Thermanator Attack Steals Passwords by Reading Thermal Residue on Keyboards (bleepingcomputer.com)
96 points by shreyanshd 6 months ago | 90 comments

True story: A friend who was a heavy smoker asked me to fix his computer. I went to his house and saw the beige desktop and CRT were stained tobacco brown from second hand smoke. After fixing his "screen's all blurry" problem with some Windex I was ready to go in and see what kind of spyware and viruses he had managed to install on the machine.

I was about to ask for his password when I noticed the only spots not covered in ashes on his keyboard were the W, S, C, B, U, N, and I keys. Knowing he was a die hard Chicago Cubs fan it took me one try to guess the password: cubswin.

It was a nasty job but he was a good friend so I got his machine all straightened out for him without judgement.

The things I do for beer...

Isn't Windex bad for computer screens?

https://news.ycombinator.com/item?id=17416298 says "no Windex, as tempting as it might be!"

It's fine for CRTs as far as I know. And even if it's not, it's probably an improvement on tar.

I'm guessing this was a while ago when screens were still glass bubbles


> Attackers need to be able to place a camera with thermal recording features near a victim, and the camera must have a clear view of the keys for the Thermanator attack to work.

Wouldn't it be easier to just set up a regular video camera, which can be the size of a jacket button?

> The research team argues that it may be time to move away from passwords as a means to secure user data and equipment.

Many people have expressed this sentiment. By all means we should be using two-factor authentication everywhere. But what, besides a password, has the critical property of residing entirely within your mind and not being obtainable without your cooperation (barring issues like this)?

Physical tokens can be stolen. Biometrics can be obtained and forged, or physically coerced. Authenticating via a secondary device (such as a phone) just moves the problem to "how do you authenticate to that device".

On the other hand, if you ever type in your password in a place where someone can record you, someone could figure out your password, or at least get enough information to make it easier to brute-force your password.

Short of a challenge-response scheme that you can compute entirely within your mind without scratch materials, what could we use that would address both problems? Something that can't simply be stolen or used without your cooperation, but that also isn't potentially disclosed in reusable form every time you use it?

Yeah, and you can't rotate your fingerprints or retinal scans.

If you only train one fingerprint at a time, most people can rotate up to nine times. It's a bit inconvenient, though. :)

Yeah, but stealing a single glass could get all your future passwords.

Would holding your finger upside down on the scanner work?

(Nope. My Nexus 5X unlocks no matter the orientation of my finger)

Former NASA engineer turned YouTube science fun guy Mark Rober explained this attack in 2014 https://www.youtube.com/watch?v=8Vc-69M-UWk

and references this 2011 UCSD paper, "Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks".


So not sure what the Thermanator folks are adding here...

EDIT: Thermanator paper cites the UCSD research, focuses on qwerty keyboards, updated technology for thermal cameras, comparisons to other attack vectors for public password entry (when you are at coffee shop, airport, ATM etc.).

This is exactly how Theora Jones defeats Bryce Lynch's keypad in Max Headroom (Blipverts episode)...in 1987. :)

Ha! I was going to reference Splinter Cell, but that's probably where they got it from.

> THERMANATOR - The hottest attack of the summer! Coming soon to a computer near you!

Are our jobs really this dull that we have to give our projects stupid Hollywood names?


What if you could say "Yeah boss, Thermanator is complete and ready to be unleashed." and mean it?

I spent thirty years turning in shit like "PrimitiveSpoofAttackDHCP" and "TCPThreadPoolFlooder", but now I'm realizing I could've been writing Bond villain superweapons all this time.

I thought naming things was one of those aspects of the job which can be nice and entertaining. It's easy to remember, where is the harm in this?

Clearly the naming is wrong anyway: while the Terminator saw in monochrome (infra?)red, thermal vision surely points to Predator, not The Terminator...

Makes me wonder about the variable names.

When I use an ATM, I always run my fingers along all of the keys after entering my PIN. Nice to know it's not totally crazy.

The classic opsec-germs tradeoff

You can also use something other than your fingers to press the buttons.

Apparently the attacker has never seen my MacBook Air running a heavy compilation job. The fan is cranked and the keyboard is so hot that there is no way they are getting my password!

Nothing but noise to a thermal camera...

Maybe they would look for cool spots. I assume you would only run into problems where the key was the same temperature as your finger.

I was half making a joke... but I believe if you have a large external thermal source or sink the time for keys to renormalize would be dramatically shorter.

I tried this using a FLIR One on my iPhone.


Sorry, it sounds like a really good idea, but it just doesn't work very well in practice.

The user's fingers don't sit on the keys long enough to transfer enough heat to last. Just use a standard video camera if this is your thing.

great job getting by my mission impossible style laser beams, hackerman

now please enter your non-SMS two-factor authentication code

I like how this exact attack is used in the Splinter Cell games.

I knew I saw this somewhere!

I wonder what other security issues / lessons I internalized from that game...

Don't have open man-sized vents lead into your SCIF?

Until now I never even questioned why there would be man-sized vents in every building.

Makes me wonder if you could achieve a similar effect by spraying some residue over the keypad before the victim uses it, then looking at it after PIN entry. For example, a fluorescing dust. As well as special fingerprinting powders (e.g. https://optimumtechnology.com.au/latent-fingerprint-powders/), you can get stuff from art supply stores: https://www.glowpaint.com.au/blue-uv-black-light-powder/ .

There is also thermochromic ink, e.g. a grey ink that changes to colourless at 15 °C. http://www.smarol.com/Ultraviolet-Fluorescent-Powder.html

At this point, I don't think it is viable to pretend that long lifetime secrets, like your bank PIN, are safe if entered into hundreds of different keypads in insecure settings.

I thought I read about this thing a long time ago, maybe on Brian Krebs' blog (?) but I can't find it. It was in the context of ATMs but the idea seems the same. All I can find at the moment, also on ATMs, is this from last year:


EDIT: That paper is actually cited in this work. They don't discuss the novelty of their approach compared to this though. Just a bigger search space due to more keys?

I always heard you should type your PIN at the ATM, then touch all of the buttons a bunch to block this ability. That way they only see that all the buttons were touched, not your PIN. Especially important now that thermal cameras (crappy ones) are pretty cheap.

Why should I care? It's the bank's responsibility to secure their equipment and refund any dollars stolen from me.

Two reasons: if the bank can convince the court that you withdrew the money, you are stuck with the loss. Even if the bank does suck up the loss, you will be out your own money for several months while they investigate (that could be the police or the bank).

At first, this seems completely harmless, but there are a few scenarios in which this could potentially be a viable attack.

I doubt it's much use on computers, but imagine someone rigging a candid infrared camera across the street from an ATM. You'd block the camera's view while typing, but then you leave and it's game over.

This is a fairly well known attack on ATMs with plastic keys, but last I heard metal keys make it nearly impossible to carry out.

Whenever possible I type in the PIN with a house key or car key. That way there's little, if any, heat left behind and I don't have to contact a germ-laden touchpad. #germaphobe

Replace ATM with the CC terminal in your favorite food truck then. This is even better, since you're not likely to type a withdrawal amount into those (and thus add noise by pressing more keys).

Same thing goes, but they're rarely made of metal.

A debit card can be used as a credit card at a CC terminal. No PIN and no transaction fee. I don't think you'll find many people typing a PIN into a CC terminal in the wild.

AFAIK it's mostly in the US that using cards doesn't always require a PIN. Here in Canada I have to enter my PIN whether it's my credit or debit card, for every purchase at a CC terminal. The only exception is if I'm using contactless payment. This was also true in Europe last I checked.

All the time in the EU, except if the card has NFC, then without PIN up to 20€ (depending on the bank).

Well, you still have to get the order right, though it might be possible to get an idea through the temperature differences.

Yeah metal reflects thermal IR like a mirror.

It also generates IR by itself. It wouldn't be a big problem to carry out the attack, as long as the keypad isn't reflecting any strong IR source towards the camera.

A thermal camera that has enough resolution to get individual keys from across the street is not gonna be cheap. A 1.8 Mpx @ 30 Hz is above $20k without lens.

This is why I habitually run my fingers across the keypad after entering my PIN. Paranoid thinking? Maybe.

I do something similar, but I think it's far more likely that a cheap webcam is positioned where it can view the keypad of those who don't screen it well. I always throw in a few "phantom" keypresses when entering a PIN for my CC or bank card.

How is it 2018 and I can enable 2-factor auth on Twitter but not where I withdraw money from my bank account?

Is an ATM card and PIN not two factors?

I can wire my entire bank account away without any 2FA with online banking. My bank just started doing SMS verification for new devices but that's still not really enough. Like, just get on the TOTP train and leave it alone.

I believe some banks have 2FA. My bank's app will require me to set up SMS verification by October. A little late, but better than never I guess.

Not even a TAN?

I think you need to change banks.

Yes. I didn't really consider that. I was thinking more along the lines of an expiring token. If you had to punch it in, someone who came around and Thermanator'd it would always be too late.

Not exactly novel research; the earliest mention I could quickly find of pretty much the same idea was from 2005


and then a dozen different iterations since then.

If the adversary has the level of physical access required to pull this off you've already lost.

Exactly. If the adversary has a camera pointed at your keyboard, they can even possibly attempt the more radical (and indefensible) “I literally recorded what you typed” attack. Scary stuff.

I think the argument here is that, since it can happen 30s later, you could enter your password, look at the screen, lock your screen & walk away, without being safe. Imagine a location where the mobo itself is secure enough to prevent anyone from quickly inserting something, but anyone could have quick access to the keyboard & monitor.

In that (highly contrived) situation, this attack is useful, since all you'd need is a quick thermal pic, no longer recording needed.

Keypads are, by far, the biggest target for this attack.

Indefensible is debatable. It can be defeated using any of the major 2FA mechanisms (FIDO U2F, HOTP/TOTP come to mind).

It seems like a limitation of this attack is that you must have the camera pointed at the keys ~1 minute from the last time it was used. (Presumably because the heat dissipates quite quickly.)

With that in mind a TOTP solution probably won't help: most systems that use 2FA will allow two adjacent codes to be considered valid to cope with "minor" clock drift. If you're already using the computer 1 minute after the real owner has left, it is possible you could reuse any valid code, if you captured it.

Allowing adjacent codes and accepting the same code twice is not the same. I would be surprised if TOTP allowed for accepting the same code twice.

I wouldn't be surprised... seeing how bad we generally are at infosec. But it'd definitely be against a sane TOTP spec to allow a "one time pass" more than once.

In general you should store the most recently accepted counter (or epoch timestamp) and never allow travel back in time. That allows for clock drift, if the time between authentication attempts is less than the otherwise accepted drift.

Typically this is allowed. Probably because otherwise the server would have to store and compare state, but also because otherwise the user could be locked out for 60s.

> but also because otherwise the user could be locked out for 60s.

I don't see this. Note that it's not about rate limiting unsuccessful attempts (which obviously should be done to some extent) but about not allowing the valid OTP to be used twice. In the worst case, once the user has logged in they can't log in from another device for 60s. Not a huge limitation. Also AFAIK 30s rotation of the OTP is more common/standard.
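The verifier sketched above (remember the last accepted time step and never travel back) next to the stateless window check it replaces, as an added example that is not from the thread or any bank's code. The HOTP/TOTP arithmetic follows RFC 4226 / RFC 6238 (HMAC-SHA1, 30 s steps, 6 digits, one step of drift either side); the secret is the RFC test-vector key, so the codes are the published reference values.

```python
"""TOTP verifier that tolerates clock drift but refuses to replay a code."""
import hashlib
import hmac
import struct

STEP = 30      # seconds per time step (RFC 6238 default)
DIGITS = 6
DRIFT = 1      # adjacent steps tolerated either side of "now"

SECRET = b"12345678901234567890"   # RFC 4226 / 6238 SHA-1 test-vector secret


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, zero-padded digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, now // step)


def verify_naive(secret: bytes, code: str, now: int, drift: int = DRIFT) -> bool:
    """Stateless check: any code inside the drift window passes, every time,
    so a code captured a few seconds ago is accepted again."""
    current = now // STEP
    return any(hmac.compare_digest(hotp(secret, t), code)
               for t in range(max(0, current - drift), current + drift + 1))


class TotpVerifier:
    """Stateful check: remembers the highest step already consumed and
    rejects that step and everything before it, so a code works once."""

    def __init__(self, secret: bytes, drift: int = DRIFT):
        self.secret = secret
        self.drift = drift
        self.last_step = -1    # highest time step used for a successful login

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for t in range(max(0, current - self.drift), current + self.drift + 1):
            if t <= self.last_step:
                continue       # same or earlier step: a replay, reject it
            if hmac.compare_digest(hotp(self.secret, t), code):
                self.last_step = t
                return True
        return False
```

The owner's code from step 1 is still accepted at step 2 (drift), but once consumed it is refused for the rest of the window while the genuine step-2 code still works.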

> It seems like a limitation of this attack is that you must have the camera pointed at the keys ~1 minute from the last time it was used. (Presumably because the heat dissipates quite quickly.)

An attacker could just stick a camera into a dark corner of a room and have it run perpetually. Video exfiltration might be an issue but certainly not insurmountable.

RE: your second point: that's true, but the point of TOTPs is that they expire before they can realistically be guessed (assuming rate limiting on the TOTP server).

What's that saying, 'physical access is total access'?

Physical access is often considered total access in the infosec community.

It implies the ability to, with enough prep time ahead of the actual physical access, inject malware through a physical interface (USB flash drive, rogue peripheral/HID, directly interfacing with an existing HID device), among others.

Edit: and in this case it includes planting cameras and other recording devices which can be assumed to have effectively limitless video/audio resolution.

It implies using your laptop in public, or typing in a keypad. And keypads tend to be used to separate public and private areas (and even worse, people leave the scene immediately after using it, making the attack even more inconspicuous).

One can easily attach a long tele lens to one of these cameras, so one could capture passwords through windows. Specialized IR lenses are expensive, but regular lenses can do a good enough job.

Edit: my bad, IR doesn't go through most glass material. Still, laptops are commonly used in public, and through lenses or otherwise, your password can be leaked. That's worrying enough to stop the "physical access means total access" adage in this thread.

Good IR tele lenses are not just expensive, they don't even have prices, they have "phone numbers". So you would have to get money from really a lot of people just to pay for the IR camera and the lenses.


Basically double that of high end SLR lenses.

Thermal cameras don't really work through glass.

I've always thought you could predict the characters in a password by looking at the oil/polish on the keycaps.

I always figured this could be an attack someday. But didn't know the tech was cheap enough/sensitive enough yet. I need to start being more paranoid.

Which is why keeping your keyboards wiped down (I use baby wipes) isn't just for compulsives.

It's a hygiene and security best practice.

The oils on my fingers attack the print on my keyboard. After a few years the "home row" is very faded. Fortunately, my password is not something I type often enough, relative to everything else, that you could figure passwords out based on this.

Probably a good idea to repeat at least one character.

Depends on what the password is for. If it can be brute forced offline then you’ll need a lot more than one character to make any difference.

I think you missed my point. If you use a key more than once, heat can't be used to figure out the first time that key was pressed. Only the second press of it can be deduced.

Sure but you reduce the search space considerably anyway.

Yeah, and just use lots of characters. And at least one use of the shift key :)

This seems like it's probably more crucial for PIN terminals at ATMs and such.

Is the link down due to the HN hug of death? Edit: Seems back now...

Would continuing to type or holding the keys after/before entering my password help?

Yes. Just hold your fingers over some random keys after inserting the card and wait to enter the PIN. And after that just keep your hand over the keypad while you wait for the money.

(I have worked for over 10 years with thermal cameras and know the limits.)

Slightly, as well as removing^H^H^H^H^H^H^H^Hdeleting characters, but the picture invariably shows the keys used, so it will in any case reduce the complexity of brute force attacks by several orders of magnitude.

If I was an attacker and had easy-to-recover footage and weird "whole keyboard is highlighted" footage, I would just discard the bad footage.

So are hardware keys the only answer?
