Thermal (and Hybrid Thermal/Audio) Side-Channel Attacks on Keyboard Input
Tyler Kaczmarek, Ercan Ozturk, Pier Paolo Tricomi, Gene Tsudik

TL;DR
This paper demonstrates that thermal and hybrid thermal/audio side-channel attacks can effectively recover passwords from keyboards within seconds after entry, revealing significant security vulnerabilities in common plastic keyboards.
Contribution
It introduces Thermanator, a thermal side-channel attack, and AcuTherm, a hybrid attack combining thermal and acoustic data, both showing practical password recovery methods.
Findings
Thermal residues allow password recovery up to 30 seconds after entry
Hybrid thermal/audio attacks improve password guessing accuracy
Plastic keyboards are more vulnerable to side-channel attacks than previously thought
Abstract
To date, there has been no systematic investigation of thermal profiles of keyboards, and thus no efforts have been made to secure them. This serves as our main motivation for constructing a means for password harvesting from keyboard thermal emanations. Specifically, we introduce Thermanator: a new post-factum insider attack based on heat transfer caused by a user typing a password on a typical external (plastic) keyboard. We conduct and describe a user study that collected thermal residues from 30 users entering 10 unique passwords (both weak and strong) on 4 popular commodity keyboards. Results show that entire sets of key-presses can be recovered by non-expert users as late as 30 seconds after initial password entry, while partial sets can be recovered as late as 1 minute after entry. However, the thermal residue side-channel lacks information about password length, duplicate…
Taxonomy
Topics: User Authentication and Security Systems · Physical Unclonable Functions (PUFs) and Hardware Security · Electrostatic Discharge in Electronics
