgart University says.

The traces are recovered and used to reconstruct the password - even up to 30 seconds after the device was last touched, The Atlantic reports.

Someone typing in a PIN number with four different digits would unknowingly leave behind four heat traces, each slightly different temperatures.

The researchers came up with a six step plan of extracting PIN numbers.

A thermal camera set to capture temperatures between about 66 and 90 degrees Fahrenheit takes a picture of the screen.

Software can then convert the color image to grayscale and applies a filter.

After that, the background is removed entirely, leaving just the heat traces.

These can then be detected and extracted and for a PIN, this will result in one to four circles.

Finally, the relative heat of each PIN to determine the most likely order for the passcode’s digits can be analysed.

The thermal attack also works on Android patterns by tracing the finger’s path across the screen, and working out the direction of the pattern by temperature.

Worryingly, thermal attacks have a shocking success rate.

If the thermal image is taken within 15 seconds of a PIN being entered, it has an almost 90 per cent success rate.

At 45 seconds or above, this drops to 35 per cent.

But watch out Android users - as if the shape has no overlaps, thermal attacks can guess the correct shape 100 per cent even 30 seconds after it's entered.

In a short video, two of the researchers demonstrate how easy the attack is.

A man enters a PIN to unlock his phone, before turning off the screen and putting it down on a table.

Then as he walks away, an 'attacker' comes in, points a small thermal camera to the phone and walks back out.

From the oily residue left on the screen by the user's finger, the passcode can be reconstructed.