This cyberattack might seem like a long shot, but for those working in industries with sensitive data or valuable IP, threat actors could have another tool to nab your password: a thermal imaging camera. According to a report by University of California Irvine Computer Science PhD students Tyler Kaczmarek and Ercan Ozturk and Professor Gene Tsudik, an insider threat could steal a password directly from a thermal image taken of a keyboard—up to a minute after it was typed.
The research team conducted a two-stage study that gathered the thermal residues of 30 individual users typing 10 passwords (weak and strong) each on 4 popular keyboards. To collect the data, the researchers used readily available equipment that a “moderately sophisticated and determined adversary” would have easy access to. This includes keyboards available from online retailers and brick-and-mortar shops for about $25 or less. The researchers used an FLIR SC620 thermal imaging camera that they purchased used for about $1,500.
The attack, dubbed Thermanator, was carried out in the study with the camera mounted on a tripod 24 inches above the keyboard. The camera was programmed to take a picture every second for 60 seconds. Obviously, that kind of access is unlikely in a real-world attack. For the study, however, the data they collected was enough to develop a threat model, which they describe in the following steps:
- Step 1: “The victim uses a keyboard to enter a genuine password, as part of the log-in (or session unlock) procedure”;
- Step 2: “Shortly thereafter, the victim either (1) willingly steps away, or (2) gets drawn away, from the workplace”;
- Step 3: “Using thermal imaging (e.g., photos taken by a commodity FLIR camera) the adversary harvests thermal residues from the keyboard”;
- Step 4: “At a later time, the adversary uses the ‘heat map’ of the images to determine recently pressed keys. This can be done manually (i.e., visual inspection) or automatically (i.e., via specialized software)”; and
- Repeat: “The adversary can choose to repeat Steps [1–4] over multiple sessions.”
Whether the attack was orchestrated or spontaneous, the malicious actor has a very narrow window to gather the image. After 30 seconds, the thermal residue remaining on the keycaps only allows an attacker to construct a partial heat map.
The study shows variation in the data based on the typist’s style. For example, “hunt-and-peck” typists were more susceptible to this type of attack, since they tend to touch the keycaps only when pressing them. There is more “noise” overall for touch typists, who tend to rest their fingertips on the home row as they type.
Of all the participants in the study, only one left zero thermal signature on the keyboard. Their acrylic nails, which have no blood vessels and are made from a material that is a poor heat conductor, prevented any thermal residue from appearing in the images.
As it currently stands, this type of attack is unlikely, as it requires a bit more than opportunity. However, as the researchers note, thermal imaging technology is getting less expensive (thermal camera adapters for mobile phones are inexpensive), and more and more internal threat actors could get their hands on them.
The researchers do provide a few suggestions to help mitigate a thermal imaging attack. The most straightforward way is to use “chaff typing” to introduce noise into the image. By either resting your hands on the keyboard for a few seconds or typing nonsense once your password is accepted, you obscure the heat signature left on the keycaps. Additionally, you could use a mouse to enter your password on an on-screen keyboard (or your fingers if you have a touch screen). However, that is more susceptible to over-the-shoulder attacks, and an attacker could instead look at the pattern of smudges on the screen.
If you really want to impress some people (probably two or three folks in your IT department), you could go to the extreme and learn to type with an alternate keyboard layout (like Dvorak or Colemak) and use blank keycaps—though that might be a little too extreme.