A person's fingers leave thermal residue on keyboard keys that a malicious observer could record and later determine the text a user has entered on the keyboard, according to a recently published research paper by three scientists from the University of California, Irvine (UCI).
"It’s a new attack that allows someone with a mid-range thermal camera to capture keys pressed on a normal keyboard, up to one minute after the victim enters them," says UCI Computer Science Professor Gene Tsudik, one of the three researchers who worked on the paper.
"If you type your password and walk or step away, someone can learn a lot about it after-the-fact," Tsudik said.
Thermanator attack can recover passwords, PINs
The UCI team calls this attack Thermanator, and they say it can be used to recover short strings of text, may it be a verification code, a banking PIN, or password.
Attackers need to be able to place a camera with thermal recording features near a victim, and the camera must have a clear view of the keys for the Thermanator attack to work.
But when these conditions are met, an attacker, even a non-expert one, can recover a collection of keys the victim has pressed, keys which it can later assemble into possible strings to be used in a dictionary attack.
Passwords can be recovered up to 30 seconds after input
In laboratory experiments, the research team had 31 users enter passwords on four different keyboard types. UCI researchers then asked eight non-experts to derive the set of pressed keys from the recorded thermal imaging data.
The test showed that thermal data recorded up to 30 seconds after the password entry is good enough for a non-expert attacker to recover the entire set of keys pressed by a victim.
Attackers can recover partial key sets when the thermal data is recorded up to one minute after the key presses.
Researchers say that users who type using a "
hunt and peck" technique of pressing one key at a time with two fingers while continually looking at the keyboard are more susceptible to having their key presses harvested by this technique.
