
Thermal attack

Thermal attacks can leak information about PINs and lock patterns entered on mobile devices. They leak not only the entered digits but also the order in which they were entered. Analysis of heat traces using computer vision can yield even more accurate results than visual inspection by the naked eye.

A thermal attack (aka thermal imaging attack) is an approach that exploits heat traces to uncover the entered credentials. These attacks rely on the phenomenon of heat transfer from one object to another. During authentication, heat transfers from the users' hands to the surface they are interacting with, leaving heat traces behind that can be analyzed using thermal cameras that operate in the far-infrared spectrum. These traces can be recovered and used to reconstruct the passwords.[1][2] In some cases, the attack can be successful even 30 seconds after the user has authenticated.[1]

Thermal attacks can be performed after the victim has authenticated, removing the need for in-situ observation attacks (e.g., shoulder surfing attacks), which can be hindered by hand occlusions. While smudge attacks can reveal the order of entries of graphical passwords, such as the Android Lock Patterns, thermal attacks can reveal the order of entries even in the case of PINs or alphanumeric passwords. Thermal attacks leak information about the order of entry because keys and buttons that the user touches first lose heat over time, while recently touched ones maintain the heat signature for a longer time. This results in distinguishable heat patterns that can tell the attacker which entry was entered first.

Thermal attacks were shown to be effective against plastic keypads, such as the ones used to enter credit card PINs in supermarkets and restaurants,[2] and on handheld mobile devices such as smartphones and tablets.[1]

In their paper published at the Conference on Human Factors in Computing Systems (CHI 2017), Abdelrahman et al. showed that the attack is feasible on today's smartphones. They also proposed some ways to mitigate the attack, such as swiping randomly on the screen to distort the heat traces, or forcing maximum CPU usage for a few seconds.

Thermal attacks can also infer passwords from heat traces on keyboards. Researchers at the University of Glasgow[3] showed that attackers who use AI methods can be more effective in performing thermal attacks. Their study presents a new tool called ThermoSecure and evaluates it in two user studies. The results show that ThermoSecure can successfully attack passwords with an average accuracy of 92% to 55%, depending on the length of the password. The effectiveness of thermal attacks also depends on typing behavior and the material of the keycaps. ABS keycaps, which retain heat traces longer, are more vulnerable to thermal attacks. The study also discusses ways to protect against thermal attacks and presents seven potential mitigation approaches.

Dr Khamis, who led the development of the technology with Norah Alotaibi and John Williamson, said that with thermal imaging cameras more affordable than ever and machine learning becoming more accessible, it was "very likely that people around the world are developing systems along similar lines to ThermoSecure in order to steal passwords".[4]

Thermal Attack Mitigation

Simple and Practical Measures

One basic and effective way to mitigate thermal attacks is to deliberately create heat noise over the input interface, such as a keypad or keyboard, after entering a password. For instance, placing one's palm over the entire interface for a few seconds after use can obscure the thermal pattern left by the fingers, making it much more difficult for an unauthorized user to interpret the heat traces.

Range of Proposed Strategies

In addition to simple methods, researchers have developed a spectrum of mitigation strategies to counter thermal attacks.[5] These strategies encompass 15 different approaches including:

  • Use of Biometrics: Replacing traditional PIN codes or passwords with biometric authentication, such as fingerprint recognition or facial recognition, eliminates the issue of residual heat on keypads.
  • Heating the Interface: Implementing technology to slightly warm up the keypad can effectively neutralize the heat traces left by fingers, preventing thermal cameras from capturing the pattern.
  • Randomizing Key Layouts: Employing dynamic key layouts that change positions every time the interface is used makes it impossible to correlate heat patterns with static input positions.
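
The randomized key layout mitigation from the list above can be sketched as follows. This is an added example, not code from the cited papers or from any payment terminal; the names `shuffled_layout`, `PinPadSession`, `distinct_touch_sequences` and `read_with_static_layout` are hypothetical, the PIN is a constructed sample, and the sketch assumes the layout is cleared from the display as soon as entry completes.

```python
import secrets

DIGITS = "0123456789"

def shuffled_layout():
    """Return the digits in random order; index = physical key position."""
    keys = list(DIGITS)
    # Fisher-Yates shuffle driven by the OS CSPRNG so layouts are unpredictable.
    for i in range(len(keys) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        keys[i], keys[j] = keys[j], keys[i]
    return keys

class PinPadSession:
    """One PIN entry: a fresh layout is drawn and discarded with the session."""

    def __init__(self):
        self.layout = shuffled_layout()
        self._entered = []

    def press(self, position):
        # The touch sensor reports a position; the layout maps it to a digit.
        if not 0 <= position < len(self.layout):
            raise ValueError("no key at that position")
        self._entered.append(self.layout[position])

    def entered_pin(self):
        return "".join(self._entered)

    def positions_for(self, pin):
        """Positions a user touches for `pin` under this session's layout."""
        return tuple(self.layout.index(d) for d in pin)

def distinct_touch_sequences(pin, sessions):
    """Count how many different position sequences one PIN produces."""
    return len({PinPadSession().positions_for(pin) for _ in range(sessions)})

def read_with_static_layout(positions):
    """Interpret touched positions as if the pad used the fixed 0-9 order."""
    return "".join(DIGITS[p] for p in positions)

if __name__ == "__main__":
    pin = "4071"  # constructed sample PIN
    session = PinPadSession()
    touched = session.positions_for(pin)
    for p in touched:
        session.press(p)
    print("layout:", "".join(session.layout))
    print("touched:", touched, "-> terminal reads", session.entered_pin())
    print("static-layout reading:", read_with_static_layout(touched))
    print("distinct sequences in 200 sessions:", distinct_touch_sequences(pin, 200))
```

The terminal still recovers the correct PIN because it holds the session's layout, while the touched positions for the same PIN change from one session to the next.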

Technological Intervention on Thermal Cameras

Another avenue for mitigation is to address the issue at the source by modifying thermal cameras. Proposals have been made to develop thermal cameras that can automatically detect vulnerable interfaces such as keyboards or keypads.[6] When these interfaces are detected within the camera's field of view, the camera would be programmed to prevent the user from recording images of them.

This solution, however, would require widespread adoption by thermal camera manufacturers. Additionally, the approach is particularly viable for thermal cameras connected to a computing device, such as a smartphone, which can process the images in real time. Many affordable thermal cameras are standalone and do not have connectivity or processing capabilities. However, thermal cameras designed for connection to mobile devices can utilize the smartphone's processing power, making this mitigation approach feasible for such devices.

References

  1. Abdelrahman, Yomna; Khamis, Mohamed; Schneegass, Stefan; Alt, Florian (2017-05-02). Stay Cool! Understanding Thermal Attacks on Mobile-based User Authentication (PDF). ACM. pp. 3751–3763. doi:10.1145/3025453.3025461. ISBN 9781450346559. S2CID 1419311.
  2. Mowery, Keaton; Meiklejohn, Sarah; Savage, Stefan (2011-08-08). "Heat of the moment: characterizing the efficacy of thermal camera-based attacks". USENIX Association: 6.
  3. Alotaibi, Norah; Williamson, John; Khamis, Mohamed (15 September 2022). "ThermoSecure: investigating the effectiveness of AI-driven thermal attacks on commonly used computer keyboards" (PDF). ACM Transactions on Privacy and Security. 26 (2): 1–24. doi:10.1145/3563693. S2CID 252222915. Retrieved 20 December 2022.
  4. Barker, Dan. "Heat from fingertips can be used to crack passwords, researchers find". The Independent. Retrieved 20 December 2022.
  5. Marky, Karola; Macdonald, Shaun; Abdrabou, Yasmeen; Khamis, Mohamed. "In the Quest to Protect Users from Side-Channel Attacks – A User-Centred Design Space to Mitigate Thermal Attacks on Public Payment Terminals" (PDF). USENIX Security.
  6. "Thermal Imaging Attacks".