Thermanator and the Thermal Residue Attack

Conference: BlackHat EU 2018

2018-12-06

Summary

The presentation discusses the Thermanator attack, a thermal side-channel attack that can recover passwords from external keyboards. The study investigates the success rate of the attack and the factors that affect it.
  • The attack can be opportunistic or orchestrated.
  • The success of the attack depends on factors such as password strength, typing style, and keyboard type.
  • Hunt-and-peck typists are more vulnerable to the attack than touch typists.
  • The attack can recover entire sets of key presses as late as 30 seconds after entry and partial sets up to one minute after entry.
  • The study did not find reliable key press ordering information.
  • The study provides a distance metric for non-random passwords.
The Thermanator attack comes in two flavors: opportunistic and orchestrated. In the opportunistic version, the victim steps away of their own accord after typing their password. In the orchestrated version, an accomplice draws the victim away, giving the attacker time to take a thermal picture of the keyboard. The study found that hunt-and-peck typists are especially vulnerable, since every key they press is a key in the password. It also found that touch typists rest their hands on the home row, which confuses the attacker: the thermal residue on the home-row keys spreads to neighbouring keys, so the captured heat map includes keys that were never part of the password. The study did not find reliable key press ordering information, possibly because of differences in finger pressure, timing and contact area between presses, and combinations of these factors. However, the study provides a distance metric for non-random passwords.

Abstract

As warm-blooded mammals, humans routinely leave thermal residue on various objects with which they come in contact. This includes common input devices, such as keyboards, that are used for entering (among other things) secret information: passwords and PINs. Although thermal residue dissipates over time, there is always a certain time window during which thermal energy readings can be harvested from input devices to recover recently entered, and potentially sensitive, information. To date, there has been no systematic investigation of thermal profiles of keyboards, and thus no efforts have been made to secure them. This is the main motivation for designing Thermanator -- a framework for password harvesting from keyboard thermal emanations. In this talk, we introduce Thermanator and show that several popular keyboards by different manufacturers are vulnerable to thermal side-channel attacks. Thermanator allows us to correctly determine entire passwords tens of seconds after entry, as well as greatly reduce password search. The latter is effective even as late as 60 seconds after password entry. Furthermore, we show that thermal side-channel attacks work from as far as several feet away. Our results are based on extensive experiments conducted with a multitude of subjects using several common keyboards and many representative passwords. We demonstrate thermal side-channel attacks using a thermal (FLIR) camera. We also describe a very realistic "Coffee-Break Attack" that allows the adversary to surreptitiously capture a victim's password via the thermal side-channel in a realistic multi-user office setting or in a public space.
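The summary and abstract both make the same quantitative claim: a thermal capture leaks which keys were pressed but not their order, so it shrinks the password search space rather than revealing the password outright, fully within about 30 seconds and partially up to 60 seconds. The following added example (not code from the talk or the Thermanator project) estimates how much password entropy survives such a leak, so a defender can judge the residual risk of a given password policy. It assumes a 95-symbol printable-ASCII keyboard alphabet and a known password length; the scenarios at the bottom are constructed, not measurements from the study.

```python
from math import comb, log2


def surviving_candidates(length: int, leaked: int, alphabet: int) -> int:
    """Count passwords of `length` symbols over an `alphabet`-symbol keyboard
    that press each of the `leaked` distinct keys at least once.

    Inclusion-exclusion over the subset of leaked keys a candidate omits:
        sum_j (-1)^j * C(leaked, j) * (alphabet - j)^length
    With alphabet == leaked this is the number of orderings (surjections)
    of the leaked key set, i.e. the space left when ordering is unknown.
    """
    if leaked > alphabet or leaked > length:
        return 0  # no password can satisfy the constraint
    return sum((-1) ** j * comb(leaked, j) * (alphabet - j) ** length
               for j in range(leaked + 1))


def residual_entropy_bits(length: int, leaked: int, alphabet: int,
                          exact_set: bool) -> float:
    """Bits of search effort left after the thermal leak.

    exact_set=True models the <=30 s window: the whole key set is recovered,
    so the alphabet collapses to the leaked keys. exact_set=False models the
    partial (up to 60 s) window: the leaked keys are known to be present, but
    the password may also use keys whose residue has already faded.
    """
    n = surviving_candidates(length, leaked, leaked if exact_set else alphabet)
    return log2(n) if n else 0.0


def leak_report(length: int, leaked: int, exact_set: bool,
                alphabet: int = 95) -> dict:
    """Compare blind brute force with the post-leak search space."""
    blind = length * log2(alphabet)
    left = residual_entropy_bits(length, leaked, alphabet, exact_set)
    return {"blind_bits": round(blind, 1),
            "residual_bits": round(left, 1),
            "bits_lost": round(blind - left, 1)}


if __name__ == "__main__":
    # Constructed scenarios (length, distinct keys leaked, full set recovered?)
    for length, leaked, exact in [(8, 8, True), (8, 6, True),
                                  (8, 3, False), (12, 10, True)]:
        print((length, leaked, exact), leak_report(length, leaked, exact))
```

An 8-character password of 8 distinct keys keeps only about 15 bits of the 52.6 bits blind brute force would face once the key set is known, which is why the talk describes the attack as "greatly reducing password search" even without ordering information.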
