After entering a password, your regular computer keyboard might appear to look the same as always, but a new approach harvesting thermal energy can illuminate the recently pressed keys, revealing that keyboard-based password entry is even less secure than previously thought. Computer Science Ph.D. students Tyler Kaczmarek and Ercan Ozturk in the Donald Bren School of Information and Computer Sciences (ICS), working with Chancellor’s Professor of Computer Science Gene Tsudik, have exploited thermal residue from human fingertips to introduce a new insider attack — the Thermanator.

“It’s a new attack that allows someone with a mid-range thermal camera to capture keys pressed on a normal keyboard, up to one minute after the victim enters them,” describes Tsudik. “If you type your password and walk or step away, someone can learn a lot about it after-the-fact.”

Their paper, “Thermanator: Thermal Residue-Based Post Factum Attacks On Keyboard Password Entry,” outlines the rigorous two-stage user study they conducted, collecting thermal residues from 30 users entering 10 unique passwords (both weak and strong) on four popular commodity keyboards. As noted in the paper, results show that entire sets of key-presses can be recovered by non-expert users as late as 30 seconds after initial password entry, while partial sets can be recovered as late as one minute after entry. The study further revealed that hunt-and-peck typists are particularly vulnerable.

Kaczmarek, Ozturk and Tsudik suggest some mitigation strategies, such as swiping your hands over the keyboard after password entry or selecting characters with the mouse. Regardless, based on the study results, they conclude that “Thermanator Attacks” represent a new credible threat for password-based systems, noting that “as formerly niche sensing devices become less and less expensive, new side-channel attacks move from ‘Mission: Impossible’ towards reality.”

— Shani Murray