July 15, 2018
There are 64 triangles in this image — can you find them all?
Thermanator steals passwords by reading thermal residue on keyboards
Password "passw0rd" thermal residue 0 (top left), 15 (top right), 30 (bottom left), and 45 (bottom right) seconds after entry
A person's fingers leave thermal residue on keyboard keys that a malicious observer could record and later determine the text a user has entered on the keyboard, according to a recently published research paper by three scientists from the University of California, Irvine (UCI).
"It's a new attack that allows someone with a mid-range thermal camera to capture keys pressed on a normal keyboard, up to one minute after the victim enters them," says UCI Computer Science Professor Gene Tsudik, one of the three researchers who worked on the paper.
"If you type your password and walk or step away, someone can learn a lot about it after the fact," Tsudik said.
Thermanator attack can recover passwords, PINs
The UCI team calls this attack Thermanator, and they say it can be used to recover short strings of text, may it be a verification code, a banking PIN, or password.
Attackers need to be able to place a camera with thermal recording features near a victim, and the camera must have a clear view of the keys for the Thermanator attack to work.
But when these conditions are met, an attacker, even a non-expert one, can recover a collection of keys the victim has pressed, keys which it can later assemble into possible strings to be used in a dictionary attack.
Passwords can be recovered up to 30 seconds after input
In laboratory experiments, the research team had 31 users enter passwords on four different keyboard types. UCI researchers then asked eight non-experts to derive the set of pressed keys from the recorded thermal imaging data.
The test showed that thermal data recorded up to 30 seconds after the password entry is good enough for a non-expert attacker to recover the entire set of keys pressed by a victim.
Attackers can recover partial key sets when the thermal data is recorded up to one minute after the key presses.
Researchers say that users who type using the "hunt and peck" technique of pressing one key at a time with two fingers while continually looking at the keyboard are more susceptible to having their key presses harvested by this technique.
UCI researchers: Passwords must go
One of the conclusions of this research is that over the years several academics have devised several types of attacks for recording passwords in various ways, such as through mechanical vibrations, electromagnetic emanations, and more.
The research team argues that it may be time to move away from passwords as a means to secure user data and equipment.
"As formerly niche sensing devices become less and less expensive, new side-channel attacks move from 'Mission: Impossible' towards reality," researchers said. "This is especially true considering the constantly decreasing cost and increasing availability of high quality thermal imagers."
More details about the UCI team's research can be found in a paper titled "Thermanator: Thermal Residue-Based Post Factum Attacks On Keyboard Password Entry."