True story: A friend who was a heavy smoker asked me to fix his computer. I went to his house and saw the beige desktop and CRT were stained tobacco brown from second hand smoke. After fixing his "screen's all blurry" problem with some Windex I was ready to go in and see what kind of spyware and viruses he had managed to install on the machine.
I was about to ask for his password when I noticed the only spots not covered in ashes on his keyboard were the W, S, C, B, U, N, and I keys. Knowing he was a die hard Chicago Cubs fan it took me one try to guess the password: cubswin.
It was a nasty job but he was a good friend so I got his machine all straightened out for him without judgement.
>Attackers need to be able to place a camera with thermal recording features near a victim, and the camera must have a clear view of the keys for the Thermanator attack to work.
Wouldn't it be easier to just set up a regular video camera, which can be the size of a jacket button?
> The research team argues that it may be time to move away from passwords as a means to secure user data and equipment.
Many people have expressed this sentiment. By all means we should be using two-factor authentication everywhere. But what, besides a password, has the critical property of residing entirely within your mind and not being obtainable without your cooperation (barring issues like this)?
Physical tokens can be stolen. Biometrics can be obtained and forged, or physically coerced. Authenticating via a secondary device (such as a phone) just moves the problem to "how do you authenticate to that device".
On the other hand, if you ever type in your password in a place where someone can record you, someone could figure out your password, or at least get enough information to make it easier to brute-force your password.
Short of a challenge-response scheme that you can compute entirely within your mind without scratch materials, what could we use that would address both problems? Something that can't simply be stolen or used without your cooperation, but that also isn't potentially disclosed in reusable form every time you use it?
So not sure what the Thermanator folks are adding here...
EDIT: Thermanator paper cites the UCSD research, focuses on qwerty keyboards, updated technology for thermal cameras, comparisons to other attack vectors for public password entry (when you are at coffee shop, airport, ATM etc.).
What if you could say "Yeah boss, Thermanator is complete and ready to be unleashed." and mean it?
I spent thirty years turning in shit like "PrimitiveSpoofAttackDHCP" and "TCPThreadPoolFlooder" but now I'm realizing I could've been writing Bond villain superweapons all this time.
Clearly the naming is wrong anyway - while the terminator saw in monochrome (infra?)red, thermal vision surely points to Predator, not The Terminator...
Apparently the attacker has never seen my macbook air running a heavy compilation job. Fan is cranked and the keyboard is so hot that there is no way they are getting my password!
I was half making a joke... but I believe if you have a large external thermal source or sink the time for keys to renormalize would be dramatically shorter.
At this point, I don't think it is viable to pretend that long lifetime secrets, like your bank PIN, are safe if entered into hundreds of different keypads in insecure settings.
I thought I read about this thing a long time ago, maybe on Brian Krebs' blog (?) but I can't find it. It was in the context of ATMs but the idea seems the same.
All I can find at the moment, also on ATMs, is this from last year:
EDIT:
That paper is actually cited in this work. They don't discuss the novelty of their approach compared to this though. Just a bigger search space due to more keys?
I always heard you should type your PIN at the ATM, then touch all of the buttons a bunch to block this ability. That way they only see that all the buttons were touched, not your PIN. Especially important now that thermal cameras (crappy ones) are pretty cheap.
Two reasons: if the bank can convince the court that you withdrew the money, you are stuck with the loss. Even if the bank does suck up the loss, you will be out your own money for several months while they investigate (this could be the police or the bank).
At first, this seems completely harmless, but there are a few scenarios in which this could potentially be a viable attack.
I doubt it's much use on computers, but imagine someone rigging a candid infrared camera across the street from an ATM. You'd block the camera's view while typing, but then you leave and it's game over.
Whenever possible I type in the PIN with a house key or car key. That way there's little, if not none at all, heat left behind and I don't have to contact a germ-laden touchpad. #germaphobe
Replace ATM with the CC terminal in your favorite food truck then. This is even better, since you're not likely to type a withdrawal amount into those (and thus add noise by pressing more keys).
A debit card can be used as a credit card at a CC terminal. No PIN and no transaction fee. I don't think you'll find many people typing a PIN into a CC terminal in the wild.
AFAIK it's mostly in the US that using cards doesn't always require a PIN. Here in Canada I have to enter my PIN whether it's my credit or debit card, for every purchase at a CC terminal. The only exception is if I'm using contactless payment. This was also true in Europe last I checked.
It also generates IR by itself. It wouldn't be a big problem to carry out the attack, as long as the keypad isn't reflecting any strong IR source towards the camera.
A thermal camera that has enough resolution to get individual keys from across the street is not gonna be cheap. A 1.8 Mpx @ 30 Hz is above $20k without a lens.
I do something similar but I think it's far more likely that a cheap webcam is positioned where it can view the keypad of those who don't screen it well. I always throw in a few "phantom" keypresses when entering a pin for my cc or bank card.
I can wire my entire bank account away without any 2FA with online banking. My bank just started doing SMS verification for new devices but that's still not really enough. Like, just get on the TOTP train and leave it alone.
Yes. I didn't really consider that. I was thinking more along the lines of an expiring token. If you had to punch it in, someone who came around and Thermanator'd it would always be too late.
Exactly. If the adversary has a camera pointed at your keyboard, they can even possibly attempt the more radical (and indefensible) “I literally recorded what you typed” attack. Scary stuff.
I think the argument here is that, since it can happen 30s later, you could enter your password, look at the screen, lock your screen & walk away, without being safe. Imagine a location where the mobo itself is secure enough to prevent anyone from quickly inserting something, but anyone could have quick access to the keyboard & monitor.
In that (highly contrived) situation, this attack is useful, since all you'd need is a quick thermal pic, no longer recording needed.
It seems like a limitation of this attack is that you must have the camera pointed at the keys ~1 minute from the last time it was used. (Presumably because the heat dissipates quite quickly.)
With that in mind, a TOTP solution probably won't help; most systems that use 2FA will allow two adjacent codes to be considered valid to cope with "minor" clock drift. If you're already using the computer 1 minute after the real owner has left, it is possible you could reuse any valid code - if you captured it.
I wouldn't be surprised... Seeing how bad we generally are at infosec. But it'd definitely be against a sane totp spec to allow a "one time pass" more than once.
In general you should store the most recently accepted counter (or epoch timestamp) and never allow travel back in time. That allows for clock drift, if the time between authentication attempts is less than the otherwise accepted drift.
Typically this is allowed. Probably because otherwise the server would have to store and compare state, but also because otherwise the user could be locked out for 60s.
> but also because otherwise the user could be locked out for 60s.
I don't see this. Note that it's not about rate limiting unsuccessful attempts (which obviously should be done to some extent) but about not allowing the valid OTP to be used twice. In the worst case, once the user has logged in he can't log in from another device for 60s. Not a huge limitation. Also AFAIK 30s rotation of the OTP is more common/standard.
>It seems like a limitation of this attack is that you must have the camera pointed at the keys ~1 minute from the last time it was used. (Presumably because the heat dissipates quite quickly.)
An attacker could just stick a camera into a dark corner of a room and have it run perpetually. Video exfiltration might be an issue but certainly not insurmountable.
RE: your second point: that's true, but the point of TOTPs is that they expire before they can realistically be guessed (assuming rate limiting on the TOTP server).
Physical access is often considered total access in the infosec community.
It implies the ability to, with enough prep time ahead of the actual physical access, inject malware through a physical interface (USB flash drive, rogue peripheral/HID, directly interfacing with an existing HID device), among others.
Edit: and in this case it includes planting cameras and other recording devices which can be assumed to have effectively limitless video/audio resolution.
It implies using your laptop in public, or typing in a keypad. And keypads tend to be used to separate public and private areas (and even worse, people leave the scene immediately after using it, making the attack even more inconspicuous).
One can easily attach a long tele lens to one of these cameras, so one could capture passwords through windows. Specialized IR lenses are expensive, but regular lenses can do a good enough job.
Edit: my bad, IR doesn't go through most glass materials. Still, laptops are commonly used in public, and through lenses or otherwise, your password can be leaked. That's worrying enough to stop the "physical access means total access" adage in this thread.
Good IR tele lenses are not just expensive, they don't even have prices, they have "phone numbers".
So you would have to get money from really a lot of people just to pay for the IR camera and the lenses.
The oils on my fingers attack the print on my keyboard. After a few years the "home row" is very faded. Fortunately my password is not something you can figure out based on this, since I type enough other things.
I think you missed my point. If you use a key more than once, heat can't be used to figure out the first time that key was pressed. Only the second press of it can be deduced.
Yes. Just hold your fingers over some random keys after inserting the card and wait to enter the pin. And after that just keep your hand over the keypad while you wait for the money.
(I have worked with thermal cameras for over 10 years and know the limits.)
Slightly, as well as removing^H^H^H^H^H^H^H^Hdeleting characters, but the picture invariably shows the keys used, so it will in any case reduce the complexity of brute force attacks by several orders of magnitude.
The things I do for beer...