Thermanator: Thermal Residue-Based Post Factum Attacks On Keyboard Password Entry

As a warm-blooded mammalian species, we humans routinely leave thermal residues on various objects with which we come in contact. This includes common input devices, such as keyboards, that are used for entering (among other things) secret information, such as passwords and PINs. Although thermal residue dissipates over time, there is always a certain time window during which thermal energy readings can be harvested from input devices to recover recently entered, and potentially sensitive, information. To-date, there has been no systematic investigation of thermal profiles of keyboards, and thus no efforts have been made to secure them. This serves as our main motivation for constructing a means for password harvesting from keyboard thermal emanations. Specifically, we introduce Thermanator, a new post factum insider attack based on heat transfer caused by a user typing a password on a typical external keyboard. We conduct and describe a user study that collected thermal residues from 30 users entering 10 unique passwords (both weak and strong) on 4 popular commodity keyboards. Results show that entire sets of key-presses can be recovered by non-expert users as late as 30 seconds after initial password entry, while partial sets can be recovered as late as 1 minute after entry. Furthermore, we find that Hunt-and-Peck typists are particularly vulnerable. We also discuss some Thermanator mitigation strategies. The main take-away of this work is three-fold: (1) using external keyboards to enter (already much-maligned) passwords is even less secure than previously recognized, (2) post factum (planned or impromptu) thermal imaging attacks are realistic, and finally (3) perhaps it is time to either stop using keyboards for password entry, or abandon passwords altogether.


1. Introduction

Insider attacks are very common, estimated to account for

of all electronic crimes in industry (mickelberg2014us, ). This includes some high-profile attacks, such as the 2014 Sony hack (robb2014sony, ). At the same time, it is well known that security of a system is based on its weakest link. Furthermore, it is often assumed that involvement of a fallible (or simply gullible) human user corresponds to this weakest link, e.g., as in Shoulder-Surfing and Lunch-Time attacks. However, other insider attacks that focus on stealing passwords by compromising the user environment, e.g., Acoustic Emanations (asonov2004keyboard, ; zhuang2009keyboard, ; compagno2017don, ) or Keyboard Vibrations (owusu2012accessory, ), show that the weakest link is a consequence of a law of Physics. However, such insider attacks must occur instantaneously, in real time, in order to succeed. In other words, to exploit them, the adversary must be able to record the environment as the user is entering a password. Real-time adversarial presence (whether in person or via a nearby compromised recording device) raises the bar for the attack. This prompts the question:
Are there any observable physical effects of password entry that linger and can therefore be collected afterwards?

1.1. Heat Transfer & Thermal Emanations

Any time two objects with unequal temperatures come in contact with each other, an exchange of heat occurs. This is unavoidable. Being warm-blooded, human beings naturally prefer environments that are colder than their internal temperature. Because of this heat disparity, it is inevitable that we leave thermal residue on numerous objects that we routinely touch, especially with bare fingers. Furthermore, it takes time for these heated objects to cool off and lose the heat energy imparted by human contact. It is both unsurprising and worrisome that this includes our interactions with keyboards that are used for entering sensitive private information, such as passwords.

Based on this observation, we consider a mostly unexplored attack space where heat transfer and subsequent thermal residue can be exploited by a clever adversary to steal passwords from a keyboard some time after it was used for password entry. The main distinctive benefit of this attack type is that adversary’s real time presence is not required. Instead, a successful attack can occur with after-the-fact adversarial presence: as our results show, many seconds later.

While there has been some prior work on using thermal emanations to crack PINs, mobile phone screen-locks and opening combinations of vaults/safes (SafeCracking, ; andriotis2013pilot, ; abdelrahman2017stay, ; mowery2011heat, ), this work represents the first comprehensive investigation of human-based thermal residues and emanations of external computer keyboards.

1.2. Expected Contributions

In this paper, we propose and evaluate a particular human-based side-channel attack class, called Thermanator. This attack class is based on exploiting thermal residues left behind by a user (victim) who enters a password using a typical external keyboard. Shortly after password entry, the victim either steps away inadvertently, or is drawn away (perhaps as a result of being prompted by the adversary) from the personal workplace. Then, the adversary captures thermal images of the victim keyboard. We examine the efficacy of Thermanator Attacks for a moderately sophisticated adversary equipped with a mid-range thermal imaging camera. The goal of the attack is to learn information about the victim password.

To confirm viability of Thermanator Attacks, we conducted a rigorous two-stage user study. The first stage collected password entry data from 31 subjects using 4 common keyboards. In the second stage, 8 non-expert subjects acted as adversaries and attempted to derive the set of pressed keys from the thermal imaging data collected in the first stage. Our results show that even novice adversaries can use thermal residues to reliably determine the entire set of key-presses up to 30 seconds after password entry. Furthermore, they can determine a partial set of key-presses as long as a full minute after password entry. We provide a thorough discussion of the implications of this study, and mitigation techniques against Thermanator Attacks.

Furthermore, in the course of exploring Thermanator Attacks, we introduce a new post factum adversarial model. We comprehensively compare this model with those of other insider attacks that target user behavior and physical properties, such as Lunch-Time, Shoulder-Surfing, and Acoustic Emanations attacks. In doing so, we focus on attack characteristics, such as: goals, timeline and equipment required by the adversary.

1.3. Organization

Section 2 provides background on thermodynamic concepts, modern keyboards and thermal cameras. Section 3 describes assumed Thermanator Attacks and adversarial models. Section 4 describes our methodology, apparatus and subject recruitment. Study results are presented in Section 5 and their implications are discussed in Section 6. We then compare and contrast Thermanator with other insider attacks in Section 7. Section 8 discusses related work. We conclude the paper with directions for future work in Section 9.

2. Background

In this section we provide some background material on physical interactions that describe thermal phenomena observed in our experiments. We start with a glossary of terms, then describe the form factor and material composition of modern 104-key ”Windows” keyboards and finish with certain Physics concepts used in the rest of the paper. Given familiarity with elements of Conductive Heat Transfer and Newton’s Law of Cooling, Sections 2.1, 2.2, and 2.3 can be skipped with no loss of continuity.

2.1. Basic Thermal Terminology

  • Joule (J) – Unit of energy corresponding to Newton-Meter ()

  • Kelvin () – Base unit of temperature in Physics. The temperature T in Kelvin (K) minus yields the corresponding temperature in degrees Celsius ().

  • Watt (W) – Unit of work corresponding to 1 Joule-Second: ()

  • Conduction – Transfer of Thermal Energy caused by two objects in physical contact that are at different Temperatures.

  • Convection – Transfer of Thermal Energy caused by submerging an object in a fluid.

  • Heat Transfer Coefficient – Property of a fluid that determines rate of convective heat flow. Expressed in Watts per square meter Kelvin:

  • Specific Heat – Amount of Thermal Energy in Joules that it takes to increase temperature of kg of material by . Expressed in Joules over kilograms degrees Kelvin: .

  • Thermal Conductivity – Rate at which Thermal Energy passes through a material. Expressed in Watts per meters Kelvin:

  • Thermal Energy – Latent energy stored in an object due to heat flowing into it.

  • Thermal Source – Object or material that can internally generate Thermal Energy such that it can stay at constant temperature during a thermal interaction, e.g., a heat pump.

2.2. Heating via Thermal Conduction

Thermal Conduction is transfer of heat between any two touching objects of different temperatures. It is expressed as the movement of heat energy from the warmer to the cooler object. We are concerned with transfer of energy from a human fingertip to a pressed keycap. This transfer is governed by Fourier’s Law of heat conduction which states that:

Heat transfer between two objects can be modeled by the equation: , where is thermal conductivity (not to be confused with – degrees Kelvin) of the object being heated, is area of contact, is initial temperature of the hotter object, is initial temperature of the cooler object, is time, and is the thickness of the object being heated.

The relationship between an object’s heat energy and its temperature is governed by the object’s mass and specific heat, as dictated by the formula: , where is total heat energy, is object’s specific heat, is object’s mass and is change in temperature.

We consider the human body to be a thermal source, and we assume that any change in the fingertip temperature during the (very short) fingertip-keycap contact period is negligible, due to internal heat regulation (dai2004comparison, ). Furthermore, we assume that:

  • Average area of an adult human fingertip is (peters2009diminutive, ).

  • Average human skin temperature is () (burton1939range, ).

  • Average duration of a key-press is s (sauro2009estimating, ).

  • Keyboard temperature is the same as that of the air, which, for a typical office, is the OSHA-recommended () (occupational1999osha, ). (OSHA = Occupational Safety and Hazards Administration, a United States federal agency.)

Therefore, for variables mentioned above, we have:

Plugging these values into Fourier’s Law, we get:

which yields total energy transfer: J. We then use total energy in the specific heat equation to determine total temperature change: . This gives us a total temperature change of . Therefore, we conclude that the average human fingertip touching a keycap at the average room temperature results in the keycap heating up by .

2.3. Cooling via Thermal Convection

After a keycap heats up as a result of conduction caused by a press by a warm(er) human finger, it begins to cool off due to convective heat transfer with the air in the room. Convection is defined as the transfer of heat resulting from the internal current of a fluid, which moves hot (and less dense) particles upward, and cold (and denser) particles downward. This interaction is governed by Newton’s Law of Cooling. Its particulars are impacted by the shape and position of the heated object. In our case, there is a plane surface (the actual keycap surface can be slightly concave) facing towards the cooling fluid (i.e., a keycap directly exposed to ambient air), which is described by the formula:

where is temperature at time , is temperature of ambient air, is initial object temperature, and is the cooling constant of still (non-turbulent) air over a plane.

This comes with the additional intuitive notion that a surface convectively cools quicker when the temperature difference between the heated object and the fluid is higher. Similarly, it cools slower when the temperature difference is smaller. Finally, Newton’s Law of Cooling is asymptotic, and cannot be used to find the time at which the object reaches the exact temperature of the ambient fluid. Thus, instead of finding the time when the temperatures are equal, we determine the time when the temperature difference falls below an acceptable threshold, which we set at . Plugging this into Newton’s Law of Cooling results in:

which yields for total time for a pressed key to cool down to the point where it is indistinguishable from room temperature.
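The heating-then-cooling chain of Sections 2.2 and 2.3 carried through in code, as an added example that is not part of the paper. Every numeric input is an assumed placeholder (the paper's own constants did not survive extraction), so the printed window is illustrative only; the `presses` parameter also models the repeated-key effect the results section later attributes to passwords such as "12341234".

```python
"""Keycap heating (Fourier's law, specific heat) and cooling (Newton's law)
for a single fingertip-keycap contact, following Sections 2.2 and 2.3.

Added example, not code from the paper. Every numeric input below is an
ASSUMED placeholder; swap in measured constants before drawing conclusions.
"""
import math
from dataclasses import dataclass


def fourier_heat(k, area, t_hot, t_cold, contact_time, thickness):
    """Energy conducted into the cooler object, in joules.

    Fourier's law as stated in Section 2.2: Q = k * A * (T_hot - T_cold) * t / d,
    with k the thermal conductivity of the heated object, A the contact area,
    t the contact time and d the thickness of the heated object.
    """
    return k * area * (t_hot - t_cold) * contact_time / thickness


def temperature_rise(q_joules, mass, specific_heat):
    """Temperature change of the heated object in kelvin: dT = Q / (m * c)."""
    return q_joules / (mass * specific_heat)


def newton_cooling(t_ambient, t_initial, r, t):
    """Object temperature after t seconds of convective cooling:
    T(t) = T_a + (T_0 - T_a) * exp(-r * t)."""
    return t_ambient + (t_initial - t_ambient) * math.exp(-r * t)


def time_to_threshold(t_ambient, t_initial, r, threshold):
    """Seconds until the object is within `threshold` kelvin of ambient.

    Newton's law is asymptotic, so (as in Section 2.3) we ask when the
    difference drops below a threshold rather than when it reaches zero.
    Solving (T_0 - T_a) * exp(-r t) = threshold gives t = ln(dT_0 / threshold) / r.
    """
    delta0 = abs(t_initial - t_ambient)
    if delta0 <= threshold:
        return 0.0
    return math.log(delta0 / threshold) / r


@dataclass
class KeycapScenario:
    """One fingertip-keycap contact. All values are ASSUMED placeholders."""
    k_keycap: float = 0.2          # W/(m*K), thermal conductivity of the keycap plastic
    contact_area: float = 1.5e-4   # m^2, fingertip contact patch
    t_skin: float = 33.0           # degrees C, fingertip (treated as a thermal source)
    t_room: float = 22.0           # degrees C, ambient air and initial keycap temperature
    press_time: float = 0.2        # s, duration of one key-press
    thickness: float = 5e-4        # m, keycap wall thickness
    mass: float = 1e-3             # kg, keycap mass
    specific_heat: float = 1200.0  # J/(kg*K), keycap plastic
    r_still_air: float = 0.05      # 1/s, cooling constant for still air over a plane
    visible_delta: float = 0.05    # K, smallest difference the imager is assumed to resolve


def residue_window(s: KeycapScenario, presses: int = 1):
    """Return (energy in J, peak rise in K, seconds the residue stays visible).

    `presses` > 1 treats a repeated key as one contact of proportionally longer
    duration, so the transferred energy scales linearly with the press count.
    """
    q = presses * fourier_heat(s.k_keycap, s.contact_area, s.t_skin, s.t_room,
                               s.press_time, s.thickness)
    rise = temperature_rise(q, s.mass, s.specific_heat)
    window = time_to_threshold(s.t_room, s.t_room + rise, s.r_still_air, s.visible_delta)
    return q, rise, window


if __name__ == "__main__":
    scenario = KeycapScenario()
    for presses in (1, 2):
        q, rise, window = residue_window(scenario, presses)
        print(f"{presses} press(es): Q={q:.3f} J, rise={rise:.3f} K, "
              f"visible for ~{window:.1f} s")
    # Cooling curve sampled at the camera's one-frame-per-second cadence
    _, rise, _ = residue_window(scenario)
    for t in range(0, 61, 10):
        temp = newton_cooling(scenario.t_room, scenario.t_room + rise,
                              scenario.r_still_air, t)
        print(f"t={t:2d}s  keycap minus ambient = {temp - scenario.t_room:.3f} K")
```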

2.4. Modern Keyboards

Most commodity external keyboard models are of the 104-key ”Windows” variety, shown in Figure 1. On such keyboards, the distance between centers of adjacent keys is about mm, and a typical keycap shape is a rectangular prism, with an average travel distance of (noyes1983qwerty, ); see Figure 3. All such keyboards are constructed out of Polybutylene Terephthalate (PBT) with density of , resulting in an average keycap mass of (pyda2004heat, ). PBT generally has the following characteristics: specific heat = and thermal conductivity = (pyda2004heat, ).

Figure 1. Typical ”Windows”-style Keyboard.

Figure 2. Typical Keycap Profile.

2.5. Thermal Cameras

In the past few years, many niche computational and sensing devices have moved from Hollywood-style fantasy into reality. This includes thermal imagers or cameras. In order to clarify their availability to individuals (or agencies) at different levels of sophistication, we provide the following brief comparison of several types of readily-available FLIR: Forward-Looking Infra-Red devices. (See: https://www.flir.com/products for full product specifications.) In the rest of the paper, we use the following terms interchangeably: FLIR device, thermal imager and thermal camera.

Figure 3. FLIR Devices / Thermal Imagers: TG165(top left,) SC620(top right,) A6700sc (bottom left,) and X8500sc (bottom right).
  1. – Price: About US$. Thermal Sensitivity: K. Thermal Accuracy: K or of reading. Resolution: . Image Capture: Manual, image at a time. Video Capture: None.

  2. – Price: About US$ (used). Thermal Sensitivity: K. Thermal Accuracy: K or of reading. Resolution: . Image Capture: Automatic, programmable to capture images by timer, or when specific criteria are met, at a maximum rate of image per second. Video Capture: None.

  3. – Price: About US$. Thermal Sensitivity: K. Thermal Accuracy: K or of reading. Resolution: . Image Capture: Automatic, programmable to capture images by timer or when specific criteria are met, at up to fps. Video Capture: High speed, up to fps.

  4. – Price: About US$. Thermal Sensitivity: K. Thermal Accuracy: K or of reading. Resolution: . Image Capture: Automatic, programmable to capture images by timer or when specific criteria are met, at up to fps. Video Capture: High speed, up to fps.

While a sufficiently motivated organization or a nation-state could obviously obtain thermal imagers of the highest quality (and price), we assume that the anticipated adversary is of a mid-range sophistication level, i.e., capable of acquiring a device of the type exemplified by the SC620.

3. Adversarial Model & Attacks

This section describes the adversarial model for Thermanator Attacks.

(a) STEP 1: Victim Enters Password
(b) STEP 2: Victim Leaves
(c) STEP 3: Thermal Residues Captured
Figure 4. An Example Thermanator Attack

3.1. Physical Premise

As mentioned in Section 2, Fourier’s Law states that contact between any two objects with unequal temperatures results in transfer of heat energy from the hotter to the cooler object. It is reasonable to assume that the typical office environment has an ambient temperature within the OSHA-recommended range of (=) (occupational1999osha, ). In that setting, the average human hand is expected to conductively transfer an observable amount of heat to the ambient-temperature keyboard. Consequently, a bare-fingered human typist cannot avoid leaving thermal residue on a keyboard. This physical interaction can be abused by the adversary in order to harvest the thermal residue of a victim who recently used a keyboard to enter potentially sensitive information, e.g., a password. This forms the premise for Thermanator Attacks.

3.2. Thermanator

Thermanator is a distinct type of insider attack, where a typical attack scenario proceeds as follows:

STEP 1: The victim uses a keyboard to enter a genuine password, as part of the log-in (or session unlock) procedure.

STEP 2: Shortly thereafter, the victim either: (1) willingly steps away, or (2) gets drawn away, from the workplace.

STEP 3: Using thermal imaging (e.g., photos taken by a commodity FLIR camera) the adversary harvests thermal residues from the keyboard.

STEP 4: At a later time, the adversary uses the “heat map” of the images to determine recently pressed keys. This can be done manually (i.e., via visual inspection) or automatically (i.e., via specialized software).

REPEAT: The adversary can choose to repeat STEPS [1-4] over multiple sessions.

The two options in STEP 2 correspond to two attack sub-types: opportunistic and orchestrated. In the former, the adversary patiently waits for the situation described in STEP 2 case (1) to occur. Once the victim leaves (of their own volition) shortly after password entry, the adversary swoops in and collects thermal residues. This strategy is similar to Lunch-Time Attacks. In an orchestrated attack, instead of waiting for the victim to leave, the adversary uses an accomplice to draw the victim away shortly after password entry, as in STEP 2 case (2).

4. Methodology

In this section we describe the experimental apparatus, procedures, and subject recruitment methods.

4.1. Apparatus

The experimental setup was designed to simulate a typical office setting. It was located in a dedicated office in a research building of a large university. Since experiments were conducted during the academic year, there was always some (though not excessive) amount of typical busy office-like ambient noise. Figure 6 shows the setup from the subject’s perspective. Equipment used in the experiments consisted of the following readily available (off-the-shelf) components:

  1. FLIR Systems SC620 Thermal Imaging Camera (see http://www.FLIR.com for a full specification). This camera was perched on a tripod above the keyboard.

  2. Four popular and inexpensive commodity computer keyboards: (a) Dell SK-8115, (b) HP SK-2023, (c) Logitech Y-UM76A, and (d) AZiO Prism KB507. The first (Dell) is shown in Figure 1 above, and the other three in Figure 5.

(a) HP SK-2023
(b) Logitech Y-UM76A.
(c) AZiO Prism KB507 (backlit).
Figure 5. Keyboards

The thermal camera was chosen to be realistic for a moderately sophisticated and determined adversary. We assume this type of adversary to be an individual, i.e., not an intelligence agency or a powerful criminal organization. FLIR SC620 Thermal Imager costs approximately used. (This model is about 6-7 years old.) It automatically records images at the resolution of pixels, with frequency. Its thermal sensitivity is .

The four keyboards were chosen to cover the typical range of manufacturers represented in an average workplace. Dell, HP and Logitech keyboards are popular default keyboards included in new computer orders from major PC, desktop, and workstation manufacturers. Each costs . Meanwhile, Azio Prism is a popular low-cost and independently manufactured keyboard that can be easily obtained on-line e.g., from Amazon; it costs .

Figure 6. SC620 Apparatus Setup

Figure 7. Example of Thermal Emanations being Recorded.

4.2. Procedures

Thermanator was evaluated using a two-stage user study. The first stage was conducted to collect thermal emanation data, and the second – to evaluate efficacy of Thermanator Attacks. A given subject only participated in a single stage.

4.2.1. Stage One: Password Entry

Recall that Thermanator’s goal is to capture thermal residues of subjects after keyboard password entry. This is accomplished by FLIR SC620 taking a sequence of images (60 total), once per second for a total of one minute after initial password entry. The first stage is shown in Figure 8.

Figure 8. Experiment Stage One: Flowchart

Each subject entered passwords on keyboards and each entry was followed by one minute of keyboard recording ( successive images) by the FLIR. Each subject entered a total of passwords and every entry took, on average, between and seconds. The total duration of the experiment for a Stage 1 subject ranged between and minutes, based on the individual’s typing speed and style. Both keyboards and passwords were presented to each subject in random order, in an attempt to negate any side-effects due to subject training or familiarity with the task.

We selected 10 passwords that included both ”insecure” and ”secure” categories. The former were culled from the top 100 passwords by popularity that adhere to common password requirements, such as Gmail’s (see https://support.google.com for details). The ”secure” passwords were created by randomly generating 8-, 10-, and 12-character strings of lower/uppercase letters as well as numbers and symbols that adhere to Gmail restrictions. Our selection criteria resulted in the following 10 candidate passwords:

  • [Insecure]: ”password”, ”12345678”, ”football”, ”iloveyou”, ”12341234”, ”passw0rd”, and ”jordan23”,

  • [Secure]: ”jxM#1CT[”, ”3xZFkMMv—Y”, and ”6pl;0¿6t(OvF”.

4.2.2. Stage Two: Data Inspection

Figure 9. Thermal image of ”passw0rd” seconds after entry.

The second stage of the experiment has subjects act as adversaries conducting Thermanator Attacks. Subjects were shown images obtained from the first stage of the experiment, e.g., Figure 9, and were instructed to identify the ”lit” regions. Each subject was shown recordings of password entries in random order. On average, a subject could process a single recording in seconds. Total time for each Stage 2 subject varied in the range of minutes.

4.3. Subject Recruitment Procedure

Subjects were recruited from the student body of a large public University using a unified Human Subjects Pool designated for undergraduate volunteers seeking to participate in studies such as ours. Subjects were compensated with course credit. Because of this, the overwhelming majority of subjects were of college age: . The subject gender breakdown was: male and female.

All experiments were authorized by the Institutional Review Board (IRB) of the authors’ employer, well ahead of the commencement of the study. The level of review was: Exempt, Category II. No sensitive data was collected during the experiments and minimal identifying information was retained. In particular, no subject names, phone numbers or other personally identifying information (PII) was collected. All data is stored pseudonymously.

5. Results

We now describe the results of Stage 2 analysis of thermal images obtained in Stage 1. We divide it into two categories:

  • Hunt-and-Peck Typists – those who do not rest their fingertips on, or hover their fingers just over, the home-row of keys;

  • Touch Typists – those whose fingertips routinely hover over, or lightly touch, the home-row, as shown in Figure 10.

Figure 10. A Touch Typist’s Hands Perched on the Home-Row

As it turns out, our study results indicate that the category of the typist is the most influential factor for the quality of thermal imaging data. For each category, we separately analyze ”secure” and ”insecure” password types.

For full context, aggregate results (identification rates) from the entire subject population are shown in Figures 11 and 12; they correspond to stage 2 subjects’ analysis of ”insecure” and ”secure” passwords, respectively. In each graph, ”d = 0” refers to average latest time when stage 2 subjects could correctly identify every keystroke of the entered password, while ”d = 1” denotes average latest time when subjects could identify all-but-one keystroke, ”d = 2” denotes the average latest time when subjects could identify all-but-two keystrokes and so on.

Figure 11. ID Rates for All Subjects: ”Insecure” Passwords

Figure 12. ID Rates for All Subjects: ”Secure” Passwords

5.1. Hunt-and-Peck Typists

Our analysis of Hunt-and-Peck typists was straightforward. Because these typists do not rest their fingertips on (or hover right above) the keyboard home-row, it is readily apparent that each bright spot on the thermal image corresponds to a key-press. However, as discussed below, we encountered some challenges with ”secure” passwords.

5.1.1. Insecure Passwords

Figure 13. ID Rates for Hunt-and-Peck: ”Insecure” Passwords

As Figure 13 shows, analysis of Hunt-and-Peck typists entering ”insecure” passwords is straightforward. In fact, in the best-case of ”12341234” subjects could correctly recall every keystroke, on average, seconds after entry. Even the weakest result, ”football” was fully recoverable seconds later, on average. This is in line with conventional thought. Hunt-and-Peck typists typically only use their forefingers to type. Because of this, they make contact with a larger finger over a large surface area. Also, since Hunt-and-Peck typists are generally less skilled, they take longer for each keystroke, resulting in longer contact time. These two factors combined yield high-quality thermal residue for Thermanator Attacks.

5.1.2. Secure Passwords

Figure 14. ID Rates for Hunt-and-Peck: ”Secure” Passwords

”Secure” passwords are more challenging to analyze. As shown in Figure 14, full recall was possible, on average, up to seconds after recording started, in the best case, and seconds, in the worst case. Performance of stage 2 subjects was uniform in terms of password length: the shortest password was the easiest to analyze correctly. Anecdotally, this is not surprising. It was quite common for Hunt-and-Peck typists to look back and forth between the characters of a relatively complex ”secure” password and their keyboards. This resulted in longer completion times, which left more time for keycaps to cool off before recording began.

5.2. Touch Typists

Analyzing data from Touch typists was a challenge for stage 2 subjects. Since a typical Touch typist’s fingers are constantly in contact with (or in very close proximity to) the home-row of the keyboard, there are two incidental sources of thermal noise. First, there is thermal residue on the 2 groups of 4 home-row keys: ”asdf” and ”jkl;”, which results from the typist’s fingertips. However, whenever the typist’s fingers rest on the keyboard for a long time, additional observed effects occur outside (though near) the home-row, on the following keys:

"qwertgvcxz" on the left, "][poiuhnm,./" on the right
Even though this secondary thermal residue was not as drastic as that on the home-row, it had a more pronounced effect on stage 2 subjects. In many cases, a subject was uncertain whether a key was lit on the thermal image because it was actually pressed, or because it was simply close to the home-row. This uncertainty in turn led to mis-classification of some keys as unpressed. Also, mis-classification of home-row keys as pressed keys was not counted in the distance. We justify this choice in Section 6.
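The ”d = k” measure used in Figures 11 through 16 and the home-row rule just described, written out as scoring code. This is an added example, not code or data from the study: the per-second identifications are constructed to mimic fading residue, the exemption of home-row false positives for Touch typists comes from the text above, and every other scoring detail (spurious non-home-row keys counted into d, a subject who never reaches a given d contributing 0 s to the average) is an assumption.

```python
"""Scoring a Stage-2 style key-set identification against the true key set,
and recovering the "d = k" latest-time figures of Section 5.

Added example, not code or data from the study. Frame data below is
CONSTRUCTED; scoring details beyond the stated home-row rule are ASSUMED.
"""
from typing import Dict, List, Optional, Set

HOME_ROW: Set[str] = set("asdfjkl;")   # keys a Touch typist rests fingers on


def pressed_keycaps(password: str) -> Set[str]:
    """Keycaps a password lights up. A thermal image loses order and repeats,
    so only the set survives. Simplification: Shift is ignored and letters
    map to their lowercase keycap."""
    return {c.lower() for c in password}


def distance(truth: Set[str], identified: Set[str], touch_typist: bool) -> int:
    """d = missed keystrokes + spurious keys, except that for Touch typists
    home-row keys marked as pressed are not penalised (Section 5.2)."""
    missed = truth - identified
    spurious = identified - truth
    if touch_typist:
        spurious -= HOME_ROW
    return len(missed) + len(spurious)


def latest_time_within(frames: Dict[int, Set[str]], truth: Set[str],
                       max_d: int, touch_typist: bool) -> Optional[int]:
    """Latest frame time (seconds after entry) at which the identification
    was within max_d of the truth, or None if it never was."""
    hits = [t for t, ident in frames.items()
            if distance(truth, ident, touch_typist) <= max_d]
    return max(hits) if hits else None


def average_latest(recordings: List[Dict[int, Set[str]]], truth: Set[str],
                   max_d: int, touch_typist: bool) -> float:
    """Average over Stage-2 subjects of the latest time for all-but-max_d
    recall; a subject who never got within max_d contributes 0 s (ASSUMED)."""
    times = [latest_time_within(r, truth, max_d, touch_typist) or 0
             for r in recordings]
    return sum(times) / len(times)


# CONSTRUCTED sample: one recording of "passw0rd" by a Touch typist, as
# marked "lit" by two Stage-2 subjects; frame time in seconds -> key set.
TRUTH = pressed_keycaps("passw0rd")
SUBJECT_A = {
    0:  set("passw0rdjkl;"),   # everything, plus resting right-hand fingers
    10: set("passw0rdjkl;"),
    20: set("asw0rdjkl;"),     # 'p' has faded
    30: set("as0rdjkl;"),      # 'p' and 'w' gone
    45: set("asjkl;"),
    60: set("asdfjkl;"),       # only home-row residue left
}
SUBJECT_B = {
    0:  set("passw0rdasdfjkl;"),
    10: set("assw0rdjkl;"),    # missed 'p' early
    20: set("asw0rdjkl;"),
    30: set("asrdjkl;"),
    45: set("asdfjkl;"),
    60: set("asdfjkl;"),
}

if __name__ == "__main__":
    subjects = [SUBJECT_A, SUBJECT_B]
    for d in range(3):
        touch = average_latest(subjects, TRUTH, d, touch_typist=True)
        hunt = average_latest(subjects, TRUTH, d, touch_typist=False)
        print(f"d = {d}: Touch-typist scoring {touch:.1f} s, "
              f"Hunt-and-Peck scoring {hunt:.1f} s")
```

Scoring the same frames under the Hunt-and-Peck rule (where every lit home-row key counts against the subject) shows why the exemption matters: the resting-finger residue alone pushes d to 4 in the very first frame.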

5.2.1. Insecure Passwords

Figure 15. ID Rates for Touch Typists: ”Insecure” Passwords

While more difficult than the analysis of ”insecure” passwords for Hunt-and-Peck typists, stage 2 subjects had moderate success analyzing Touch typists entering ”insecure” passwords. As Figure 15 shows, the best average time for full recall was for the password ”12341234”, at seconds, and the worst was for ”jordan23”, at seconds. This follows the notion that stage 2 subjects were hesitant to classify home-row-adjacent key-presses, e.g., ”o”, ”r” and ”n” in ”jordan23”. Furthermore, this supports the notion that a simple, repeated password such as ”12341234” leaves ideal thermal residue. Since each key is repeated, it is analogous to each key being pressed once for twice as long. This results in twice as much thermal energy being transferred from the fingertip to the keycap.

5.2.2. Secure Passwords

Figure 16. ID Rates for Touch Typists: ”Secure” Passwords

Touch typists entering ”secure” passwords were the most difficult for the stage 2 subjects to analyze. As shown in Figure 16, full recall was only possible, on average, within the first seconds. Surprisingly, the password with the smallest window for full recall was ”jxM#1CT[”. We believe that many phase 2 subjects were hesitant to classify home-row-adjacent keys in this password as keystrokes (as opposed to thermal noise). This might explain why the window for full recall is so small. As with all other cases, the time window between full recall at and a single mis-identification was much greater than any other window between and , which is consistent with Newton’s Law of Cooling.

5.3. Outlier: Acrylic Nails

There was a single Stage 1 subject that had long acrylic fingernails. Instead of typing with fingertips, this person tapped the keys with nail-tips. Since these do not have nearly as much surface area as fingertips, and false nails do not have any blood vessels to regulate their temperature, this subject left almost no thermal residue. In fact, not a single key-press could be correctly identified in any of the password entry trials. Consequently, this subject is not included in either Touch or Hunt-and-Peck typist populations. However, as a side curiosity, we note that, although it may be a rare occurrence, any user with long acrylic fingernails is virtually immune to Thermanator Attacks.

6. Discussion

In this section, we break down our observations from Section 5 between two password classes, and among two categories of typists.

6.1. Results with Common Passwords

Stage 2 subjects were particularly adept at identifying passwords that are English words or phrases. Even though we could not reliably detect the exact sequence of pressed keys, ordering can be found indirectly by mapping the set of pressed keys to words (essentially, solving an anagram puzzle). Furthermore, a list of distances between detected keys (characters) and possible words can be used to reconstruct full passwords from incomplete thermal residues. Finally, the same list of distances can help determine when a key is pressed multiple times. These combinations highlight the threat posed by Thermanator Attacks to already insecure passwords.

6.2. Results with Random Passwords

However, the strong results of Stage 2 subjects' identification of English-language words do not extend to secure, randomly-selected passwords. First, the inability to reliably determine the order of pressed keys cannot be mitigated by leveraging an underlying linguistic structure, since there is none. Moreover, it is unclear whether a given set of emanations represents the whole password, or whether some information was lost. Finally, it is impossible to tell whether a key was pressed multiple times. Even with these shortcomings, however, our subjects managed to greatly reduce the password search space from to , where is the total number of characters in the password, and is the number of identified key-presses.
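As an added illustration of the reconstruction described in Sections 6.1 and 6.2 (example code, not part of the original paper), the following Python program ranks dictionary words against an unordered set of thermally identified keys, infers repeated key-presses from the matched word, and counts the candidates that remain for a random password. The dictionary, the detected-key sets and the 95-character printable alphabet are constructed assumptions; the surjection count is our own formalisation of the search-space reduction and is not a formula taken from the paper.

```python
"""Reducing the candidate space from an unordered set of thermally identified keys.

Constructed example illustrating Sections 6.1 and 6.2: the dictionary and the
detected-key sets below are made up and are not data from the study.
"""
from collections import Counter
from itertools import product
from math import comb

# Assumed password alphabet size: the 95 printable ASCII characters.
ALPHABET_SIZE = 95

# Tiny stand-in for a password dictionary (constructed).
DICTIONARY = ["iloveyou", "password", "passw0rd", "jordan23", "football",
              "monkey", "letmein", "sunshine", "yellow", "love", "you"]


def residue_distance(word, detected):
    """Distance between a dictionary word and the set of key-caps showing residue.

    Returns (missed, spurious): letters the word needs that left no visible
    residue, and detected keys the word never uses.  An exact anagram match is
    (0, 0).  Repeated letters cost nothing, because a key pressed twice still
    shows a single residue.
    """
    letters = set(word.lower())
    detected = set(detected)
    return len(letters - detected), len(detected - letters)


def rank_dictionary(detected, dictionary=DICTIONARY, max_missed=1):
    """Order dictionary words by how well they explain the observed residues.

    Words needing more than `max_missed` undetected keys are dropped; allowing
    one miss lets a partially dissipated residue still pin down the password.
    Ties are broken towards fewer spurious keys, then shorter words.
    """
    scored = []
    for word in dictionary:
        missed, spurious = residue_distance(word, detected)
        if missed <= max_missed:
            scored.append(((missed, spurious, len(word)), word))
    return [word for _, word in sorted(scored)]


def repeated_keys(word):
    """Letters a candidate uses more than once.  The image cannot show repeats,
    so they are inferred from the matched word rather than from the residue."""
    return {c: n for c, n in Counter(word).items() if n > 1}


def ordered_candidates(detected, length):
    """Random password, no dictionary: enumerate every string of `length` over
    the detected keys that uses each detected key at least once, i.e. assuming
    the residue set is complete (which the attacker cannot verify)."""
    keys = sorted(detected)
    return ["".join(p) for p in product(keys, repeat=length) if set(p) == set(keys)]


def candidate_count(m, n):
    """Closed form for len(ordered_candidates(...)) with m detected keys and a
    length-n password: the number of surjections from n positions onto m keys,
    m! * S(n, m), computed by inclusion-exclusion.  This is our formalisation of
    the search-space reduction, not a formula taken from the paper."""
    return sum((-1) ** k * comb(m, k) * (m - k) ** n for k in range(m + 1))


def reduction_factor(m, n):
    """How many times smaller the candidate set is than brute force over the
    full alphabet for a length-n password."""
    return ALPHABET_SIZE ** n / candidate_count(m, n)


if __name__ == "__main__":
    full = {"i", "l", "o", "v", "e", "y", "u"}   # all residues still visible
    partial = full - {"o"}                       # the "o" residue already dissipated
    print(rank_dictionary(full)[:3], rank_dictionary(partial)[:3])
    print(repeated_keys(rank_dictionary(partial)[0]))
    print(candidate_count(7, 8), f"{reduction_factor(7, 8):.3g}")
```

With all seven residues of "iloveyou" visible the word is the unique zero-distance match; with the "o" residue gone it still ranks first, and the repeat of "o" is recovered from the word rather than from the image. For a random 8-character password over 7 identified keys the enumeration leaves 141,120 orderings, versus 95^8 for a blind brute-force search.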

6.3. Results with Hunt-and-Peck Typists

Figure 17. Password ”iloveyou” entered by a Hunt-and-Peck typist.

As described in Section 5.1, Hunt-and-Peck typists are particularly vulnerable to Thermanator Attacks. This is not surprising, given that these less-skilled typists tend to type more slowly and primarily use their index fingers, which have a greater fingertip surface area than ring or pinky fingers (peters2009diminutive). The result is greater heat transfer, due to both a longer contact duration and a larger contact area. Also, as seen in Figure 17, Hunt-and-Peck typists do not touch any keys that are not part of the password; therefore, every observed key-press is part of the password.

6.4. Results with Touch Typists

Figure 18. Password ”iloveyou” Entered by a Touch Typist.

For Touch typists, two factors confuse their thermal residues and make passwords harder to harvest. One is their habit of resting their hands on the home row, which introduces potential false positives, as Figure 18 shows. This is exacerbated by the possibility that a home-row key might actually be part of the password. Because of this, Stage 2 subjects were not penalized for classifying home-row keys as pressed; they were instructed to identify all keys that looked to them as having been pressed.

Another issue is that Touch typists tend to use all fingers of both hands while typing. This gives them two advantages over their Hunt-and-Peck counterparts. First, they touch individual keys for a shorter time, thus transferring less heat to the key-cap. Second, they type much more quickly and also use their ring and pinky fingers. Fingertips of these smaller fingers tend to have of the surface area of the larger index or middle fingers, and thus transfer half of the total heat energy conducted during a key-press (peters2009diminutive). Such factors make Touch typists much more resistant to Thermanator Attacks, particularly at the level of our moderately sophisticated adversarial model.

6.5. Ordering

Figure 19. Thermal residue of password "passw0rd" 0 (top left), 15 (top right), 30 (bottom left), and 45 (bottom right) seconds after entry.

Unfortunately, inspection of thermal images by Stage 2 subjects did not yield any reliable key-press ordering information. Newton's Law of Cooling might seem to indicate that heat energy is lost uniformly across all pressed keys, so that the coolest residue would mark the earliest key-press and ordering would be exposed. However, this is not true in practice. One reason is the inconsistency of keystroke dynamics, even for Touch typists. Factors such as the travel distance between keys and the particular finger used to press a key result in small differences in the duration, and total surface area, of contact. Since each key-press is distinct, the intensity of a given thermal residue does not correspond to its relative position in the target password. This holds even for Hunt-and-Peck typists, who tend to use only their index fingers: as evidenced by Figure 19, a Hunt-and-Peck typist does not necessarily press keys with uniform force or for a uniform duration. These inconsistencies make reliable ordering of key-presses infeasible in our analysis framework. However, as mentioned above, for insecure (language-based) passwords, dictionary tools can be used to infer the most likely key-press order.
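The cooling argument above can be made explicit. The following Python model is an added example, not part of the original paper; the cooling constant, press timings and per-press temperature rises are assumed values. It shows that, under Newton's Law of Cooling, the chronological order of an earlier press i and a later press j survives in the image only if delta_i / delta_j < exp(k * gap), where gap is the time between the two presses. The observation time cancels out of this condition, so waiting longer never restores an order lost to unequal heating, and for the assumed k the tolerable difference in heating is only about 1.5% for a 0.3 s inter-key gap.

```python
"""Why residue intensity does not reveal key-press order (Section 6.5).

Constructed example: the press timings, temperature rises and cooling constant
below are assumed values chosen for illustration, not measurements from the study.
"""
import math

# Assumed lumped cooling constant of a key-cap (1/s).  Newton's Law of Cooling:
# the excess temperature over ambient decays as exp(-k * t).
K_COOLING = 0.05


def residual(delta_t, t_press, k, t_obs):
    """Excess temperature of one key-cap at observation time t_obs, given the
    temperature rise delta_t it received when pressed at time t_press."""
    return delta_t * math.exp(-k * (t_obs - t_press))


def true_order(presses):
    """Chronological order of a list of (key, t_press, delta_t) tuples."""
    return [key for key, _, _ in sorted(presses, key=lambda p: p[1])]


def order_by_intensity(presses, k, t_obs):
    """What an attacker would conclude from a single thermal image taken at
    t_obs: the coolest residue is assumed to be the earliest press."""
    ranked = sorted(presses, key=lambda p: residual(p[2], p[1], k, t_obs))
    return [key for key, _, _ in ranked]


def pair_order_recoverable(delta_i, delta_j, gap, k):
    """For an earlier press i and a later press j separated by `gap` seconds, the
    residues keep their chronological order at every observation time t iff
        delta_i * exp(-k*(t - t_i)) < delta_j * exp(-k*(t - t_j)).
    With t_j - t_i = gap this reduces to delta_i / delta_j < exp(k * gap); the
    observation time cancels, so cooling never restores ordering lost to
    unequal initial heating."""
    return delta_i / delta_j < math.exp(k * gap)


def max_tolerable_variation(gap, k):
    """Largest ratio delta_i/delta_j (earlier over later) that still preserves
    ordering.  For a 0.3 s inter-key gap and k = 0.05/s this is about 1.015,
    i.e. a 1.5% difference in contact heating already flips the inferred order."""
    return math.exp(k * gap)


# Constructed three-key sequence: (key, press time in s, temperature rise in K).
# Uniform heating: every press transfers the same energy to its key-cap.
UNIFORM_PRESSES = [("p", 0.0, 1.5), ("a", 0.3, 1.5), ("s", 0.6, 1.5)]
# Varied heating: contact duration and fingertip area differ per press.
VARIED_PRESSES = [("p", 0.0, 1.5), ("a", 0.3, 1.0), ("s", 0.6, 1.4)]

if __name__ == "__main__":
    for label, presses in (("uniform", UNIFORM_PRESSES), ("varied", VARIED_PRESSES)):
        inferred = order_by_intensity(presses, K_COOLING, t_obs=15.0)
        print(f"{label}: true={true_order(presses)} inferred={inferred}")
    print(f"tolerable ratio for 0.3 s gap: {max_tolerable_variation(0.3, K_COOLING):.4f}")
```

With uniform heating the intensity ranking reproduces the true order; with the modest variation in the second sequence the earliest press "p" shows the hottest residue and is ranked last. Because inter-keystroke gaps are a fraction of a second while key-caps cool over tens of seconds, exp(k * gap) stays close to 1, and any realistic variation in contact area or duration dominates the ordering signal.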

6.6. Mitigation Strategies

There are several simple strategies to mitigate or reduce the threat of Thermanator Attacks without modifying any existing hardware. The most intuitive is to introduce chaff typing right after a password is entered. This can be as simple as asking users to swipe their hands along the keyboard after password entry, or requiring them to introduce noise by typing arbitrary "chaff". This obscures the password by adding useless thermal residues, and thus makes the password key-presses much more difficult to retrieve. Another way is to avoid keyboard entry altogether and use the mouse to select (click on) password characters displayed on an on-screen keyboard. A variation is to have a drop-down menu for each position of the password, from which the user selects each character individually. A more burdensome alternative is to use the keyboard arrow keys to adjust a random character string (displayed on the screen) to the actual password. All such methods are well-known and quite viable. However, they are more vulnerable to Shoulder-Surfing Attacks, since it is easier to watch a victim's larger, visible screen than their smaller, partially occluded keyboard. Finally, a user willing to go to extreme lengths to avoid leaving thermal residues could wear insulating gloves or rubber thimblettes over their fingers during password entry. This would greatly reduce thermal residues and make Thermanator ineffective, since the thermal conductivity of the insulating material is much lower than that of human skin.

If hardware changes are possible, other mitigation techniques might be appropriate. For example, a touch-screen would allow password entry without the use of a keyboard. However, this would be more vulnerable to Shoulder-Surfing Attacks than keyboard entry. Also, the use of touch-screens opens the door to attacks that exploit the smudge patterns left behind by fingers (aviv2010smudge). Alternatively, common plastic keyboards could be replaced with metallic ones. Metals have much higher thermal conductivity than plastics, so any localized thermal residue very quickly dissipates throughout the keyboard. A similar strategy was adopted to protect ATMs from thermal attacks (mowery2011heat).

7. Comparison with Similar Attacks

We now compare Thermanator with several similar human factors-based insider attacks. We focus on several aspects: the adversary's Goal, any Required Equipment, the Timeliness requirements, whether a Careless Victim is needed, and finally, whether Prior Profiling of the victim is required. A summary of the comparison is shown in Table 1.

Attack Type          Adversary Goal          Timeliness      Careless Victim?   Equipment Needed               Prior Profiling Required?
Lunch-Time           Hijack Log-in Session   min (default)   YES                None                           NO
Shoulder-Surfing     Password                Real-Time       YES                Pair of Eyes or Video Camera   NO
Acoustic Emanations  Password                Real-Time       NO                 Audio Recorder                 YES
Keyboard Vibrations  Password                Real-Time       NO                 Accelerometer                  YES
Thermanator          Password                up to min       NO                 Thermal Camera                 NO
Table 1. Feature Comparison of Common Human-Based Attack Types.

7.1. Lunch-Time

Lunch-Time Attacks are performed by an insider adversary who relies on a careless victim that neglects to terminate their authenticated log-in session (shamir1999playing).

  • Objective: to gain access to a single secure (authenticated) session.

  • Required Equipment: none, the adversary only needs to physically access the computer once the victim leaves.

  • Timeliness: determined by the de-authentication technique(s) used by the victim. For example, the default inactivity timeout for Windows machines is a generous minutes.

  • Careless Victim: required for this attack to work. At the minimum, the victim needs to leave their workstation unattended without logging out or locking the screen.

  • Profiling: no prior victim profiling is needed. The adversary can be opportunistic; it gains access to an authenticated session without any additional or prior knowledge.

7.2. Shoulder-Surfing

Shoulder-Surfing Attacks are performed by the insider adversary who looks over the shoulder of a careless victim while the password is entered. It can also be performed with the aid of a (perhaps hidden) camera pointed at the victim’s keyboard, in which case adversarial presence is not required.

  • Objective: to learn the victim’s password.

  • Required Equipment: none, though a video camera can be useful.

  • Timeliness: real-time, as the adversary must watch the victim's password entry as it occurs.

  • Careless Victim: required, since the adversary has to stand over the victim's terminal to watch them type in their password. A careless victim is not required if a video camera has been pre-placed.

  • Profiling: no prior victim profiling is needed and the adversary can be opportunistic: it learns the victim’s password with no additional or prior knowledge.

7.3. Acoustic Emanations

Acoustic Emanations Attacks are performed by an insider adversary who instruments the victim's environment with an audio recording device and exploits the acoustic dynamics of keystrokes (zhuang2009keyboard).

  • Objective: learn the victim’s password.

  • Required Equipment: an audio recording device, placed nearby.

  • Timeliness: real-time, since the adversary must record the keyboard sounds instantaneously.

  • Careless Victim: not required; the recording device can be hidden from view.

  • Profiling: prior victim profiling is needed; the adversary must build an acoustic profile of the victim to accurately interpret keystroke sounds.

7.4. Keyboard Vibrations

Vibration Attacks are performed by the insider adversary using an accelerometer to record vibrations created by a victim typing into a keyboard, in order to reconstruct what was typed (marquardt2011sp, ).

  • Objective: learn the victim’s password.

  • Required Equipment: an accelerometer, placed nearby (closer than in Acoustic Emanations Attacks).

  • Timeliness: real-time, since the adversary must record the victim’s vibrations instantaneously.

  • Careless Victim: not required; the recording device can be hidden from view.

  • Profiling: prior victim profiling is needed; the adversary must build a vibration profile in order to accurately interpret keystroke vibration patterns.

7.5. Thermanator

Thermanator Attacks are performed by an insider adversary who images the thermal residues left on the keyboard by the victim shortly after password entry.

  • Objective: learn the victim’s password.

  • Required Equipment: thermal camera.

  • Timeliness: up to minute, the adversary must record the keyboard before thermal residues dissipate.

  • Careless Victim: not required; recording/imaging takes place after the victim leaves.

  • Profiling: prior victim profiling not needed. The adversary does not need any prior knowledge of the victim to analyze thermal images (though it obviously helps, especially with insecure passwords).

8. Related Work

Real-time attacks that target passwords (and countermeasures to them) have been studied extensively in the literature. Many methods have been proposed to mitigate Shoulder-Surfing Attacks (brudy2014anyone; kumar2007reducing; yamamoto2009shoulder). Several studies (asonov2004keyboard; zhuang2009keyboard; berger2006dictionary; zhu2014context) have shown that keyboard acoustic emanations leak information about pressed keys, and (halevi2012closer) investigated how typing style (Hunt-and-Peck vs. Touch) influences keyboard acoustic emanation attacks. As was recently shown, such attacks can even be mounted remotely (compagno2017don).

The earliest attempt to use a thermal camera was focused on recovering key-codes entered into a rubber keypad of an industrial-grade safe (SafeCracking, ). Although not much detail is provided, it is argued that the attack can successfully yield key-codes up to minutes after initial entry.

Andriotis et al. (andriotis2013pilot) discuss using a thermal camera to infer screen-lock patterns of smartphones. This study reports that screen-lock patterns can be seen up to seconds after entry when using a cold, just-booted smartphone. After a few seconds, it was no longer possible to extract any information about screen-lock patterns. In a similar effort, (abdelrahman2017stay) conducted more extensive experiments with users to assess the efficacy of thermal imaging attacks against screen-lock authentication. It was shown that PINs are vulnerable to such an approach, while swipe patterns are not.

Mowery et al. (mowery2011heat) investigated the influence of material composition (metal vs. plastic) and camera distance (14 vs. 28 inches) on PIN recovery, using a US$ thermal camera on commercial PoS-style PIN pads. Results showed that metallic PIN pads are not prone to PIN recovery, since thermal residue dissipates rapidly and metallic surfaces partially reflect thermal energy. For plastic PIN pads, with the thermal camera placed inches away, % of pressed keys were correctly identified immediately after entry. The success rate dropped to % and % after and seconds, respectively. Perfect code recovery at any time is rather low: %.

(sidhustudy) discuss the effectiveness of a low-cost thermal camera (attachable to a smartphone) in recovering 4-digit PINs entered into rubber keypads. The analysis shows that the camera's distance from the keypad is important: from and centimeters, and digits can be identified, respectively, up to seconds after entry.

Finally, (wodo2016thermal, ) discusses viability of thermal imaging attacks on various PIN-entry devices. Analysis showed that the attack is a credible threat. In addition, the study discusses how metallic surfaces can be conditioned to make thermal imaging attack successful. Surface conditioning methods include: hair spray, stretch foil or transparent nail polish. Nail polish was reported to be the best, though success rates were not provided.

9. Conclusions & Future Work

As formerly niche sensing devices become less and less expensive, new side-channel attacks move from "Mission: Impossible" towards reality. This strongly motivates the exploration of novel human-factors attacks, such as Thermanator. The work described in this paper sheds some light on the thermodynamic relationship between human fingers and external computer keyboards. In particular, it exposes the vulnerability of standard password-based systems to adversarial collection of thermal emanations.

Based on the results of our study, we believe that Thermanator Attacks represent a new credible threat for password-based systems, and that human-induced thermal side-channels deserve further study. This is especially true considering the constantly decreasing cost and increasing availability of high-quality thermal imagers. To this end, we anticipate the following future work directions:

Figure 20. "jordan23", seconds after entry, captured by the FLIR TG165.
  • Given marked differences in collectible data between Touch and Hunt-and-Peck typists, one interesting next step is to further refine our attack approach to handle expert typists who introduce natural chaff through resting their hands on the keyboard home-row. Correct disambiguation of a home-row key being a part of the password rather than thermal noise, would be very helpful in limiting the password search space.

  • Another future direction is a longitudinal study to model multiple instances of Thermanator Attacks, i.e., where the adversary, over time, has several chances to obtain thermal imaging data against the same victim. Our study only measured thermal residues from each subject once per password per keyboard. We hypothesize that a more persistent adversary would be more successful and more likely to recover the entire password after multiple Thermanator instances. However, substantial further experiments are needed to substantiate this claim.

  • It would also be useful to investigate lowering the bar for adversarial sophistication. Figure 20 shows an image of the password "jordan23" entered by a Hunt-and-Peck typist, seconds after entry, as captured by the inexpensive FLIR TG165. Specifications for this camera are detailed in Section 2.5. This image suggests that, in the long run, even an adversary with less capable equipment may pose a credible threat.

  • Finally, we intend to explore the collected thermal data to find ordering effects on typed passwords. Currently, we cannot correctly determine the sequence of pressed keys. However, this is probably a limitation of our specific equipment and not of the laws of thermodynamics. As shown in Section 2, although the rate of cooling slows down markedly as a hot object approaches room temperature, there remains some heat difference that can be observed by a sufficiently sensitive tool. If we modify our approach to pick apart these differences, the overall strength of Thermanator Attacks could be greatly increased.

Acknowledgements

We would like to thank Derek Dunn-Rankin and Michela Vicariotto for their generosity in lending us the FLIR SC620 for use in this study.

References

  • (1) Abdelrahman, Y., Khamis, M., Schneegass, S., and Alt, F. Stay cool! understanding thermal attacks on mobile-based user authentication. In Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems (2017), ACM, pp. 3751–3763.
  • (2) Andriotis, P., Tryfonas, T., Oikonomou, G., and Yildiz, C. A pilot study on the security of pattern screen-lock methods and soft side channel attacks. In Proceedings of the sixth ACM conference on Security and privacy in wireless and mobile networks (2013), ACM, pp. 1–6.
  • (3) Asonov, D., and Agrawal, R. Keyboard acoustic emanations. In Security and Privacy, 2004. Proceedings. 2004 IEEE Symposium on (2004), IEEE, pp. 3–11.
  • (4) Aviv, A. J., Gibson, K. L., Mossop, E., Blaze, M., and Smith, J. M. Smudge attacks on smartphone touch screens. In Proceedings of the 4th USENIX Workshop on Offensive Technologies (WOOT) (2010), pp. 1–7.
  • (5) Berger, Y., Wool, A., and Yeredor, A. Dictionary attacks using keyboard acoustic emanations. In Proceedings of the 13th ACM conference on Computer and communications security (2006), ACM, pp. 245–254.
  • (6) Brudy, F., Ledo, D., Greenberg, S., and Butz, A. Is anyone looking? mitigating shoulder surfing on public displays through awareness and protection. In Proceedings of The International Symposium on Pervasive Displays (2014), ACM, p. 1.
  • (7) Burton, A. The range and variability of the blood flow in the human fingers and the vasomotor regulation of body temperature. American Journal of Physiology-Legacy Content 127, 3 (1939), 437–453.
  • (8) Compagno, A., Conti, M., Lain, D., and Tsudik, G. Don't Skype & Type! Acoustic eavesdropping in Voice-over-IP. In Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security (2017), ACM, pp. 703–715.
  • (9) Dai, T., Pikkula, B. M., Wang, L. V., and Anvari, B. Comparison of human skin opto-thermal response to near-infrared and visible laser irradiations: a theoretical investigation. Physics in Medicine & Biology 49, 21 (2004), 4861.
  • (10) Halevi, T., and Saxena, N. A closer look at keyboard acoustic emanations: random passwords, typing styles and decoding techniques. In Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security (2012), ACM, pp. 89–90.
  • (11) Kumar, M., Garfinkel, T., Boneh, D., and Winograd, T. Reducing shoulder-surfing by using gaze-based password entry. In Proceedings of the 3rd symposium on Usable privacy and security (2007), ACM, pp. 13–19.
  • (12) Marquardt, P., Verma, A., Carter, H., and Traynor, P. (sp)iPhone: decoding vibrations from nearby keyboards using mobile phone accelerometers. In Proceedings of the 18th ACM Conference on Computer and Communications Security (2011), ACM, pp. 551–562.
  • (13) Mickelberg, K., Pollard, N., and Schive, L. US cybercrime: rising risks, reduced readiness. Key findings from the 2014 US State of Cybercrime Survey. US Secret Service, National Threat Assessment Center, PricewaterhouseCoopers (2014).
  • (14) Mowery, K., Meiklejohn, S., and Savage, S. Heat of the moment: Characterizing the efficacy of thermal camera-based attacks. In Proceedings of the 5th USENIX Conference on Offensive Technologies (WOOT) (2011), USENIX Association, pp. 6–6.
  • (15) Noyes, J. The QWERTY keyboard: A review. International Journal of Man-Machine Studies 18, 3 (1983), 265–281.
  • (16) Occupational Safety and Health Administration and others. OSHA Technical Manual. Section VIII (1999).
  • (17) Owusu, E., Han, J., Das, S., Perrig, A., and Zhang, J. Accessory: password inference using accelerometers on smartphones. In Proceedings of the Twelfth Workshop on Mobile Computing Systems & Applications (2012), ACM, p. 9.
  • (18) Peters, R. M., Hackeman, E., and Goldreich, D. Diminutive digits discern delicate details: fingertip size and the sex difference in tactile spatial acuity. Journal of Neuroscience 29, 50 (2009), 15756–15761.
  • (19) Pyda, M., Nowak-Pyda, E., Mays, J., and Wunderlich, B. Heat capacity of poly (butylene terephthalate). Journal of Polymer Science Part B: Polymer Physics 42, 23 (2004), 4401–4411.
  • (20) Robb, D. Sony hack: A timeline. http://deadline.com/2014/12/sony-hack-timeline-any-pascal-the-interview-north-korea-1201325501/, 2014.
  • (21) Sauro, J. Estimating productivity: composite operators for keystroke level modeling. In International Conference on Human-Computer Interaction (2009), Springer, pp. 352–361.
  • (22) Shamir, A., and Van Someren, N. Playing hide and seek with stored keys. In International conference on financial cryptography (1999), Springer, pp. 118–124.
  • (23) Sidhu, J. S., Butakov, S., and Zavarsky, P. Study of potential attacks on rubber pin pads based on mobile thermal imaging.
  • (24) Wodo, W., and Hanzlik, L. Thermal imaging attacks on keypad security systems. In SECRYPT (2016), pp. 458–464.
  • (25) Yamamoto, T., Kojima, Y., and Nishigaki, M. A shoulder-surfing-resistant image-based authentication system with temporal indirect image selection. In Security and Management (2009), pp. 188–194.
  • (26) Zalewski, M. Cracking safes with thermal imaging. http://lcamtuf.coredump.cx/tsafe/, 2005. Accessed: 2018-04-02.
  • (27) Zhu, T., Ma, Q., Zhang, S., and Liu, Y. Context-free attacks using keyboard acoustic emanations. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (2014), ACM, pp. 453–464.
  • (28) Zhuang, L., Zhou, F., and Tygar, J. D. Keyboard acoustic emanations revisited. ACM Transactions on Information and System Security (TISSEC) 13, 1 (2009), 3.