Researchers have discovered malicious attackers could potentially analyze the thermal residue left behind on keyboard keys to determine short strings of text that the user has entered - such as a password or PIN. According to a recently published research paper by scientists from the University of California, Irvine, an attacker with a mid-range thermal camera could capture the keys pressed on a regular keyboard up to one minute after the victim enters them.
“Although thermal residue dissipates over time, there is always a certain time window during which thermal energy readings can be harvested from input devices to recover recently entered, and potentially sensitive, information,” the research paper reads. “To-date there has been no systematic investigation of thermal profiles of keyboards, and thus no efforts have been made to secure them.”
The UCI researchers named the attack Thermanator. It involves an attacker placing a camera with thermal recording features near the victim; the camera must have a clear view of the victim’s keys for the attack to work.
However, the researchers found that an attacker could potentially recover the collection of keys the victim pressed, then analyze it later to infer the most likely key-press order and assemble the candidates into possible strings for use in a dictionary attack.
In a series of experiments, the UCI researchers found they were able to recover the entire collection of keys pressed by subjects in many cases. The team had 31 students enter ten passwords - both secure and insecure - on four different types of keyboards, while eight non-experts acted as the “adversaries,” conducting the Thermanator attacks and deriving the set of pressed keys from the recorded thermal imaging data.
Researchers found that the non-expert “attackers” managed to recover the entire set of key-presses when the thermal data was recorded as late as 30 seconds after the passwords were entered. They could recover partial key-press sets when the thermal data was recorded up to one minute after the keys were pressed.
Researchers found certain typing styles were more susceptible to having their key presses collected and successfully read by a threat actor using the Thermanator attack.
For instance, users who type using the “hunt and peck” technique - in which they press one key at a time with two fingers and continuously look at the keyboard - were more susceptible to this attack. Since these typists don't rest their fingertips on the keyboard home-row or hover above it, it is easy to correctly identify each bright spot on the thermal image as a key-press.
Meanwhile, “touch typists” - whose fingers are constantly in contact with or in close proximity to the home-row of the keyboard - produced thermal data that was harder for the subjects to analyze.
“In many cases, a subject was uncertain whether a key was lit on the thermal image because it was actually pressed, or because it was simply close to the home-row,” researchers said. “This uncertainty in turn led to misclassification of some keys as unpressed.”
In one case, a student with long acrylic fingernails did not use their fingertips to type but their nail-tips, which left almost no thermal residue. In fact, not even one key-press could be correctly identified. Although researchers said this is likely a rare occurrence, they did note that a user with long acrylic fingernails is “virtually immune to Thermanator Attacks.”
As threat actors continually develop new techniques to exploit human weaknesses and system vulnerabilities to steal passwords in side-channel attacks, experts have long said that passwords should be phased out to better secure data and devices.
“As formerly niche sensing devices become less and less expensive, new side-channel attacks move from ‘Mission: Impossible’ towards reality. This strongly motivates exploration of novel human-factors attacks, such as those based on Thermanator,” researchers said.