Security researchers from the University of California have combined images from a thermal imager and recorded typing noise to reconstruct passwords.
Professor Gene Tsudik's team calls the insider attack it demonstrated “Thermanator”: the researchers from the University of California used a commercially available thermal imaging camera (FLIR SC620) to photograph a keyboard on which a potential victim had just entered a password.
Since plastic is a poor conductor of heat, the heat transmitted from the fingertips makes the pressed keys visible for up to 60 seconds after the input. With metal keyboards, as are sometimes used by gamers, the attack does not work. The presentation took place at the hacker event Black Hat Asia.
The maximum time for which the full set of keystrokes can still be detected depends, among other things, on the size of the fingers and the ambient temperature. According to Mr. Tsudik, all prints are still visible after 30 seconds; after 60 seconds, parts of the heat traces still are. The results are worse with ten-finger typists because the heat given off by the heel of the hand distorts the results.
Heat Meets Sounds
Since the thermal image reveals neither repetitions nor the order of the input, the researchers used a microphone to record the sounds of the keystrokes, which provide information about the sequence and about repeatedly pressed keys.
Using various methods, including machine learning and the Mel Frequency Cepstral Coefficients used for speech recognition, the researchers combine the information from image and sound. Part of their work is based on a previous Black Hat lecture in which Daniele Lain reconstructed the typed text by analyzing the typing noise.
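To show why the missing order and repetitions matter for password risk, the following added example (not the researchers' code) counts how many candidate passwords remain once the set of pressed keys is known, with and without a keystroke count. It assumes a 36-key alphabet (lowercase letters and digits) and models the audio as revealing only the number of keystrokes; both are simplifications made here.

```python
from math import comb, log2

ALPHABET = 36  # assumption: lowercase letters and digits only


def orderings(distinct_keys: int, keystrokes: int) -> int:
    """Sequences of `keystrokes` presses that use each of the
    `distinct_keys` known keys at least once (inclusion-exclusion)."""
    k, n = distinct_keys, keystrokes
    return sum((-1) ** j * comb(k, j) * (k - j) ** n for j in range(k + 1))


def thermal_only(distinct_keys: int, max_len: int) -> int:
    """Key set known from the heat traces, but repeats are invisible,
    so every length from `distinct_keys` up to `max_len` is possible."""
    return sum(orderings(distinct_keys, n)
               for n in range(distinct_keys, max_len + 1))


def bits(candidates: int) -> float:
    """Guessing resistance in bits for a candidate count."""
    return log2(candidates) if candidates > 0 else float("-inf")


def report(distinct_keys: int, keystrokes: int, max_len: int) -> dict:
    """Remaining search space under three leak scenarios."""
    return {
        "no_leak": ALPHABET ** keystrokes,
        "thermal_only": thermal_only(distinct_keys, max_len),
        "thermal_plus_count": orderings(distinct_keys, keystrokes),
    }


if __name__ == "__main__":
    # Constructed case: 8-character password touching 6 distinct keys,
    # with an assumed policy maximum of 8 characters.
    for name, count in report(6, 8, 8).items():
        print(f"{name:20s} {count:>16,d} candidates {bits(count):5.1f} bits")
```

For the constructed case, knowing the six keys cuts roughly 41 bits of guessing resistance to under 18, which is why the length and character set of a password offer little protection once the pressed keys are exposed.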
Higher Success Rate On Logitech Keyboard
The professor cannot explain why the probability of correct input was highest, at 87 percent, when the victim typed on a Logitech keyboard. The keyboards from Azio and Dell, which were also used, produced less meaningful results.
Randomly generated or complex passwords were not used. According to Tsudik, the subjects could not remember these passwords, which led to atypically delayed input and, in turn, to unreliable acoustic analysis.