{"id":4524,"date":"2018-07-12T23:06:00","date_gmt":"2018-07-12T17:36:00","guid":{"rendered":"https:\/\/qadit.com\/blog\/new-insider-attack-steals-passwords-by-reading-thermal-energy-from-keyboards\/"},"modified":"2018-07-12T23:06:00","modified_gmt":"2018-07-12T17:36:00","slug":"new-insider-attack-steals-passwords-by-reading-thermal-energy-from-keyboards","status":"publish","type":"post","link":"https:\/\/qadit.com\/blog\/new-insider-attack-steals-passwords-by-reading-thermal-energy-from-keyboards\/","title":{"rendered":"New insider attack steals passwords by reading thermal energy from keyboards"},"content":{"rendered":"<p>After entering a password, your regular computer keyboard might look the same as always, but a new approach that harvests thermal residue can reveal the recently pressed keys, showing that keyboard-based password entry is even less secure than previously thought.<\/p>\n<p><img decoding=\"async\" title=\"Thermal image of passw0rd 20 seconds after entry\" alt=\"Thermanator\" src=\"https:\/\/www.helpnetsecurity.com\/images\/posts2018\/thermal-emanation2.jpg\" \/><\/p>\n<p>Thermal image of \u201cpassw0rd\u201d 20 seconds after entry<\/p>\n<p>Computer Science Ph.D. students Tyler Kaczmarek and Ercan Ozturk from UC Irvine\u2019s Donald Bren School of Information and Computer Sciences (ICS), working with Chancellor\u2019s Professor of Computer Science Gene Tsudik, have exploited thermal residue from human fingertips to introduce a new insider attack, the Thermanator.<\/p>\n<p>\u201cIt\u2019s a new attack that allows someone with a mid-range thermal camera to capture keys pressed on a normal keyboard, up to one minute after the victim enters them,\u201d describes Tsudik. 
\u201cIf you type your password and walk or step away, someone can learn a lot about it after-the-fact.\u201d<\/p>\n<p>Their paper, \u201cThermanator: Thermal Residue-Based Post Factum Attacks On Keyboard Password Entry,\u201d outlines the rigorous two-stage user study they conducted, collecting thermal residues from 30 users entering 10 unique passwords (both weak and strong) on four popular commodity keyboards.<\/p>\n<p>As noted in the paper, results show that entire sets of key-presses can be recovered by non-expert users as late as 30 seconds after initial password entry, while partial sets can be recovered as late as one minute after entry. The study further revealed that hunt-and-peck typists are particularly vulnerable.<\/p>\n<p>Kaczmarek, Ozturk and Tsudik suggest some mitigation strategies, such as swiping your hands over the keyboard after password entry or selecting characters with the mouse. Regardless, based on the study results, they conclude that \u201cThermanator Attacks\u201d represent a new credible threat for password-based systems, noting that \u201cas formerly niche sensing devices become less and less expensive, new side-channel attacks move from \u2018Mission: Impossible\u2019 towards reality.\u201d<\/p>\n<p><img decoding=\"async\" title=\"Example of thermal emanations being recorded\" alt=\"Thermanator\" src=\"https:\/\/www.helpnetsecurity.com\/images\/posts2018\/thermal-emanation.jpg\" \/><\/p>\n<p>Example of thermal emanations being recorded<\/p>\n<h3>Developing a de-authentication prototype for \u201cLunchtime Attacks\u201d<\/h3>\n<p>The same research team also recently developed a novel technique aimed at mitigating \u201cLunchtime Attacks.\u201d Such attacks occur when an insider adversary takes over the authenticated state of a careless user who has left his or her computer unattended.<\/p>\n<p>Tsudik, Kaczmarek and Ozturk have come up with an unobtrusive and continuous biometric-based \u201cde-authentication,\u201d i.e., a means of 
quickly terminating the secure session of a previously authenticated user after detecting that user\u2019s absence.<\/p>\n<p>The paper, \u201cAssentication: User De-Authentication and Lunchtime Attack Mitigation with Seated Posture Biometric,\u201d presents a hybrid biometric based on the user\u2019s seated posture pattern. By instrumenting the seat and lower back of a standard office chair with 16 tiny pressure sensors, they found a way to capture a unique combination of physiological and behavioral traits to provide continuous user authentication (and de-authentication). Results from user experiments involving a cohort of 30 subjects show that Assentication yields very low false accept and false reject rates.<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[1],"tags":[],"class_list":["post-4524","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9AH7Q-1aY","_links":{"self":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/4524","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/comments?post=4524"}],"version-history":[{"count":0,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/4524\/revisions"}],"wp:attachment":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/media?parent=4524"}],"wp:term":[{"taxonomy":"category","
embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/categories?post=4524"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/tags?post=4524"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}