
Thermanator Attack Steals Passwords by Reading Thermal Residue on Keyboards - shreyanshd
https://www.bleepingcomputer.com/news/security/thermanator-attack-steals-passwords-by-reading-thermal-residue-on-keyboards/
======
edmanet
True story: A friend who was a heavy smoker asked me to fix his computer. I
went to his house and saw the beige desktop and CRT were stained tobacco brown
from second hand smoke. After fixing his "screen's all blurry" problem with
some Windex I was ready to go in and see what kind of spyware and viruses he
had managed to install on the machine.

I was about to ask for his password when I noticed the only spots not covered
in ashes on his keyboard were the W, S, C, B, U, N, and I keys. Knowing he was
a die-hard Chicago Cubs fan, it took me one try to guess the password: cubswin.

It was a nasty job but he was a good friend so I got his machine all
straightened out for him without judgement.

The things I do for beer...

~~~
jwilk
Isn't Windex bad for computer screens?

[https://news.ycombinator.com/item?id=17416298](https://news.ycombinator.com/item?id=17416298)
says "no Windex, as tempting as it might be!"

~~~
sevensor
It's fine for CRTs as far as I know. And even if it's not, it's probably an
improvement on tar.

------
neuralRiot
>Attackers need to be able to place a camera with thermal recording features
near a victim, and the camera must have a clear view of the keys for the
Thermanator attack to work.

Wouldn't it be easier to just set up a regular video camera, which can be the
size of a jacket button?

------
JoshTriplett
> The research team argues that it may be time to move away from passwords as
> a means to secure user data and equipment.

Many people have expressed this sentiment. By all means we should be using
two-factor authentication everywhere. But what, besides a password, has the
critical property of residing entirely within your mind and not being
obtainable without your cooperation (barring issues like this)?

Physical tokens can be stolen. Biometrics can be obtained and forged, or
physically coerced. Authenticating via a secondary device (such as a phone)
just moves the problem to "how do you authenticate to that device".

On the other hand, if you ever type in your password in a place where someone
can record you, someone could figure out your password, or at least get enough
information to make it easier to brute-force your password.

Short of a challenge-response scheme that you can compute entirely within your
mind without scratch materials, what could we use that would address both
problems? Something that can't simply be stolen or used without your
cooperation, but that also isn't potentially disclosed in reusable form every
time you use it?

~~~
cortesoft
Yeah, and you can't rotate your fingerprints or retinal scans.

~~~
seandougall
If you only train one fingerprint at a time, most people can rotate up to nine
times. It's a bit inconvenient, though. :)

~~~
cortesoft
Yeah, but stealing a single glass could get all your future passwords.

------
jmcmaster
Former NASA engineer turned YouTube science fun guy Mark Rober explained this
attack in 2014
[https://www.youtube.com/watch?v=8Vc-69M-UWk](https://www.youtube.com/watch?v=8Vc-69M-UWk)

and references this 2011 UCSD paper Heat of the moment: characterizing the
efficacy of thermal camera-based attacks

[https://dl.acm.org/citation.cfm?id=2028058](https://dl.acm.org/citation.cfm?id=2028058)

So not sure what the Thermanator folks are adding here...

EDIT: Thermanator paper cites the UCSD research, focuses on qwerty keyboards,
updated technology for thermal cameras, comparisons to other attack vectors
for public password entry (when you are at coffee shop, airport, ATM etc.).

------
neoteo
This is exactly how Theora Jones defeats Bryce Lynch's keypad in Max Headroom
(Blipverts episode)...in 1987. :)

~~~
closetohome
Ha! I was going to reference Splinter Cell, but that's probably where they got
it from.

------
fabricexpert
> THERMANATOR - The hottest attack of the summer! Coming soon to a computer
> near you!

Are our jobs really this dull that we have to give our projects stupid
Hollywood names?

~~~
qop
Counterpoint:

What if you could say "Yeah boss, Thermanator is complete and ready to be
unleashed." and mean it?

I spent thirty years turning in shit like "PrimitiveSpoofAttackDHCP" and
"TCPThreadPoolFlooder", but now I'm realizing I could've been writing Bond
villain superweapons all this time.

------
_raoulcousins
When I use an ATM, I always run my fingers along all of the keys after
entering my PIN. Nice to know it's not totally crazy.

~~~
jfktrey
The classic opsec-germs tradeoff

------
blobbers
Apparently the attacker has never seen my macbook air running a heavy
compilation job. Fan is cranked and the keyboard is so hot that there is no
way they are getting my password!

Nothing but noise to a thermal camera...

~~~
nomel
Maybe they would look for cool spots. I assume you would only run into
problems where the key was the same temperature as your finger.

~~~
blobbers
I was half making a joke... but I believe if you have a large external thermal
source or sink the time for keys to renormalize would be dramatically shorter.

------
sbhn
I tried this using a flir one on my iPhone.

[https://youtu.be/IMxZQ922rLs](https://youtu.be/IMxZQ922rLs)

Sorry, it sounds like a really good idea, but it just doesn't work very well
in practice.

The user's fingers don't sit on the keys long enough to transfer enough heat to
last. Just use a standard video camera if this is your thing.

------
Talyen42
great job getting by my mission impossible style laser beams, hackerman

now please enter your non-SMS two-factor authentication code

------
grumio
I like how this exact attack is used in the Splinter Cell games.

~~~
mieseratte
I knew I saw this somewhere!

I wonder what other security issues / lessons I internalized from that game...

~~~
blattimwind
Don't have open man-sized vents lead into your SCIF?

~~~
frockington
Until now I never even questioned why there would be man-sized vents in every
building.

------
angry_octet
Makes me wonder if you could achieve a similar effect by spraying some residue
over the keypad before the victim uses it, then looking at it after PIN entry.
For example, a fluorescing dust. As well as special fingerprinting powders
(e.g. [https://optimumtechnology.com.au/latent-fingerprint-powders/](https://optimumtechnology.com.au/latent-fingerprint-powders/)), you
can get stuff from art supply stores:
[https://www.glowpaint.com.au/blue-uv-black-light-powder/](https://www.glowpaint.com.au/blue-uv-black-light-powder/).

There is also thermochromic ink, e.g. a grey ink that changes to colourless at
15C. [http://www.smarol.com/Ultraviolet-Fluorescent-Powder.html](http://www.smarol.com/Ultraviolet-Fluorescent-Powder.html)

At this point, I don't think it is viable to pretend that long lifetime
secrets, like your bank PIN, are safe if entered into hundreds of different
keypads in insecure settings.

------
black_puppydog
I thought I read about this thing a long time ago, maybe on Brian Krebs' blog
(?) but I can't find it. It was in the context of ATMs but the idea seems the
same. All I can find at the moment, also on ATMs, is this from last year:

[https://www.albany.edu/iasymposium/proceedings/2017/Study%20...](https://www.albany.edu/iasymposium/proceedings/2017/Study%20of%20Potential%20-%20P15.pdf)

EDIT: That paper is actually cited in this work. They don't discuss the
novelty of their approach compared to this though. Just a bigger search space
due to more keys?

~~~
chris_mc
I always heard you should type your PIN at the ATM, then touch all of the
buttons a bunch to block this ability. That way they only see that all the
buttons were touched, not your PIN. Especially important now that thermal
cameras (crappy ones) are pretty cheap.

~~~
mikec3010
Why should I care? It's the bank's responsibility to secure their equipment
and refund any dollars stolen from me.

~~~
bluGill
Two reasons: if the bank can convince the court that you withdrew the money,
you are stuck with the loss. Even if the bank does suck up the loss, you will
be out your own money for several months while they investigate (they could be
the police or the bank).

------
amarant
At first, this seems completely harmless, but there are a few scenarios in
which this could potentially be a viable attack.

I doubt it's much use on computers, but imagine someone rigging a candid
infrared camera across the street from an ATM. You'd block the camera's view
while typing, but then you leave and it's game over.

~~~
faitswulff
This is a fairly well known attack on ATMs with plastic keys, but last I heard
metal keys make it nearly impossible to carry out.

~~~
amarant
Replace ATM with the CC terminal in your favorite food truck then. This is even
better, since you're not likely to type a withdrawal amount into those (and
thus add noise by pressing more keys).

Same thing goes, but they're rarely made of metal.

~~~
brianberns
A debit card can be used as a credit card at a CC terminal. No PIN and no
transaction fee. I don't think you'll find many people typing a PIN into a CC
terminal in the wild.

~~~
taumhn
AFAIK it's mostly in the US that using cards doesn't always require a PIN. Here
in Canada I have to enter my PIN whether it's my credit or debit card, for
every purchase at a CC terminal. The only exception is if I'm using
contactless payment. This was also true in Europe last I checked.

------
chenning
How is it 2018 and I can enable 2-factor auth on Twitter but not where I
withdraw money from my bank account?

~~~
mrguyorama
Is an ATM card and PIN not two factors?

~~~
moftz
I can wire my entire bank account away without any 2FA with online banking. My
bank just started doing SMS verification for new devices, but that's still not
really enough. Like, just get on the TOTP train and leave it alone.

~~~
mrguyorama
I believe some banks have 2FA. My bank's app will require me to set up SMS
verification by October. A little late, but better than never, I guess.

------
zokier
Not exactly novel research, the earliest mention I could quickly find of
pretty much the same idea was from _2005_

[http://lcamtuf.coredump.cx/tsafe/](http://lcamtuf.coredump.cx/tsafe/)

and then dozen different iterations since then.

------
dsfyu404ed
If the adversary has the level of physical access required to pull this off
you've already lost.

~~~
DylanBohlender
Exactly. If the adversary has a camera pointed at your keyboard, they can even
possibly attempt the more radical (and indefensible) “I literally recorded
what you typed” attack. Scary stuff.

~~~
biggerfisch
I think the argument here is that, since it can happen 30s later, you could
enter your password, look at the screen, lock your screen & walk away, without
being safe. Imagine a location where the mobo itself is secure enough to
prevent anyone from quickly inserting something, but anyone could have quick
access to the keyboard & monitor.

In that (highly contrived) situation, this attack is useful, since all you'd
need is a quick thermal pic, no longer recording needed.

~~~
Uberphallus
Keypads are, by far, the biggest target for this attack.

------
spitfire
I've always thought you could predict the characters in a password by looking
at the oil/polish on the keycaps.

I always figured this could be an attack someday. But didn't know the tech was
cheap enough/sensitive enough yet. I need to start being more paranoid.

~~~
r00fus
Which is why keeping your keyboards wiped down (I use baby wipes) isn't just
for compulsives.

It's a hygiene and security best practice.

~~~
bluGill
The oils on my fingers attack the print on my keyboard. After a few years the
"home row" is very faded. Fortunately my password is not something I type
often enough, compared to everything else I type, that you could figure
passwords out based on this.

------
stretchwithme
Probably a good idea to repeat at least one character.

~~~
deno
Depends on what the password is for. If it can be brute forced offline then
you’ll need a lot more than one character to make any difference.

~~~
stretchwithme
I think you missed my point. If you use a key more than once, heat can't be
used to figure out the first time that key was pressed. Only the second press
of it can be deduced.

~~~
deno
Sure but you reduce the search space considerably anyway.

------
eurticket
This seems like it's probably more crucial for PIN terminals at ATMs and
such.

------
orliesaurus
Is the link down due to the HN hug of death? Edit: Seems back now...

------
whatcanthisbee
Would continuing to type or holding the keys after/before entering my password
help?

~~~
Uberphallus
Slightly, as well as removing^H^H^H^H^H^H^H^Hdeleting characters, but the
picture invariably shows the keys used, so it will in any case reduce the
complexity of brute force attacks by several orders of magnitude.

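To put numbers on the "reduce the search space" point made in the two threads above (repeating a key, and touching every key afterwards), here is an added example that is not from the thread or the Thermanator paper. It compares the candidate space an attacker would face with and without knowing the set of keys that were pressed, using the cubswin anecdote from the top of the thread as constructed sample input; the `keys_seen` sets and the lowercase-letter alphabet are assumptions for illustration.

```python
from math import comb, log2

# Alphabet assumed for the illustration: lowercase letters only.
ALPHABET_SIZE = 26


def total_candidates(alphabet_size: int, length: int) -> int:
    """Candidate space when nothing leaks: every string of this length."""
    return alphabet_size ** length


def surjection_count(keys_used: int, length: int) -> int:
    """Strings of `length` over exactly `keys_used` symbols, each symbol used
    at least once (inclusion-exclusion). Models residue on k distinct keys."""
    if keys_used == 0 or keys_used > length:
        return 0
    return sum((-1) ** j * comb(keys_used, j) * (keys_used - j) ** length
               for j in range(keys_used + 1))


def candidates_after_leak(keys_seen: set, length: int, every_key_used: bool) -> int:
    """Candidate space once the attacker knows the password only uses keys in
    `keys_seen`. If the residue is trusted to mean every seen key was really
    pressed (no decoys), the count drops to surjections; if the victim touched
    extra keys afterwards, the attacker only knows a superset."""
    k = len(keys_seen)
    return surjection_count(k, length) if every_key_used else k ** length


def bits_lost(alphabet_size: int, length: int, remaining: int) -> float:
    """Entropy (bits) the leak removes from an otherwise uniform search."""
    return round(log2(total_candidates(alphabet_size, length) / remaining), 1)


def cubswin_report() -> dict:
    """Constructed scenario from the thread: seven distinct keys observed."""
    seen = set("cubswin")          # keys visible in the residue
    length = 7                     # attacker also knows the length
    exact = candidates_after_leak(seen, length, every_key_used=True)
    smeared = candidates_after_leak(set("abcdefghijklmnopqrstuvwxyz"), length,
                                    every_key_used=False)  # all keys touched
    return {
        "unaided": total_candidates(ALPHABET_SIZE, length),
        "keys_leaked": exact,
        "bits_lost": bits_lost(ALPHABET_SIZE, length, exact),
        "after_touching_all_keys": smeared,
    }
```

With only the key set and length leaked, the space collapses from about 8 billion to 5040 (roughly 20 bits lost); wiping every key afterwards returns it to the unaided figure, which is the mitigation the ATM commenters describe.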
~~~
ajuc
If I were an attacker and had easy-to-recover footage and weird "whole keyboard
is highlighted" footage, I would just discard the bad footage.

