This isn't news to me at all. For ATM/Pin pads, I wipe my fingers across every button as I press in the code, so it obscures what was actually pressed, and linger fingers on keys not even in my pin code. With enough practice, it doesn't take more than a second or two longer than normally entering it.
As far as keyboards, I really don't ever interact with computers that don't belong to me or aren't in a secure area, but I have a custom scripted "keyboard" USB circuit thing that emulates keypresses for me. I don't know what to even call it, but it's like a mini Arduino sorta thing that emulates a generic Microsoft keyboard to whatever you plug it into. It looks like a stick of RAM with a USB plug, kinda. I have a few preset buttons that'll type in my login info to automate logging into things. I made it as a hardware password manager.
Indeed, this is not a new idea. The news here is about a particular implementation for extracting passwords from QWERTY keyboards.
That said, this is not a big problem for ATM pin pads with metal keys, because these conduct heat well and so a heat pattern is hard to detect after a few seconds. See: https://www.youtube.com/watch?v=PJCfTlQ82Fw
I've been in a hotel where the rooms had pin pads as locks that required you to press two random numbers every time you want to enter. The pad was a bit sensitive to fingerprints, but due to this mechanism there would be fingerprints all over the device.
My list of ATM defensive rituals grows even longer.
For those who think time at ATM matters, consider a thermal camera like the one at the start of the video, concealed in the cabinet by fake panels. You enter your PIN, move your hand away to touch the screen seconds later, you're pwned. Thermal cam has your digits and vague sense of hand movements.
Cover the keypad with your other hand, take detours when moving your hand, and, now, pretend press a handful of random keys.
I will try inserting bogus numbers into my PIN ritual and pretend pressing them as part of entry. Should protect against hand movements and thermal imaging as well.
What's easier, doing an elaborate dance every single time you touch an ATM, or cancelling your card and having the bank revert the transactions in the relatively slim chance of fraud? :)
Thinking about this for an ATM. How about entering your password and then pushing every other key. That would leave approximately the same heat signature in every key. Maybe.
Long passwords with repeated characters are the easiest defeat of this "attack". A simple camera that records the actual keypresses is a much more sensical attack. After all, if you can present a thermal camera to the keypad, you can present an actual camera. Why use heat residue to "guess" keypresses with an 80-ish% accuracy rate at best, when you can record the actual keypresses, in the right order, including repeated characters, with a much higher accuracy rate? The only possible use for this "attack" is for analyzing residual heat with a handheld thermal camera after the person is gone, but as mentioned, long passwords with repeated keypresses are the defeat, as is simply holding your hand on the keyboard after the password is entered. If you can protect against a visual camera then that's more important.
No, I meant palindrome, so that you end up repeating the same letters with little increase in memorization complexity, but that works too - throw together a few anagrams and you're golden.
My favorite palindrome is "A man, a plan, a canal, Panama". Supposedly a reference to former US president Theodore Roosevelt and his quest for the Panama canal.
It is well past time to stop using passwords. We should be using TLS client certs (as in mutual TLS aka mTLS) or WebAuthn passkeys already. I prefer certs because they don't require support in the web application, but they have a terrible UI and browsers seem to be making that worse, so WebAuthn it is. I just wish WebAuthn had a standardised HTTP header or TLS extension so it would be usable without JavaScript; currently every website has to implement its own login protocol in JavaScript.
That's probably better. But moving entirely from "things I know" to "things I own" comes with its own set of security disasters waiting to happen. We are better off using those to augment the password than to replace it.
Yes. Either you use one physical key for everything, in which case you have to keep it with you all the time, which makes it only a matter of time before you lose it, or you have one ultra-secure key which you don’t normally use, leading to another problem:
I don't think "things I own" is a bad security model in itself.
The ideal of authentication (to me) seems to be some kind of USB dongle with your private key baked in the hardware, that you can use to create digital signatures proving your identity. Short of stealing the dongle, there is no way anyone can steal your identity.
Using your dongle example, how do you access important services away from home? Carry the dongle everywhere? If so, you risk losing the dongle.
Same with your phone as the "thing I own". That's great, until the phone dies/breaks/gets lost. Hopefully you have a tablet as backup, or the paper copy of your one-time codes in your wallet.
I don't have a good answer. I just hate the idea of needing to access banking services when traveling should my phone become unavailable.
> Carry the dongle everywhere? If so, you risk losing the dongle.
To be fair, we also carry our IDs everywhere and risk losing them all the time, yet it works pretty fine in most cases. Losing your ID is painful, and so would be losing the dongle, but the security of it outweighs the risk, IMHO.
Even more if we create dongles that are shaped like cards, so we can keep them in our wallets like IDs.
Normally you do not use the ID in day to day operations.
A better example would be a credit card, which combines a password (or pin) with a cryptographic chip.
The card itself is too easy to steal, hence the backup password.
The other possibility is biometrics, but these come with their own problems.
The answer with WebAuthn devices is to have more than one of them. When traveling, keep one in your safe, one with your home computer, one in the hotel and one along with your laptop. With WebAuthn passkeys, they are synced to the cloud so are available on all your devices or anywhere you have access to your cloud accounts.
Apple/Microsoft are also adding WebAuthn "passkeys", which is basically the same as the USB device thing, except the keys are stored on your laptop instead, perhaps in the TPM or similar. They are also synced across devices using their cloud services.
Passwords for websites are (hopefully) hashed locally. And more importantly, how does it make a difference whether you or the password manager types in the password into the web form?
They appear to be using a somewhat costly handheld thermal camera, which likely has a FLIR Boson or equivalent sensor. Those are pretty bulky and expensive, making it hard to use this attack without hanging out near the keyboard/keypad you want to surveil.
A FLIR Lepton series[0], or similar, is much smaller, but still ~$160/ea., and even though it is "smaller", it's not as easy to hide in an ATM as a cheap pinhole camera. It is also much lower resolution and has lower thermal sensitivity. Which would most likely greatly reduce the places where you could deploy this equip in a leave-behind covert setup.
It looks like a neat proof of concept, but probably not a day to day risk the average person needs to be concerned about.
Yes, you're much more likely to have a regular camera installed on the ATM or keypad. Night vision makes it work at all times. Or you can instrument a keypad with a laser sensor overlay.
The IR camera is used to defeat obscured keypads only...
People in urban public spaces are already entering passwords to phones, tablets and laptops within full view of cameras that can see the dirt under their fingernails.
There's a bit of a problem in academia / academic papers, where the researchers feel compelled to comment on "impact", i.e., "why is this important / what are the implications". This is often required by the journal / reviewers as well. I confess I have been guilty of it as well (both as an author and as a reviewer).
Which is not bad in itself, but sometimes there's no obvious immediate impact. That's the beauty of science. You do it to learn about something, and somebody may be interested in that something further down the line. E.g. MRI research came from hypercolliders / space research. It's unlikely particle smashers wrote "this could be used to generate medical images" in their conclusions section. At most they probably wrote "this could be used to create black holes and kill everybody" instead. (/s)
Having to come up with a half-baked impact case as an afterthought in the conclusion often manages to ruin the entire paper for me. It's the case for this article too. I was like, "wow, wow, wow, interesting", until I reached the "this could be used to ban thermal cameras" part, at which point I was "no, no, no, God no".
Really? Was fairly sure Splinter Cell really didn't invent this, but it was what came to mind. Didn't know it went back that far. I'll have to look that up, I only know Max Headroom from clips.
There would still be a temperature difference for some time after entering a PIN until the keys used are fully cooled. So this method might not fully mitigate the attack.
A better solution could be to heat the keys to about the same temperature as a human's finger tips, so that no heat is being transferred while entering a PIN.
Exactly, easier and much more effective than the mitigation suggested by the scientists:
>One potential risk-reduction pathway could be to make it illegal to sell thermal cameras without some kind of enhanced security included in their software.
Maybe something loosely similar to the protection that is said to be present in very high-level colour photocopiers, which prevents them from photocopying money?
This is actually a great point I hadn't even considered. I had heard of cretins using a small grease film, like a tiny layer of Vaseline etc., on pinpads, and then after the victim uses it, they would shine a light on it to see.
My bank ATM randomly sends a one-time passcode to my mobile phone and challenges me to enter that on the ATM pinpad (in addition to my ATM pin). This is especially true when I try to withdraw from an ATM that is not my usual location (or, I guess, an ATM at a location that is internally flagged for a high number of ATM fraud incidents).
There are ATMs in Europe that will take the card, ask for what you want to do, ask the amount if it’s a withdrawal, and then ask for the PIN and dispense it. This reduces the time between typing and dispensing. No idea if it’s a significant enough reduction in the time versus card, pin, navigate to withdraw, dispense such that it would enable this attack.
I have already seen some ATMs that shuffle the numbers on the numberpad around for each PIN entry. It is inconvenient for muscle memory, but prevents this kind of attack.
I know somebody working at a bank who talked about their implementation, and how many elderly customers block their cards after wrongly entering their pin.
Also, to mitigate the problem somewhat, one could obfuscate the order in which the numbers were pressed by setting a custom pin with repeating numbers. Ideally, just repeating one. /s
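A way to quantify what the warm-key set actually leaks, and why the repeated-digit trick discussed above and the decoy presses suggested earlier in the thread widen the attacker's search space. This is an added example, not code from any commenter; the observation model (the attacker sees which keys are warm, optionally with a hottest-last recency ordering) is a simplifying assumption.

```python
from itertools import product

# Constructed model (assumption, not from the thread): a thermal image of a
# keypad reveals the set of warm keys and, at best, the order in which they
# cooled, i.e. the order of each key's *last* press.


def candidate_pins(observed, pin_length, recency_known=False):
    """Count PINs of pin_length consistent with a thermal observation.

    observed:      warm keys listed coolest-first (pressed earliest) through
                   hottest-last (pressed most recently).
    recency_known: if True the attacker also trusts that cooling order, so
                   the order of each key's last press must match `observed`.
    Assumes no decoys: every observed key was really part of the PIN.
    """
    keys = list(dict.fromkeys(observed))  # dedupe while keeping order
    if len(keys) > pin_length:
        return 0  # more warm keys than digits: observation inconsistent
    count = 0
    for pin in product(keys, repeat=pin_length):
        if set(pin) != set(keys):
            continue  # every warm key must be used at least once
        if recency_known:
            last_press = sorted(
                keys, key=lambda k: max(i for i, d in enumerate(pin) if d == k)
            )
            if last_press != keys:
                continue  # cooling order contradicts this candidate
        count += 1
    return count


def candidates_with_decoys(observed, pin_length):
    """With decoy presses the attacker only knows the real digits are a
    subset of the warm keys, so any sequence over them is possible."""
    return len(set(observed)) ** pin_length


if __name__ == "__main__":
    # Constructed sample observations: four distinct warm keys vs. three
    # (one digit repeated) vs. every key on the pad touched as a decoy.
    for seen in ("1479", "258", "37"):
        print(seen, candidate_pins(seen, 4), candidate_pins(seen, 4, True))
    print("decoys on all 10 keys:", candidates_with_decoys("0123456789", 4))
```

Four distinct warm keys with a trusted cooling order leave a single candidate, while one repeated digit already forces the attacker through 6 to 36 guesses, and touching the whole pad leaves the full 10,000.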
That's how pin pads on doors work: you punch in the PIN, then immediately go through the door. And those pin pads are somewhat popular in commercial settings because it's easier to distribute knowledge than to distribute physical keys.