Thermanator Attack Steals Passwords by Reading Thermal Residue on Keyboards

True story: A friend who was a heavy smoker asked me to fix his computer. I went to his house and saw the beige desktop and CRT were stained tobacco brown from second hand smoke. After fixing his &quot;screen&#x27;s all blurry&quot; problem with some Windex I was ready to go in and see what kind of spyware and viruses he had managed to install on the machine.<p>I was about to ask for his password when I noticed the only spots not covered in ashes on his keyboard were the W, S, C, B, U, N, and I keys. Knowing he was a die hard Chicago Cubs fan it took me one try to guess the password: cubswin.<p>It was a nasty job but he was a good friend so I got his machine all straightened out for him without judgement.<p>The things I do for beer...

&gt;Attackers need to be able to place a camera with thermal recording features near a victim, and the camera must have a clear view of the keys for the Thermanator attack to work.<p>Wouldn&#x27;t be easier to just set up a regular video camera which can be the size of a jacket button?

&gt; The research team argues that it may be time to move away from passwords as a means to secure user data and equipment.<p>Many people have expressed this sentiment. By all means we should be using two-factor authentication everywhere. But what, besides a password, has the critical property of residing entirely within your mind and not being obtainable without your cooperation (barring issues like this)?<p>Physical tokens can be stolen. Biometrics can be obtained and forged, or physically coerced. Authenticating via a secondary device (such as a phone) just moves the problem to &quot;how do you authenticate to that device&quot;.<p>On the other hand, if you ever type in your password in a place where someone can record you, someone could figure out your password, or at least get enough information to make it easier to brute-force your password.<p>Short of a challenge-response scheme that you can compute entirely within your mind without scratch materials, what could we use that would address both problems? Something that can&#x27;t simply be stolen or used without your cooperation, but that also isn&#x27;t potentially disclosed in reusable form every time you use it?

Former NASA engineer turned YouTube science fun guy Mark Rober explained this attack in 2014 <a href="https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=8Vc-69M-UWk" rel="nofollow">https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=8Vc-69M-UWk</a><p>and references this 2011 UCSD paper Heat of the moment: characterizing the efficacy of thermal camera-based attacks<p><a href="https:&#x2F;&#x2F;dl.acm.org&#x2F;citation.cfm?id=2028058" rel="nofollow">https:&#x2F;&#x2F;dl.acm.org&#x2F;citation.cfm?id=2028058</a><p>So not sure what the Thermanator folks are adding here...<p>EDIT: Thermanator paper cites the UCSD research, focuses on qwerty keyboards, updated technology for thermal cameras, comparisons to other attack vectors for public password entry (when you are at coffee shop, airport, ATM etc.).

This is exactly how Theora Jones defeats Bryce Lynch&#x27;s keypad in Max Headroom (Blipverts episode)...in 1987. :)

&gt; THERMANATOR - The hottest attack of the summer! Coming soon to a computer near you!<p>Are our jobs really this dull that we have to give our projects stupid hollywood names

When I use an ATM, I always run my fingers along all of the keys after entering my pin. Nice to know it&#x27;s not totally crazy.

Apparently the attacker has never seen my macbook air running a heavy compilation job. Fan is cranked and the keyboard is so hot that there is no way they are getting my password!<p>Nothing but noise to a thermal camera...

I tried this using a flir one on my iPhone.<p><a href="https:&#x2F;&#x2F;youtu.be&#x2F;IMxZQ922rLs" rel="nofollow">https:&#x2F;&#x2F;youtu.be&#x2F;IMxZQ922rLs</a><p>Sorry, it sounds like a really good idea, but it just doesn&#x27;t work very well in practise.<p>The users fingers don&#x27;t sit on the keys long enough to transfer enough heat to last. Just use a standard video camera if this is your thing.

great job getting by my mission impossible style laser beams, hackerman<p>now please enter your non-SMS two-factor authentication code

I like how this exact attack is used in the Splinter Cell games.

Makes me wonder if you could achieve a similar effect by spraying some residue over the keypad before the victim uses it, then looking at it after PIN entry. For example, a fluorescing dust. As well a special fingerprinting powders (e.g. <a href="https:&#x2F;&#x2F;optimumtechnology.com.au&#x2F;latent-fingerprint-powders&#x2F;" rel="nofollow">https:&#x2F;&#x2F;optimumtechnology.com.au&#x2F;latent-fingerprint-powders&#x2F;</a>) you can get stuff from art supplies stores: <a href="https:&#x2F;&#x2F;www.glowpaint.com.au&#x2F;blue-uv-black-light-powder&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.glowpaint.com.au&#x2F;blue-uv-black-light-powder&#x2F;</a> .<p>There is also thermochromic ink, e.g. a grey ink that changes to colourless at 15C. <a href="http:&#x2F;&#x2F;www.smarol.com&#x2F;Ultraviolet-Fluorescent-Powder.html" rel="nofollow">http:&#x2F;&#x2F;www.smarol.com&#x2F;Ultraviolet-Fluorescent-Powder.html</a><p>At this point, I don&#x27;t think it is viable to pretend that long lifetime secrets, like your bank PIN, are safe if entered into hundreds of different keypads in insecure settings.

I thought I read about this thing a long time ago, maybe on Brian Krebs&#x27; blog (?) but I can&#x27;t find it. It was in the context of ATMs but the idea seems the same. All I can find at the moment, also on ATMs, is this from last year:<p><a href="https:&#x2F;&#x2F;www.albany.edu&#x2F;iasymposium&#x2F;proceedings&#x2F;2017&#x2F;Study%20of%20Potential%20-%20P15.pdf" rel="nofollow">https:&#x2F;&#x2F;www.albany.edu&#x2F;iasymposium&#x2F;proceedings&#x2F;2017&#x2F;Study%20...</a><p>EDIT: That paper is actually cited in this work. They don&#x27;t discuss the novelty of their approach compared to this though. Just a bigger search space due to more keys?

at first, this seems completely harmless, but there are a few scenarios in which this could potentially be a viable attack.<p>I doubt it&#x27;s much use on computers, but imagine someone rigging a candid infrared camera across the street from an ATM. You&#x27;d block the cameras view while typing, but then you leave and it&#x27;s game over.

How is it 2018 and I can enable 2-factor auth on Twitter but not where I withdraw money from my bank account?

Not exactly novel research, the earliest mention I could quickly find of pretty much the same idea was from <i>2005</i><p><a href="http:&#x2F;&#x2F;lcamtuf.coredump.cx&#x2F;tsafe&#x2F;" rel="nofollow">http:&#x2F;&#x2F;lcamtuf.coredump.cx&#x2F;tsafe&#x2F;</a><p>and then dozen different iterations since then.

If the adversary has the level of physical access required to pull this off you&#x27;ve already lost.

I&#x27;ve always thought you could predict the characters in a password by looking at the oil&#x2F;polish on the keycaps.<p>I always figured this could be an attack someday. But didn&#x27;t know the tech was cheap enough&#x2F;sensitive enough yet. I need to start being more paranoid.

Probably a good idea to repeat at least one character.

This seems like it&#x27;s probably more crucial for pins terminals at ATMS and such.

Is the link down due to the HN hug of death? Edit: Seems back now...

would continuing to type or holding the keys after&#x2F;before entering my password help?