Scientists have discovered a new way to capture people’s passwords, though the circumstances needed for the attack to work make the odds of it ever being used in real life fall somewhere between “astronomical” and “no freaking chance.”
Researchers at the University of California, Irvine, this week disclosed the attack, a method used for capturing user passwords by way of thermal imaging. The science behind the attack, known as Thermanator, may seem obvious once understood, but nevertheless, pondering the types of scenarios in which it might be pulled off is still a pretty entertaining exercise.
The gist of Thermanator is pretty simple: A person types their password and afterwards an image of the keyboard is captured using a thermal imaging infrared camera. The intensity of the heat on the keys registers differently based on the order in which they were pressed. The attack is rather tricky to pull off, however, because it requires not only going unnoticed while photographing the keyboard—within 45 seconds, in optimal circumstances—but also convincing the person to immediately stop touching the keyboard after the password is typed.
Frankly, there are so many easier ways to steal a password. That said, there are a few properties of thermal radiation that make this attack both fun and interesting to consider, even if it is a bit unrealistic.
The first thing to know is that the amount of heat transferred between a human finger and a key on a keyboard relies entirely on the amount of pressure applied. With the right device—a thermography camera, specifically—you can easily distinguish between keys that have been pressed or not pressed or one that’s merely had a finger resting on it, the researchers found.
Of course, there are keyboards today that require very little finger pressure. One with Cherry MX Black switches, for instance, requires a mere 60 centinewtons (cN) to actuate (roughly 0.13 lbs). If you’re typing on such a keyboard, the amount of heat conducted would be reduced, compared to your run-of-the-mill Logitech keyboard pulled off a shelf at PC World. None of this matters, of course, if the attacker can snap a photo of the keyboard in the first few seconds.
It seems obvious, but heat transferred to an object cools over a period of time contingent on the amount of heat conducted and the ambient temperature of the object’s environment. As mentioned, the amount of heat transferred as relevant to the Thermanator attack is relative to the amount of pressure applied to the keyboard. But the cooling effect is what’s absolutely crucial for Thermanator. Heat loss is almost instantaneously observable. This means that if 10 keys are pressed in rapid succession, the order in which they were pressed is detectable for a short period of time.
How long exactly does it take a key to cool off? Longer than you might think. But to accurately capture a password there are a number of other variables to consider, including how well the typist types and the complexity of the password itself.
According to the researchers, the password “12341234” is recoverable up to 45 seconds after it’s typed by a “hunt-and-peck” typist. That is, a person who doesn’t rest their fingers on the home-row keys. Touch typists, those whose fingers do rest on the home row, are less vulnerable to the attack because they’re constantly transferring heat to random keys as they type.
Therefore, while a bad typist using a crappy password remains vulnerable for a relatively long period of time, a complex password entered by a touch typist (for example: “jxM#1CT”) may only be recovered within roughly 14 to 19 seconds. That’s a short window to capture an image of the keyboard unnoticed while distracting the person in order to get their hands away from the keyboard.
Obviously, the circumstances in which an attack this sophisticated is most likely to be used would involve a security-conscious individual whose password can’t be obtained by simpler means, such as via a phishing attack or through use of a keylogger program. If the target isn’t stupid enough to fall for the easier attack vector, the likelihood of them using a complex password would seem higher.
What’s more, if Thermanator isn’t an insider threat—i.e., carried out by a colleague or someone whose presence isn’t conspicuous—there’s always the matter of infiltrating the area and not appearing conspicuous waving a FLIR thermal-imaging camera around.
There are several mitigation options for anyone unobservant enough to not notice a person standing directly over their shoulder with a thermal camera. For example, one of the subjects that took part in the Thermanator research wore acrylic nails and left behind no measurable amount of thermal residue. If nails aren’t really your thing, there’s a much simpler method: After you type your password and hit enter, just run your hand across all the keys like you’re Jerry Lee Lewis, leaving thermal residue everywhere.
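To make the cooling argument and the “smear the keys” mitigation concrete, here is a toy model written for this article; it is not code from the UC Irvine researchers, and every number in it (room temperature, heat deposited per press, the 20-second cooling time constant, the 0.5-second hunt-and-peck interval, the per-key pressure variation of a smear) is an assumption chosen for illustration rather than a measurement from the study. Keys cool exponentially toward ambient, so among keys pressed once each, the coolest one was pressed first. Brushing every key after hitting enter dumps fresh, uneven heat onto the whole keyboard, and the same ranking heuristic then returns a sixty-odd-key jumble instead of the password.

```python
import math

# Toy Newton's-law-of-cooling model of keyboard thermal residue (added illustration).
# Every constant is an assumption for readability, not a measurement from the study.
AMBIENT_C = 22.0        # assumed baseline keycap temperature (room temperature)
PRESS_DELTA_C = 4.0     # assumed temperature rise left by one deliberate keypress
TAU_S = 20.0            # assumed cooling time constant of a keycap, in seconds


def residue(delta_c, elapsed_s, tau_s=TAU_S):
    """Excess temperature (above ambient) still left by a contact that deposited
    delta_c degrees elapsed_s seconds ago, under exponential cooling."""
    return delta_c * math.exp(-elapsed_s / tau_s)


def simulate(events, capture_time_s):
    """events: iterable of (key, time_s, delta_c). Returns {key: excess C at capture}.
    Heat from repeated contacts on the same key simply adds up."""
    temps = {}
    for key, t, delta in events:
        if t <= capture_time_s:
            temps[key] = temps.get(key, 0.0) + residue(delta, capture_time_s - t)
    return temps


def rank_by_residue(temps, threshold_c=0.1):
    """The article's ordering heuristic: among keys still measurably warm,
    the coolest was pressed first. Returns keys in inferred press order."""
    warm = [(k, v) for k, v in temps.items() if v >= threshold_c]
    return [k for k, _ in sorted(warm, key=lambda kv: kv[1])]


def hunt_and_peck(password, start_s=0.0, interval_s=0.5):
    """A hunt-and-peck typist: one deliberate press per character, no other keys touched."""
    return [(ch, start_s + i * interval_s, PRESS_DELTA_C) for i, ch in enumerate(password)]


def smear_all_keys(keys, at_s):
    """Mitigation from the article: run a hand across every key after hitting enter.
    Pressure varies from key to key, so deposited heat varies (assumed 2 to 5 C)."""
    return [(k, at_s, 2.0 + 3.0 * ((i * 7) % 5) / 4.0) for i, k in enumerate(keys)]


PASSWORD = "jxM#1CT"    # the article's example password; all keys distinct
KEYBOARD = list("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789#")


def unmitigated_recovery(capture_time_s=10.0):
    """Thermal image taken 10 s after the typist started, hands off the keyboard."""
    return rank_by_residue(simulate(hunt_and_peck(PASSWORD), capture_time_s))


def mitigated_recovery(capture_time_s=10.0):
    """Same capture, but the typist smeared the whole keyboard 3.5 s in (after enter)."""
    events = hunt_and_peck(PASSWORD) + smear_all_keys(KEYBOARD, at_s=3.5)
    return rank_by_residue(simulate(events, capture_time_s))


if __name__ == "__main__":
    print("no mitigation, inferred order:", "".join(unmitigated_recovery()))
    ranking = mitigated_recovery()
    print("after smearing:", len(ranking), "warm keys; first seven:", "".join(ranking[:7]))
```

With the assumed constants, the unmitigated run hands back the exact press order, while the smeared keyboard leaves every key warm and pushes the password characters into the middle of a ranking dominated by keys that were never part of it. The model also makes the touch-typist point visible: any extra contact on the home row at a different time and pressure is just another event in `simulate`, and it breaks the clean monotonic ordering the heuristic depends on.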
For 99.999 per cent of users, the only time they’re likely to see a Thermanator attack is while watching Mission Impossible. But that also may be why it’s cool as hell.