Recovering Passwords by Measuring Residual Heat

Researchers have used thermal cameras and ML guessing techniques to recover passwords by measuring the residual heat left by fingers on keyboards. From the abstract:

We detail the implementation of ThermoSecure and make a dataset of 1,500 thermal images of keyboards with heat traces resulting from input publicly available. Our first study shows that ThermoSecure successfully attacks 6-symbol, 8-symbol, 12-symbol, and 16-symbol passwords with an average accuracy of 92%, 80%, 71%, and 55% respectively, and even higher accuracy when thermal images are taken within 30 seconds. We found that typing behavior significantly impacts vulnerability to thermal attacks, where hunt-and-peck typists are more vulnerable than fast typists (92% vs 83% thermal attack success if performed within 30 seconds). The second study showed that the keycaps material has a statistically significant effect on the effectiveness of thermal attacks: ABS keycaps retain the thermal trace of users' presses for a longer period of time, making them more vulnerable to thermal attacks, with a 52% average attack accuracy compared to 14% for keyboards with PBT keycaps.

“ABS” is Acrylonitrile Butadiene Styrene, which some keys are made of. Others are made of Polybutylene Terephthalate (PBT). PBT keys are less vulnerable.

But, honestly, if someone can train a camera at your keyboard, you have bigger problems.

News article.

Posted on October 12, 2022 at 6:30 AM • 22 Comments

Comments

Austin October 12, 2022 6:51 AM

“But, honestly, if someone can train a camera at your keyboard, you have bigger problems.”
Well said. I do however appreciate this type of research and that they determine the “lifespan” of the usable residual heat on different materials. In my paranoia whenever I have people behind me at an ATM I touch several buttons during my PIN that are not part of my PIN.
Side note, every gate code entry point where I work has an easily guessable code because the unused buttons have mild corrosion.

Bilateralrope October 12, 2022 7:29 AM

if someone can train a camera at your keyboard, you have bigger problems.

Sure. But getting a single photo of it seems easier than getting video.

Bilateralrope October 12, 2022 7:35 AM

I wonder if it’s possible to design the cooling within a laptop to interfere with this attack. Though that probably will come with tradeoffs in comfort and battery life.

Clive Robinson October 12, 2022 8:15 AM

@ Sam, ALL,

Re : Where your finger has been.

“Can this be used on ATM to get the PIN of the last user?”

Long answer short, “Yes”.

Long answer, “It’s a question of energy transfer”.

That is,

1, between your finger and the surface material of the key.
2, The key to the environment it’s in.

@ Bilateralrope,

“I wonder if it’s possible to design the cooling within a laptop to interfere with this attack. “

The ability for an IR / Thermal imager to be of use depends on,

1, The energy difference
2, The speed of transmission.

Importantly remember thermal energy only moves “one way” from hot to cold so the main environment would have to be less than the surface temperature of the person’s finger. And any electronics to do this would need to be active and fast with a feedback mechanism to account for people’s disparate finger tip temperatures.

Thus a low mass metallic key cap –say etched copper– in an environment near but below skin temperature will provide the least imagable surface difference.

Whilst it sounds hard, remember harder thermal control at a much more rapid speed is done in ink-jet printers.

@ ALL,

This is not new information it’s been known and discussed for oh a couple of decades or more. I came across it originally with digital locks for security doors where the equivalent of a telescope and thermal imager were demonstrated as being able to read key touches from wall mounted digital lock panels mounted at average shoulder height. Either during or immediately after the employee had typed in or gone through the door.

It was one of the reasons for the development of those LED digital displays behind a transparent keyboard, where the digits were “supposedly” randomly displayed…

Only in some –like we’ve heard about gambling machines– somebody thought using a “Linear Feedback Shift Register”(LFSR) was “A OK” which it was not…

Neill October 12, 2022 9:40 AM

Given the recent events and the high viral loads – physical and virtual – I am very inclined to wear gloves everywhere I go. Should result in less heat transfer.

Ted October 12, 2022 9:41 AM

One cool thing the researchers note is that thermal cameras have come down in price. Mind you, this could also make thermal-based attacks more ubiquitous.

Here’s a thermal camera you can attach to your smartphone.

https://www.flir.com/flir-one/

(The company, Teledyne FLIR, notes the cameras could be useful for electricians, mechanical inspectors, automotive technicians, and HVAC professionals.)

You can see how the use of ML would make an attack like ThermoSecure more fruitful. The design setup is an interesting compilation of processing and analyses.

Bilateralrope October 12, 2022 10:11 AM

@Clive Robinson

I was actually thinking of something that moved the waste heat from the laptop’s CPU, and other internal components, to the keyboard keys.

Since that waste heat depends on how much load the CPU/GPU is under, that means the equilibrium temperature the keys reach can vary with load. That seems like a confounding factor. We are probably looking at different equilibrium temperatures for each key for a given load, requiring the attacker to know how that laptop’s cooling system behaves.

I wasn’t thinking of adding extra heat generating components due to the extra drain that puts on the laptop battery. But desktops/ATMs don’t have to worry about that power drain. They could put a small heater in each key, each set to a random temperature or heat output. One that changes on regular intervals.

Quantry October 12, 2022 11:11 AM

Regarding a noise channel against “thermal cameras” to mitigate this ancient “Sneakers” attack: (Since the camera is using infrared),

Perhaps a heat pad to warm from below, or a row of infrared LEDs beaming up to drown the ccd sensor,

Even better yet, enclose yur workstation in cammo, fire your security detail, and stop doing yer nuclear missile research in the college library.

As FBI director James Comey says regarding tape over his webcam: “There’s some sensible things you should be doing, and that’s one of them”.

Aaron October 12, 2022 12:21 PM

Some of you have come up with good ideas to mask the residual heat signatures on the keyboard but I think high tech isn’t the answer; we need low tech. Remember typing class in school? Remember those keyboard covers that the instructors would use to cover your hands over the keyboard so you couldn’t see your hands as well as your orientation to the keyboard? Yeah, use one of those and as an added bonus you’ll retrain yourself to be a proficient typist.

Bilateralrope October 12, 2022 12:31 PM

The issue I see with a keyboard cover is that we are talking about someone who takes a photo of your keyboard. Possibly while you aren’t there. So they might move the keyboard cover aside to take the photo. Then you’ve got to think about if the cover slows the normal cooling of the keys.

So you need to be careful about what the cover is made of.

Also, I wonder if closing my laptop when I move away from the desk is a good thing against this attack.

Winter October 12, 2022 3:56 PM

There are more tricks. One that was portrayed on TV was to cover the keypad of an ATM with drops of crème. Then afterwards you look which keys are smudged.

If you fear that traces of your touch might betray your pin/password, then touch the other keys too.

SpaceLifeForm October 12, 2022 5:33 PM

@ Winter, ALL

Yep. Dirt.

It is simple as Dirt to look at a keypad, and reduce the keyspace to search.

A think. Ask yourself, if you are Right-handed for example, how many characters in your password are typed from your left hand on a real keyboard (not touchscreen)?

Another think. If one mostly uses a mouse for reading, how often are they actually using the keyboard?

David October 13, 2022 12:55 AM

So petrol station credit card readers set high on the pump with the station cctv cameras looking at you from all directions?

Erdem Memisyazici October 13, 2022 3:11 AM

@Bilateralrope

I am truly uncertain as to what causes my posts to disappear on this blog however it does seem to fall into the category, so let’s hope this one goes through. Otherwise I wasted my time yet again.

Closing your laptop’s lid would not preserve the heat signatures, they would still dissipate. Second law of thermodynamics shows us that heat always works to achieve equilibrium while going from hotter object to cooler object.

The only virtual exception to this is the concept of negative temperatures (thermodynamics not kinetic energy present).

Systems with a positive temperature will increase in entropy as one adds energy to the system, while systems with a negative temperature will decrease in entropy as one adds energy to the system.

This doesn’t apply to the keyboard on your laptop, so you’d still lose that information even if you close the lid.

Clive Robinson October 13, 2022 3:50 PM

@ Rwndal,

“I’ll just type my passwords with a pencil eraser.”

Would that be one that is on or off of a pencil?

If on it would make “covering the keys” with the other hand a little painful 😉

Q October 15, 2022 1:05 AM

Just from the article alone it appears as though using one or more repeated keys could be a useful way to defeat it.

I guess the ultimate defeat would be using only two letters and type out a binary code.

Eg. “eecceeecceceeecece” (longer is better of course)

Good luck trying to reverse that when all you can see is that the “c” and “e” keys have raised temperatures. Bonus points for resting other fingers on the “Shift”, “b”, “r” and “u” keys but never pressing them, and making them heat up also. Then someone might assume the password was “Bruce”.

Naturally you have to make sure the entire session isn’t being recorded on video, otherwise all bets are off.

Clive Robinson October 15, 2022 5:16 AM

@ Q, ALL,

Re : Failings of the human mind.

“I guess the ultimate defeat would be using only two letters and type out a binary code.”

Against a “residual energy attack” on a system that allows reasonable length “paraphrases” it would.

But two points to consider,

1, Many systems still only allow or use eight character passwords, so you get limited to just over five hundred passwords[1].
2, The human mind is mostly useless at remembering what it sees as random.

The human mind was designed by evolution to see “patterns in the noise” as a way to detect predators. The result is our language assumes noise as do our brains[2]. The result is we are very very bad at remembering random, think 4 decimal digit PINS are too much for most people, and how many “mobile phone users” these days can remember even their own 7 digit or more phone numbers?

[1] That is 256 eight character passwords, plus 128 seven character passwords, plus 64 six… And so on. But… Most systems do not allow less than six character passwords so 448 passwords…

[2] It’s not generally known but until “dictionaries” became popular just a couple of centuries ago words were “spelt meny weys” and nobody cared because when pronounced phonetically “meny and many” sound sufficiently the same thus meant the same in a person’s head when read in context.
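
Added example (not part of the original post or of any comment): a simplified count of how much of a password's search space survives a thermal image, for judging the repeated-key and two-letter ideas discussed above. It assumes the image reveals only which keys were pressed, not their order or how often; the function names and the 95-symbol alphabet are assumptions of this example.

```python
from math import comb, log2

ALPHABET = 95  # assumption: printable ASCII; not a figure from the article


def exact_set_candidates(k: int, n: int) -> int:
    """Length-n strings that use every one of k heated keys at least once.

    Inclusion-exclusion over the keys left out (the number of surjections).
    Returns 0 when k > n, since n presses cannot heat more than n keys.
    """
    if k < 0 or n < 0:
        raise ValueError("k and n must be non-negative")
    return sum((-1) ** j * comb(k, j) * (k - j) ** n for j in range(k + 1))


def subset_candidates(k: int, lengths: range) -> int:
    """Strings over k keys (not all need be used), summed over allowed lengths.

    This is the looser count used in the two-letter discussion above.
    """
    return sum(k ** n for n in lengths)


def report(n: int) -> list[tuple[int, int, float, float]]:
    """Rows of (distinct keys, candidates, bits left, bits without the image)."""
    full = n * log2(ALPHABET)
    rows = []
    for k in range(1, n + 1):
        count = exact_set_candidates(k, n)
        rows.append((k, count, log2(count), full))
    return rows


if __name__ == "__main__":
    print("two keys, lengths 6-8:", subset_candidates(2, range(6, 9)))
    for n in (6, 8, 12, 16):  # password lengths from the quoted abstract
        for k, count, left, full in report(n):
            print(f"n={n:2d} keys={k:2d} candidates={count} "
                  f"bits={left:5.1f} of {full:5.1f}")
```
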

Ari Trachtenberg October 15, 2022 10:18 PM

This is old news:

Kaczmarek, Tyler, Ercan Ozturk, and Gene Tsudik. “Thermanator: Thermal Residue-Based Post Factum Attacks On Keyboard Password Entry.” arXiv preprint arXiv:1806.10189 (2018).
