Eight minutes after entry, your PIN code is still glowing
A security researcher stands in front of a PIN pad at an office building with a commercial thermal camera. The last entry was eight minutes ago. Despite this, four keys are significantly warmer than the others—the residual heat from fingertips still clearly shows which digits were pressed. Two of them glow brighter: the ones pressed last. This narrows down a four-digit code to just two or three possible combinations. Total effort: a budget thermal imaging attachment for a smartphone and thirty seconds of patience.
This isn't a lab experiment. Thermal attacks on PIN pads were systematically documented in 2017 by researchers at UC San Diego and work reliably on plastic keyboards even at normal room temperatures. But thermal imaging is just one tool in a broader spectrum of visual exploitation—starting with binoculars and ending with a smartphone photo of an ID badge.
Shoulder Surfing 2.0 is not an attack that requires proximity. It requires a clear line of sight and the right tools. Anything visible to the human eye is potentially readable—from distances no one expects, using devices anyone can buy.
Visual Exposure: The Underestimated Attack Vector
Most security concepts focus on access control: Who has a badge, who knows the code, who has authorization. Visual attacks bypass these questions entirely. They don't ask for authorization—they observe it. The goal is not the access itself, but the information that enables it.
Visual exposure occurs wherever security-relevant information exists in a visible medium: on a display, a keypad, an ID badge, a screen in an open-plan office, or even a Post-it note under a keyboard. The attack surface is the entire visual environment of an employee—and it is rarely fully addressed in any security concept.
Technical access control ends the moment a human enters their code or wears their badge visibly. What the eye can see, an attacker can document—using tools available at any electronics store.
The Four Attack Vectors of Visual Exposure
Thermal Attack in Detail: Physics and Practice
Thermal attacks work because plastic is a poor thermal conductor. Body heat from a fingertip (~34°C contact temperature) stays on the key surface significantly longer than on metal. A thermal camera with a 160×120 resolution—found in cheap smartphone attachments—is sufficient to detect this difference.
Metallic keypad surfaces dissipate heat faster and are significantly more resistant to thermal attacks. PIN pads with metal keys, active thermal mixing (randomly heating all keys), or randomized key layouts are technical countermeasures—not just a PIN policy.
The Badge Photo: Three Clicks to a Print Copy
A badge serves two functions: it is a technical access credential (RFID/NFC chip) and a visual identification tool (print, photo, color, logo). Most security concepts protect the technical function—using cryptography, mutual authentication, or Wiegand replacements. The visual function is almost never addressed.
A printed badge look-alike doesn't need to work to be useful. In a pretext attack, an optically convincing copy is enough to appear legitimate at receptions, during tailgating, or when conversing with staff. RFID function is optional; visual persuasion is the real tool.
Full Attack Chain: From Observation to Entry
Why Technical Measures Alone Aren't Enough—And Which Policies Make the Difference
Visual attack vectors cannot be fully closed by technology. Thermal-resistant PIN pads and cryptographically secured badges solve part of the problem—but not the part rooted in human behavior. Wearing a badge outside a jacket, exposing a screen on a train, or entering a PIN without cover creates an attack surface no technical system can shield.
Badge policies only work when lived—not just when written in a handbook. The most effective measure is a corporate culture where shielding your PIN and concealing your badge is as natural as buckling a seatbelt. This is built through regular simulation, not training slides.
Visual Attack Vectors: Effort, Cost, and Impact
| Attack Vector | Required Tool | Cost | Countermeasure | Risk |
|---|---|---|---|---|
| Thermal Attack PIN Pad (Plastic) | Thermal camera attachment | from ~150 EUR | Metal keypad, thermal mix, hand shielding | CRITICAL |
| Badge Photo for Print Copy | Smartphone camera | 0 EUR | Concealed wear, minimal design | CRITICAL |
| Optical Badge SN Capture | Telephoto lens / Zoom camera | from ~100 EUR | Serial number interior / chip-only | HIGH |
| Direct PIN Observation | Direct sight / Reflection | 0 EUR | Visual shield, hand covering, camera angles | HIGH |
| Photographing Screen Content | Smartphone | 0 EUR | Privacy filters, Clean Screen policy | MEDIUM |
| Thermal Attack PIN Pad (Metal) | High-end thermal camera | from ~800 EUR | Inherently more resistant via conductivity | MEDIUM |
Hardening Against Visual Attacks
- PIN Pads with Metal Surfaces or Active Thermal Mixing: Metal keypads dissipate heat much faster than plastic. Systems with active thermal mixing—where all keys are slightly heated—completely neutralize thermal attacks. This should be a selection criterion for new installations.
- Randomized Key Layouts: Some ACS manufacturers offer pads with layouts that change with each entry. Even if keys are thermally identifiable, their position changes every time, making the attack ineffective.
- Mandatory Badge Holders with Privacy Shields: Use holders that are opaque on the front or have a flip mechanism, showing the badge only when actively presented. These cost very little and close the badge photo vector entirely.
- Harden Badge Design against Info Exposure: Do not encode access levels with front-facing colors. Keep serial numbers in the chip only. Place employee photos and names on the back or in digital credentials.
- Analyze Camera Angles for PIN Pad Areas: Check if your own surveillance cameras capture PIN entry areas. If so, adjust angles. This also reveals positions an attacker might use—showing where visual shields are necessary.
- Privacy Filters for Mobile Devices: Mandatory for all employees who travel regularly or work in public. Privacy filters reduce the viewing angle to ~60 degrees, making screens unreadable to side observers.
- Explicitly Test Visual Vectors in Pentests: A physical security audit should include thermal PIN pad capture, badge photo simulation, and screen shoulder surfing as explicit test cases. What we find in a test, an attacker will find too.
Visual security costs almost nothing – a shielded badge holder, a privacy filter, and a practiced PIN covering routine close the most common vectors. The investment in policy and habit is orders of magnitude smaller than the potential damage of a successful badge clone or PIN theft.
Conclusion: What the Eye Sees, an Attacker Can Use
Shoulder surfing hasn't disappeared; it has become high-tech. The core question remains: What can an attacker see given the right moment and location? The answer has expanded dramatically through affordable thermal cameras, high-res smartphone lenses, and trivial image editing.
The badge hanging on a jacket. The plastic PIN pad without a shield. The laptop on a train without a filter. Each of these is a complete attack vector—not hypothetical, but regularly exploited in audits. And each can be closed with simple, cost-effective measures.
Security doesn't end at technical access control. It ends at the limit of the visible.
Do you know what an attacker sees with a thermal camera at your entrance?
We test visual attack vectors—thermal imaging, badge exposure, screen visibility—and provide concrete policy recommendations per location.
Request Visual Security Audit →