TECH

Scientists find ways to steal passwords using thermal imaging of keyboard
Scientists have discovered a new way to capture people's passwords, even though the circumstances required for the attack to work make it one day in real life to be between "astronomical" and "no chance".Researchers at the University of California at Irvine this week unveiled the attack, a method used to capture user passwords through thermal imaging. The science behind the attack, known as the "Thermanator," may seem obvious since, however, pondering the kinds of scenarios in which it can be used is still a very fun exercise.The essence of Thermanator is quite simple: a person types their password, and then a keyboard image is captured using an infrared thermal imaging camera. The heat intensity on the keys is recorded differently, based on the order in which they were pressed. However, the attack is quite complicated because it requires not only to go undetected while photographing the keyboard - in 45 seconds under ideal circumstances - but also to persuade the person to immediately stop playing the keyboard after the password is entered.Honestly, there are many easier ways to steal a password. That said, there are some properties of thermal radiation that make this attack fun and interesting to consider, even if it's a bit unrealistic.
The first thing to know is that the amount of heat transferred between a human finger and a key on a keyboard depends entirely on the amount of pressure applied. With the right device - a camera of thermography, specifically - you can easily distinguish between keys that were pressed or not pressed or one that has only one finger on it, the researchers found.Of course, there are keyboards currently requiring very little finger pressure. One with Cherry MX Black switches, for example, requires only 60 centinewtons (cN) to operate (approximately 0.05 kg). Assuming you're taking advantage of that, the amount of heat driven would be reduced, compared to Logitech's routine keyboard, for example, freshly pulled from a Walmart shelf. None of this matters, of course, if the attacker can get a picture of the keyboard in the first few seconds.It seems obvious, but the heat transferred to an object cools over a period of time which depends on the amount of heat conducted and the temperature of the environment in which the object is. As mentioned, the amount of heat transferred as relevant to the Thermanator attack is relative to the amount of pressure applied to the keyboard. But the cooling effect is absolutely crucial for Thermanator. The loss of heat is almost instantly observable. This means that if ten keys are pressed in rapid succession, the order in which they were pressed will be detected for a short time.
How long does it take for a key to cool down? More than you imagine. But to accurately capture a password, there are several other variables to consider, including how well the typist types and the complexity of the password itself.According to the researchers, the password "12341234" is recoverable up to 45 seconds after typing by a "handle-corn" typist. That is, a person who does not rest his fingers on the keys of the starting line. Touch typists, those whose fingers rest on the starting line, are less vulnerable to attack because they are constantly transferring heat to random keys as they type.Therefore, while a bad digitizer using a low-quality password remains vulnerable for a relatively long period of time, a complex password typed by a touch digitizer (eg "jxM # 1CT") can only be retrieved within approximately 14 a 19 seconds. This is a small window for capturing a picture of the keyboard unnoticed while distracting the person to take their hands off the keyboard.Of course, the circumstances in which such a sophisticated attack is more likely to be used would involve a security-conscious individual whose password could not be obtained by simpler means, such as a phishing attack or the use of a keylogger program. If the target is not stupid enough to fall into the simplest attack vector, the probability of them using a complex password should be higher.
Also, if Thermanator is not an internal threat, that is, performed by a colleague or someone whose presence is not visible, there is always the question of infiltrating the area and not giving a peek by swinging a FLIR thermal image camera to here and there.There are several mitigation options for those who are not insightful enough to notice a person standing directly on their shoulder with a thermal camera. For example, one of the people who participated in the Thermanator survey used acrylic nails and left no measurable amount of thermal residue. If neat fingernails are not your style, there is a much simpler method: after entering your password and pressing enter, you simply move your hand across all keys, leaving thermal waste everywhere.For 99.999% of users, the only time they will likely see a Thermanator attack is while watching Mission Impossible. But it may also be exactly why this method is so cool.



Gizmodo.com