Thermal Attacks - How Heat From Fingertips Can Reveal Passwords

Since a single password only safeguards so much personal information, it is sadly unsurprising that some people take advantage of the flaws in this security technique to access sensitive data. While you might already be familiar with some of the most used hacking methods, such as phishing, malware and brute force attacks, researchers have recently shed light on an unexpectedly bizarre new attack alternative: Thermal Attacks.

One of the most common method of thermal tracking is called the "Thermanator". This somewhat strange name for the hacking method combines the title of the famous cyborg assassin “Terminator” with the prefix “therm” (meaning heat), thus accurately reflecting the attack's strategy: using user-left heat signatures to exploit keyboards.

This article discusses the phenomenon of thermal attacks and how we can avoid falling victim to them. 

What are Thermal Attacks?

If you have ever looked into a thermal camera, you might find traces of human touch remain visible on an object or surface in the form of fingerprints. This phenomenon also applies to common input devices such as phones and keyboards, which you may use to enter sacred credentials. Unfortunately, hackers are no strangers to this fact. 

While the prints fade after a while, there is always a window of time where thermal energy measurements from input devices can be collected to retrieve recently submitted information, which can range from a harmless text message to a password you use to access sensitive data. 

Image Source: SciencePhotoLibrary

The Thermanator

This hidden danger of seemingly harmless thermal residues was unveiled within the framework of an experiment carried out by three scientists from the University of California, Irvine (UCI). The researchers analyzed a distinct type of insider attack they titled “thermanator,” which involves an attacker exploiting the function of a thermal camera to reveal passwords that have been entered on a keyboard. Astonishingly, this thermanator-experiment led the researchers to correctly recall whole sets of key presses as late as 30 seconds after the initial character was entered, following four simple steps:

“STEP 1: The victim uses a keyboard to enter a genuine password as part of the log-in (or session unlock) procedure. 

STEP 2: Shortly after that, the victim either: (1) willingly steps away or (2) gets drawn away from the workplace.

STEP 3: Using thermal imaging (e.g., photos taken by a commodity FLIR camera), the adversary harvests thermal residues from the keyboard.

STEP 4: Later, the adversary uses the “heat map” of the images to determine recently pressed keys. This can be done manually (i.e., via visual inspection) or automatically (i.e., via specialized software).

REPEAT: The adversary can choose to repeat STEPS [1-4] over multiple sessions.”

ThermoSecure: The Thermanator gets an Upgrade

While the previously mentioned Thermanator attack already had a high success rate in guessing passwords with the help of thermal residues, it ultimately comes with the handicap of a time limit. For the attack to work, the attacker would have to take the picture with the thermal camera just thirty seconds after the first key was entered; accordingly, this practice might prove extremely hard to conduct in an everyday scenario.

However, thermal attacks do not admit defeat just yet. In a newer study for ACM Transactions on Privacy and Security, the research team led by Dr. Khamis could astonishingly reveal that the time limit and the accuracy of the guesses can be further expanded by leveraging deep learning techniques. According to the team, due to machine learning becoming increasingly accessible, it is more and more likely that attackers will employ it to improve their thermal attacks.

This discovery of the ThermoSecure attack was made possible by the researchers' probabilistic training of an artificial intelligence model to efficiently scan the thermal photos and generate educated predictions about the passwords from the heat signature clues. Evidently, the help of an AI has significantly changed the success rate of this hacking method: Not only did ThermoSecure guess passwords of an average length (8 characters) with 93% accuracy within 20 seconds after they have been entered, but the attack could even reveal long passwords of 16 characters with almost 70% accuracy.

However, the biggest revelation lies in the technique’s capability of accurately revealing passwords, even if the thermal image was taken over a minute after the keys were pressed. The success rate of the AI guessing the secret code lies at 62% at the 60-second mark. 

How to stay safe

As thermal cameras become cheaper and easier to access, the chance of misuse is correspondingly increasing as well. Fortunately, there are some factors that can significantly decrease the success rate of thermal attacks.

Touch typing over Hunt-and-Peck

Despite using keyboards for the same ultimate purpose, surprisingly, the technique by which people press the keys has a significant effect on the quality of thermal imaging data. Generally, typists can be grouped into two main categories:

• Hunt-and-Peck typists - Keyboard users who do not rest their fingertips on the home row and usually spend more time looking for the key to press.
• Fast / Touch typists – They rest their fingers on (or lightly touch) the home row while typing.

It likely comes as no surprise that the former method, which involves the person only touching the keys included in the password, leaves little room for interpretation. Accordingly, hunt-and-peck typists are more vulnerable to thermal attacks than fast typists, with a success rate increase of around 10%.

PBT keycaps

Even though typing behavior can influence the success rate of thermal attacks, there is another factor at play that is arguably even more relevant: the interface of the keyboard in use. While the material of the keycaps usually plays a lesser role in the purchase of a new keyboard for most people, in the context of thermal attacks, it becomes imperative.

Objects created out of a material with a lower heat conductivity can retain the thermal trace of human touch for a more extended period. This rule, of course, also applies to keyboards: As an example, Polybutylene Terephthalate plastic (PBT) keycaps are known to be significantly less vulnerable to thermal attacks than ones made out of Acrylonitrile Butadiene Styrene plastic (ABS) due to the faster fading of its heat traces. 

Regardless of the length of your password, using a PBT keyboard is a reasonably practical protection measure against thermal attacks. However, it is worth noting that higher durability comes with a higher price.

The ultimate solution – Ditching passwords

While a thermal attack might seem like an unlikely crime to fall victim to, unfortunately, it is but one name on the long list of cyber-attacks exploiting the simplicity of password-based authentication.

The main reason behind the increasing vulnerability of passwords is evident: The paradox of it having to be both complex and easily recallable. This dilemma of choosing a password often leads people to either select a string of characters that could be hacked in seconds or one that they might forget the next day – a middle ground is increasingly harder to find. 

Fortunately, there are alternate authentication methods that are more effective in protecting you from attacks that prey on your password. One of the most notable examples is Multi-Factor Authentication (MFA). MFA commonly utilizes a passwordless factor (such as Fingerprint, Face ID, or physical tokens) in addition to the regular username-password login method, providing a secondary layer of security for your data. While each method of MFA is significantly safer than a password alone, in the context of protecting yourself from a thermal attack, an out-of-band or off device factor would generally be most effective. Thus, even if an attacker manages to take a picture of your keyboard, they could still not access your account without the additional authentication factor sent to the other device.  

Alternatively, you can protect your data by authenticating yourself using a** passwordless method**. This alternative completely substitutes passwords with a passwordless factor, whereas the formerly mentioned MFA operates using a combination of the two. Akin to the case of MFA, it is advised to authenticate yourself via an off device passwordless factor to minimze your chances of falling victim to a thermal attack.