
A person's fingers leave thermal residue on keyboard keys that a malicious observer could record and later use to determine the text a user has entered on the keyboard, according to a recently published research paper by three scientists from the University of California, Irvine (UCI).
"It’s a new attack that allows someone with a mid-range thermal camera to capture keys pressed on a normal keyboard, up to one minute after the victim enters them," says UCI Computer Science Professor Gene Tsudik, one of the three researchers who worked on the paper.
"If you type your password and walk or step away, someone can learn a lot about it after-the-fact," Tsudik said.
Thermanator attack can recover passwords, PINs
The UCI team calls this attack Thermanator, and they say it can be used to recover short strings of text, be it a verification code, a banking PIN, or a password.
Attackers need to be able to place a camera with thermal recording features near a victim, and the camera must have a clear view of the keys for the Thermanator attack to work.
But when these conditions are met, an attacker, even a non-expert one, can recover the collection of keys the victim has pressed, which they can later assemble into possible strings to be used in a dictionary attack.
Passwords can be recovered up to 30 seconds after input
In laboratory experiments, the research team had 31 users enter passwords on four different keyboard types. UCI researchers then asked eight non-experts to derive the set of pressed keys from the recorded thermal imaging data.
The test showed that thermal data recorded up to 30 seconds after the password entry is good enough for a non-expert attacker to recover the entire set of keys pressed by a victim.
Attackers can recover partial key sets when the thermal data is recorded up to one minute after the key presses.
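To put the full key set (30 seconds) and partial key set (one minute) results in terms of remaining password strength, the following added example, which is not from the paper or this article, counts how many strings stay consistent with a leaked set of keys. It assumes the password length is known, 47 character keys with Shift state not modeled, and all function names are hypothetical.

```python
from math import comb, log2

KEYS = 47  # assumption: character keys on a US layout; Shift state is not modeled


def exact_set_candidates(length: int, observed: int) -> int:
    """Full key-set recovery: strings of `length` that use every observed key
    and no other key (surjections, counted by inclusion-exclusion)."""
    return sum((-1) ** j * comb(observed, j) * (observed - j) ** length
               for j in range(observed + 1))


def partial_set_candidates(length: int, observed: int, keys: int = KEYS) -> int:
    """Partial recovery: strings of `length` over `keys` keys that contain each
    observed key at least once; the other positions are unconstrained."""
    return sum((-1) ** j * comb(observed, j) * (keys - j) ** length
               for j in range(observed + 1))


def residual_bits(length: int, distinct: int, partial_seen: int) -> dict:
    """Search space, in bits, left for a password of `length` with `distinct`
    different keys: no leak, `partial_seen` keys leaked, whole key set leaked."""
    return {
        "no_leak": round(log2(KEYS ** length), 1),
        "partial_set": round(log2(partial_set_candidates(length, partial_seen)), 1),
        "full_set": round(log2(exact_set_candidates(length, distinct)), 1),
    }


if __name__ == "__main__":
    # Constructed case: 8-character password, 8 distinct keys, 4 seen in a late image.
    print(residual_bits(8, 8, 4))
```

Under these assumptions a fully leaked key set leaves only the ordering of the keys unknown, which is why the unordered set alone is a serious loss even though the thermal image does not reveal the password itself.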
Researchers say that users who type using a "hunt and peck" technique of pressing one key at a time with two fingers while continually looking at the keyboard are more susceptible to having their key presses harvested by this technique.
UCI researchers: Passwords must go
The research notes that, over the years, academics have devised several types of attacks for recording passwords, such as through mechanical vibrations, electromagnetic emanations, and more. The research team argues that it may be time to move away from passwords as a means to secure user data and equipment.
"As formerly niche sensing devices become less and less expensive, new side-channel attacks move from 'Mission: Impossible' towards reality," researchers said. "This is especially true considering the constantly decreasing cost and increasing availability of high-quality thermal imagers."
More details about the UCI team's research can be found in a paper titled "Thermanator: Thermal Residue-Based Post Factum Attacks On Keyboard Password Entry."
Comments
S4NDM4NN - 4 years ago
So this idea has been around for a while:
https://nakedsecurity.sophos.com/2011/08/17/stealing-atm-pins-with-thermal-cameras/
GT500 - 4 years ago
Yeah, I remember seeing a video about it on YouTube years ago. After watching it I started holding my fingers over the keys on debit card readers after entering my PIN just to make it harder for an IR camera to clearly show what buttons I had pressed.
Fever905 - 4 years ago
Umm, ok so if you can put a camera by someone's keyboard why not just watch what keys they press instead of going all thermal. Duh...?
mmaddox0 - 4 years ago
Umm... I don't know of anyone who enters their password just before locking their computer. Not a concern.
Fever905 - 4 years ago
Yea you enter your password to unlock... not lock.. makes this article even more troll bait lol
eozturk - 4 years ago
An author of the paper here. Thanks for sharing our work!
A few things to clarify:
- Thermanator does not require the attacker to be present at password entry time (i.e., it is not a real-time attack); rather it gives an attacker up to 30 seconds for full or up to 1 minute for partial password key set recovery, AFTER password entry.
A possible attack scenario is that after the victim logs in to their workstation or any website using their password, an accomplice of the attacker draws away the victim, enabling the attacker with a thermal camera to capture images of the external keyboard used to type in the password. These images can be used for password recovery.
- Previous work, for example [1], focused on PIN pads and PINs, and reported that metallic ATM PIN pads were secure against thermal imaging attacks due to their heat dissipation characteristics and the "mirroring" effect they created on the thermal image. Plastic PIN pads, on the other hand, were reported to be vulnerable against this type of attack. Our study differs from previous work in terms of (not an exhaustive list):
- Input entry: Typing passwords is inherently different than entering PINs: one difference is typing style (hunt-and-peck vs. touch typing),
- Input complexity: Passwords are expected to be complicated (e.g., they include special characters and digits),
- Input length: PINs are usually short, passwords can be/are usually long(er),
- Input device: There are multiple keyboard options available in the market made from different materials with different designs,
We evaluate all these above factors via experiments, and report and discuss the results.
Another important thing to note is that people are more cautious when entering PINs compared to entering passwords in a shared office environment, which makes Thermanator an even more serious threat.
[1] Mowery, K., Meiklejohn, S., and Savage, S. Heat of the moment: Characterizing the efficacy of thermal camera-based attacks. In Proceedings of the 5th USENIX conference on Offensive technologies (2011), USENIX Association, pp. 6–6.
GT500 - 4 years ago
Hello.
Thank you for taking the time to drop by and leave a comment with additional information.
eozturk - 4 years ago
Of course! Glad to see that people are taking interest in our work!
eozturk - 4 years ago