Thermanator Attack Steals Passwords by Reading Thermal Residue on Keyboards (opens in new tab)

(bleepingcomputer.com)

96 pointsshreyanshd7y ago90 comments

90 comments

True story: A friend who was a heavy smoker asked me to fix his computer. I went to his house and saw the beige desktop and CRT were stained tobacco brown from second hand smoke. After fixing his "screen's all blurry" problem with some Windex I was ready to go in and see what kind of spyware and viruses he had managed to install on the machine.

I was about to ask for his password when I noticed the only spots not covered in ashes on his keyboard were the W, S, C, B, U, N, and I keys. Knowing he was a die hard Chicago Cubs fan it took me one try to guess the password: cubswin.

It was a nasty job but he was a good friend so I got his machine all straightened out for him without judgement.

The things I do for beer...

jwilk7y ago

Isn't Windex bad for computer screens?

https://news.ycombinator.com/item?id=17416298 says "no Windex, as tempting as it might be!"

sevensor7y ago

It's fine for CRTs as far as I know. And even if it's not, it's probably an improvement on tar.

bbeonx7y ago

I'm guessing this was a while ago when screens were still glass bubbles

blattimwind7y ago

> CRT

neuralRiot7y ago

>Attackers need to be able to place a camera with thermal recording features near a victim, and the camera must have a clear view of the keys for the Thermanator attack to work.

Wouldn't be easier to just set up a regular video camera which can be the size of a jacket button?

JoshTriplett7y ago

> The research team argues that it may be time to move away from passwords as a means to secure user data and equipment.

Many people have expressed this sentiment. By all means we should be using two-factor authentication everywhere. But what, besides a password, has the critical property of residing entirely within your mind and not being obtainable without your cooperation (barring issues like this)?

Physical tokens can be stolen. Biometrics can be obtained and forged, or physically coerced. Authenticating via a secondary device (such as a phone) just moves the problem to "how do you authenticate to that device".

On the other hand, if you ever type in your password in a place where someone can record you, someone could figure out your password, or at least get enough information to make it easier to brute-force your password.

Short of a challenge-response scheme that you can compute entirely within your mind without scratch materials, what could we use that would address both problems? Something that can't simply be stolen or used without your cooperation, but that also isn't potentially disclosed in reusable form every time you use it?

cortesoft7y ago

Yeah, and you can't rotate your fingerprints or retinal scans.

seandougall7y ago

If you only train one fingerprint at a time, most people can rotate up to nine times. It's a bit inconvenient, though. :)

1 more reply

brewdad7y ago

Would holding your finger upside down on the scanner work?

(Nope. My Nexus 5X unlocks no matter the orientation of my finger)

jmcmaster7y ago

Former NASA engineer turned YouTube science fun guy Mark Rober explained this attack in 2014 https://www.youtube.com/watch?v=8Vc-69M-UWk

and references this 2011 UCSD paper Heat of the moment: characterizing the efficacy of thermal camera-based attacks

https://dl.acm.org/citation.cfm?id=2028058

So not sure what the Thermanator folks are adding here...

EDIT: Thermanator paper cites the UCSD research, focuses on qwerty keyboards, updated technology for thermal cameras, comparisons to other attack vectors for public password entry (when you are at coffee shop, airport, ATM etc.).

neoteo7y ago

This is exactly how Theora Jones defeats Bryce Lynch's keypad in Max Headroom (Blipverts episode)...in 1987. :)

closetohome7y ago

Ha! I was going to reference Splinter Cell, but that's probably where they got it from.

fabricexpert7y ago

> THERMANATOR - The hottest attack of the summer! Coming soon to a computer near you!

Are our jobs really this dull that we have to give our projects stupid hollywood names

qop7y ago

Counterpoint:

What if you could say "Yeah boss, Thermanator is complete and ready to be unleashed." and mean it?

I spent thirty years turning in shit like "PrimitiveSpoofAttackDHCP" and "TCPThreadPoolFlooder" but now I'm realizing I couldve been writing bond villain superweapons all this time.

krageon7y ago

I thought naming things was one of those aspects of the job which can be nice and entertaining. It's easy to remember, where is the harm in this?

e12e7y ago

Clearly the naming is wrong anyway - while the terminator saw in monochrome (infra?)red, thermal vision surely points to Predator, not The Terminator...

0xdeadbeefbabe7y ago

Makes me wonder about the variable names.

_raoulcousins7y ago

When I use an ATM, I always run my fingers along all of the keys after entering my pin. Nice to know it's not totally crazy.

jfktrey7y ago

The classic opsec-germs tradeoff

tzakrajs7y ago

You can also use something other than your fingers to press the buttons.

blobbers7y ago

Apparently the attacker has never seen my macbook air running a heavy compilation job. Fan is cranked and the keyboard is so hot that there is no way they are getting my password!

Nothing but noise to a thermal camera...

nomel7y ago

Maybe they would look for cool spots. I assume you would only run into problems where the key was the same temperature as your finger.

blobbers7y ago

I was half making a joke... but I believe if you have a large external thermal source or sink the time for keys to renormalize would be dramatically shorter.

sbhn7y ago

I tried this using a flir one on my iPhone.

https://youtu.be/IMxZQ922rLs

Sorry, it sounds like a really good idea, but it just doesn't work very well in practise.

The users fingers don't sit on the keys long enough to transfer enough heat to last. Just use a standard video camera if this is your thing.

Talyen427y ago

great job getting by my mission impossible style laser beams, hackerman

now please enter your non-SMS two-factor authentication code

grumio7y ago

I like how this exact attack is used in the Splinter Cell games.

mieseratte7y ago

I knew I saw this somewhere!

I wonder what other security issues / lessons I internalized from that game...

blattimwind7y ago

Don't have open man-sized vents lead into your SCIF?

1 more reply

angry_octet7y ago

Makes me wonder if you could achieve a similar effect by spraying some residue over the keypad before the victim uses it, then looking at it after PIN entry. For example, a fluorescing dust. As well a special fingerprinting powders (e.g. https://optimumtechnology.com.au/latent-fingerprint-powders/) you can get stuff from art supplies stores: https://www.glowpaint.com.au/blue-uv-black-light-powder/ .

There is also thermochromic ink, e.g. a grey ink that changes to colourless at 15C. http://www.smarol.com/Ultraviolet-Fluorescent-Powder.html

At this point, I don't think it is viable to pretend that long lifetime secrets, like your bank PIN, are safe if entered into hundreds of different keypads in insecure settings.

black_puppydog7y ago

I thought I read about this thing a long time ago, maybe on Brian Krebs' blog (?) but I can't find it. It was in the context of ATMs but the idea seems the same. All I can find at the moment, also on ATMs, is this from last year:

https://www.albany.edu/iasymposium/proceedings/2017/Study%20...

EDIT: That paper is actually cited in this work. They don't discuss the novelty of their approach compared to this though. Just a bigger search space due to more keys?

chris_mc7y ago

I always heard you should type your PIN at the ATM, then touch all of the buttons a bunch to block this ability. That way they only see that all the buttons were touched, not your PIN. Especially important now that thermal cameras (crappy ones) are pretty cheap.

mikec30107y ago

Why should I care? It's the bank's responsibility to secure their equipment and refund any dollars stolen from me.

1 more reply

amarant7y ago

at first, this seems completely harmless, but there are a few scenarios in which this could potentially be a viable attack.

I doubt it's much use on computers, but imagine someone rigging a candid infrared camera across the street from an ATM. You'd block the cameras view while typing, but then you leave and it's game over.

faitswulff7y ago

This is a fairly well known attack on ATMs with plastic keys, but last I heard metal keys make it nearly impossible to carry out.

rafaele7y ago

Whenever possible I type in the PIN with a house key or car key. That way there's little, if not none at all, heat left behind and I don't have to contact a germ-laden touchpad. #germaphobe

amarant7y ago

replace ATM with the CC terminal in your favorite foodtruck then. this is even better, since you're not likely to type in a withdrawal amount into those (and thus adding noise by pressing more keys)

same thing goes, but they're rarely made of metal

1 more reply

raverbashing7y ago

Well you still have to get the order right, though it might be possible to have an idea through the temperature differences

IshKebab7y ago

Yeah metal reflects thermal IR like a mirror.

1 more reply

neuralRiot7y ago

A thermal camera that have enough resolution to get individual keys from across the street is not gonna be cheap, A 1.8Mpx @30Hz is above $20k without lens.

no_one_ever7y ago

This is why I habitually run my fingers across the keypad after entering my PIN. Paranoid thinking? Maybe.

privacypoller7y ago

I do something similar but I think it's far more likely that a cheap webcam is positioned where it can view the keypad of those who don't screen it well. I always throw in a few "phantom" keypresses when entering a pin for my cc or bank card.

chenning7y ago

How is it 2018 and I can enable 2-factor auth on Twitter but not where I withdraw money from my bank account?

mrguyorama7y ago

Is an ATM card and PIN not two factors?

moftz7y ago

I can wire my entire bank account away without any 2FA with online banking. My bank just started doing SMS verification for new devices but that's still not really enough. Like just get on the TOPT train and leave it alone.

3 more replies

chenning7y ago

Yes. I didn't really consider that. I was thinking more along the lines of an expiring token. If you had to punch it in, someone who came around and Thermanator'd it would always be too late.

zokier7y ago

Not exactly novel research, the earliest mention I could quickly find of pretty much the same idea was from 2005

http://lcamtuf.coredump.cx/tsafe/

and then dozen different iterations since then.

dsfyu404ed7y ago

If the adversary has the level of physical access required to pull this off you've already lost.

DylanBohlender7y ago

Exactly. If the adversary has a camera pointed at your keyboard, they can even possibly attempt the more radical (and indefensible) “I literally recorded what you typed” attack. Scary stuff.

biggerfisch7y ago

I think the argument here is that, since it can happen 30s later, you could enter your password, look at the screen, lock your screen & walk away, without being safe. Imagine a location where the mobo itself is secure enough to prevent anyone from quickly inserting something, but anyone could have quick access to the keyboard & monitor.

In that (highly contrived) situation, this attack is useful, since all you'd need is a quick thermal pic, no longer recording needed.

1 more reply

_verandaguy7y ago

Indefensible is debatable. It can be defeated using any of the major 2FA mechanisms (FIDO U2F, HOTP/TOTP come to mind).

1 more reply

protonimitate7y ago

What's that saying, 'physical access is total access'?

_verandaguy7y ago

Physical access is often considered total access in the infosec community.

It implies the ability to, with enough prep time ahead of the actual physical access, inject malware through a physical interface (USB flash drive, rogue peripheral/HID, directly interfacing with an existing HID device), among others.

Edit: and in this case it includes planting cameras and other recording devices which can be assumed to have effectively limitless video/audio resolution.

1 more reply

Uberphallus7y ago

One can easily attach a long tele lens to one of these cameras, so one could capture passwords through windows. Specialized IR lenses are expensive, but regular lenses can do a good enough job.

Edit: my bad IR doesn't go through most glass material. Still, laptops are commonly used in public, and through lenses or otherwise, your password can be leaked. That's worrying enough to stop the "physical access means total access" adagio in this thread.

_trampeltier7y ago

Good IR tele lenses are not just expensive, the don't even have prices, they have "phone numbers". So you would have to get money from really a lot of people just to pay they IR camera and the lenses.

1 more reply

dharma17y ago

Thermal cameras don't really work through glass

1 more reply

spitfire7y ago

I've always thought you could predict the characters in a password by looking at the oil/polish on the keycaps.

I always figured this could be an attack someday. But didn't know the tech was cheap enough/sensitive enough yet. I need to start being more paranoid.

r00fus7y ago

Which is why keeping your keyboards wiped down (I use baby wipes) isn't just for compulsives.

It's a hygiene and security best practice.

bluGill7y ago

The oils on my fingers attack the print on my keyboard. After a few years the "home row" is very faded. Fortunately my password is not something I type enough other things that you can figure out passwords out based on this.

stretchwithme7y ago

Probably a good idea to repeat at least one character.

deno7y ago

Depends on what the password is for. If it can be brute forced offline then you’ll need a lot more than one character to make any difference.

stretchwithme7y ago

I think you missed my point. If you use a key more than once, heat can't be used to figure out the first time that key was pressed. Only the second press of it can be deduced.

1 more reply

bbeonx7y ago

Yeah, and just use lots of characters. And at least one use of the shift key :)

eurticket7y ago

This seems like it's probably more crucial for pins terminals at ATMS and such.

orliesaurus7y ago

Is the link down due to the HN hug of death? Edit: Seems back now...

whatcanthisbee7y ago

would continuing to type or holding the keys after/before entering my password help?

_trampeltier7y ago

Yes. Just hold your fingers over some random keys after inserting the card and wait to enter the pin. And after that just keep your hand over the keypad while you wait for the money.

(I work for over 10 years with thermal cameras and know the limits)

Uberphallus7y ago

Slightly, as well as removing^H^H^H^H^H^H^H^Hdeleting characters, but the picture invariably shows the keys used, so it will in any case reduce the complexity of brute force attacks by several orders of magnitude.

ajuc7y ago

If I was an attacker and had easy to recover footage and weird "whole keyboard is highlighted" footage - I would just discard the bad footage.

whatcanthisbee7y ago

so is the hardware keys the only answer?

j / k navigate · click thread line to collapse

90 comments

edmanet7y ago

It was a nasty job but he was a good friend so I got his machine all straightened out for him without judgement.

The things I do for beer...

jwilk7y ago

Isn't Windex bad for computer screens?

https://news.ycombinator.com/item?id=17416298 says "no Windex, as tempting as it might be!"

sevensor7y ago

It's fine for CRTs as far as I know. And even if it's not, it's probably an improvement on tar.

bbeonx7y ago

I'm guessing this was a while ago when screens were still glass bubbles

blattimwind7y ago

> CRT

neuralRiot7y ago

>Attackers need to be able to place a camera with thermal recording features near a victim, and the camera must have a clear view of the keys for the Thermanator attack to work.

Wouldn't be easier to just set up a regular video camera which can be the size of a jacket button?

JoshTriplett7y ago

> The research team argues that it may be time to move away from passwords as a means to secure user data and equipment.

cortesoft7y ago

Yeah, and you can't rotate your fingerprints or retinal scans.

seandougall7y ago

If you only train one fingerprint at a time, most people can rotate up to nine times. It's a bit inconvenient, though. :)

1 more reply

brewdad7y ago

Would holding your finger upside down on the scanner work?

(Nope. My Nexus 5X unlocks no matter the orientation of my finger)

jmcmaster7y ago

Former NASA engineer turned YouTube science fun guy Mark Rober explained this attack in 2014 https://www.youtube.com/watch?v=8Vc-69M-UWk

and references this 2011 UCSD paper Heat of the moment: characterizing the efficacy of thermal camera-based attacks

https://dl.acm.org/citation.cfm?id=2028058

So not sure what the Thermanator folks are adding here...

neoteo7y ago

This is exactly how Theora Jones defeats Bryce Lynch's keypad in Max Headroom (Blipverts episode)...in 1987. :)

closetohome7y ago

Ha! I was going to reference Splinter Cell, but that's probably where they got it from.

fabricexpert7y ago

> THERMANATOR - The hottest attack of the summer! Coming soon to a computer near you!

Are our jobs really this dull that we have to give our projects stupid hollywood names

qop7y ago

Counterpoint:

What if you could say "Yeah boss, Thermanator is complete and ready to be unleashed." and mean it?

I spent thirty years turning in shit like "PrimitiveSpoofAttackDHCP" and "TCPThreadPoolFlooder" but now I'm realizing I couldve been writing bond villain superweapons all this time.

krageon7y ago

I thought naming things was one of those aspects of the job which can be nice and entertaining. It's easy to remember, where is the harm in this?

e12e7y ago

Clearly the naming is wrong anyway - while the terminator saw in monochrome (infra?)red, thermal vision surely points to Predator, not The Terminator...

0xdeadbeefbabe7y ago

Makes me wonder about the variable names.

_raoulcousins7y ago

When I use an ATM, I always run my fingers along all of the keys after entering my pin. Nice to know it's not totally crazy.

jfktrey7y ago

The classic opsec-germs tradeoff

tzakrajs7y ago

You can also use something other than your fingers to press the buttons.

blobbers7y ago

Apparently the attacker has never seen my macbook air running a heavy compilation job. Fan is cranked and the keyboard is so hot that there is no way they are getting my password!

Nothing but noise to a thermal camera...

nomel7y ago

Maybe they would look for cool spots. I assume you would only run into problems where the key was the same temperature as your finger.

blobbers7y ago

I was half making a joke... but I believe if you have a large external thermal source or sink the time for keys to renormalize would be dramatically shorter.

sbhn7y ago

I tried this using a flir one on my iPhone.

https://youtu.be/IMxZQ922rLs

Sorry, it sounds like a really good idea, but it just doesn't work very well in practise.

The users fingers don't sit on the keys long enough to transfer enough heat to last. Just use a standard video camera if this is your thing.

Talyen427y ago

great job getting by my mission impossible style laser beams, hackerman

now please enter your non-SMS two-factor authentication code

grumio7y ago

I like how this exact attack is used in the Splinter Cell games.

mieseratte7y ago

I knew I saw this somewhere!

I wonder what other security issues / lessons I internalized from that game...

blattimwind7y ago

Don't have open man-sized vents lead into your SCIF?

1 more reply

angry_octet7y ago

There is also thermochromic ink, e.g. a grey ink that changes to colourless at 15C. http://www.smarol.com/Ultraviolet-Fluorescent-Powder.html

At this point, I don't think it is viable to pretend that long lifetime secrets, like your bank PIN, are safe if entered into hundreds of different keypads in insecure settings.

black_puppydog7y ago

https://www.albany.edu/iasymposium/proceedings/2017/Study%20...

EDIT: That paper is actually cited in this work. They don't discuss the novelty of their approach compared to this though. Just a bigger search space due to more keys?

chris_mc7y ago

mikec30107y ago

Why should I care? It's the bank's responsibility to secure their equipment and refund any dollars stolen from me.

1 more reply

amarant7y ago

at first, this seems completely harmless, but there are a few scenarios in which this could potentially be a viable attack.

faitswulff7y ago

This is a fairly well known attack on ATMs with plastic keys, but last I heard metal keys make it nearly impossible to carry out.

rafaele7y ago

Whenever possible I type in the PIN with a house key or car key. That way there's little, if not none at all, heat left behind and I don't have to contact a germ-laden touchpad. #germaphobe

amarant7y ago

replace ATM with the CC terminal in your favorite foodtruck then. this is even better, since you're not likely to type in a withdrawal amount into those (and thus adding noise by pressing more keys)

same thing goes, but they're rarely made of metal

1 more reply

raverbashing7y ago

Well you still have to get the order right, though it might be possible to have an idea through the temperature differences

IshKebab7y ago

Yeah metal reflects thermal IR like a mirror.

1 more reply

neuralRiot7y ago

A thermal camera that have enough resolution to get individual keys from across the street is not gonna be cheap, A 1.8Mpx @30Hz is above $20k without lens.

no_one_ever7y ago

This is why I habitually run my fingers across the keypad after entering my PIN. Paranoid thinking? Maybe.

privacypoller7y ago

chenning7y ago

How is it 2018 and I can enable 2-factor auth on Twitter but not where I withdraw money from my bank account?

mrguyorama7y ago

Is an ATM card and PIN not two factors?

moftz7y ago

3 more replies

chenning7y ago

Yes. I didn't really consider that. I was thinking more along the lines of an expiring token. If you had to punch it in, someone who came around and Thermanator'd it would always be too late.

zokier7y ago

Not exactly novel research, the earliest mention I could quickly find of pretty much the same idea was from 2005

http://lcamtuf.coredump.cx/tsafe/

and then dozen different iterations since then.

dsfyu404ed7y ago

If the adversary has the level of physical access required to pull this off you've already lost.

DylanBohlender7y ago

Exactly. If the adversary has a camera pointed at your keyboard, they can even possibly attempt the more radical (and indefensible) “I literally recorded what you typed” attack. Scary stuff.

biggerfisch7y ago

In that (highly contrived) situation, this attack is useful, since all you'd need is a quick thermal pic, no longer recording needed.

1 more reply

_verandaguy7y ago

Indefensible is debatable. It can be defeated using any of the major 2FA mechanisms (FIDO U2F, HOTP/TOTP come to mind).

1 more reply

protonimitate7y ago

What's that saying, 'physical access is total access'?

_verandaguy7y ago

Physical access is often considered total access in the infosec community.

Edit: and in this case it includes planting cameras and other recording devices which can be assumed to have effectively limitless video/audio resolution.

1 more reply

Uberphallus7y ago

One can easily attach a long tele lens to one of these cameras, so one could capture passwords through windows. Specialized IR lenses are expensive, but regular lenses can do a good enough job.

_trampeltier7y ago

1 more reply

dharma17y ago

Thermal cameras don't really work through glass

1 more reply

spitfire7y ago

I've always thought you could predict the characters in a password by looking at the oil/polish on the keycaps.

I always figured this could be an attack someday. But didn't know the tech was cheap enough/sensitive enough yet. I need to start being more paranoid.

r00fus7y ago

Which is why keeping your keyboards wiped down (I use baby wipes) isn't just for compulsives.

It's a hygiene and security best practice.

bluGill7y ago

stretchwithme7y ago

Probably a good idea to repeat at least one character.

deno7y ago

Depends on what the password is for. If it can be brute forced offline then you’ll need a lot more than one character to make any difference.

stretchwithme7y ago

I think you missed my point. If you use a key more than once, heat can't be used to figure out the first time that key was pressed. Only the second press of it can be deduced.

1 more reply

bbeonx7y ago

Yeah, and just use lots of characters. And at least one use of the shift key :)

eurticket7y ago

This seems like it's probably more crucial for pins terminals at ATMS and such.

orliesaurus7y ago

Is the link down due to the HN hug of death? Edit: Seems back now...

whatcanthisbee7y ago

would continuing to type or holding the keys after/before entering my password help?

_trampeltier7y ago

Yes. Just hold your fingers over some random keys after inserting the card and wait to enter the pin. And after that just keep your hand over the keypad while you wait for the money.

(I work for over 10 years with thermal cameras and know the limits)

Uberphallus7y ago

ajuc7y ago

If I was an attacker and had easy to recover footage and weird "whole keyboard is highlighted" footage - I would just discard the bad footage.

whatcanthisbee7y ago

so is the hardware keys the only answer?

j / k navigate · click thread line to collapse