Slightly, as well as removing^H^H^H^H^H^H^H^Hdeleting characters, but the picture invariably shows the keys used, so it will in any case reduce the complexity of brute force attacks by several orders of magnitude.
Yes. Just hold your fingers over some random keys after inserting the card and wait to enter the pin. And after that just keep your hand over the keypad while you wait for the money.
(I work for over 10 years with thermal cameras and know the limits)
Physical access is often considered total access in the infosec community.
It implies the ability to, with enough prep time ahead of the actual physical access, inject malware through a physical interface (USB flash drive, rogue peripheral/HID, directly interfacing with an existing HID device), among others.
Edit: and in this case it includes planting cameras and other recording devices which can be assumed to have effectively limitless video/audio resolution.
It implies using your laptop in public, or typing in a keypad. And keypads tend to be used to separate public and private areas (and even worse, people leave the scene immediately after using it, making the attack even more inconspicuous).
Exactly. If the adversary has a camera pointed at your keyboard, they can even possibly attempt the more radical (and indefensible) “I literally recorded what you typed” attack. Scary stuff.
It seems like a limitation of this attack is that you must have the camera pointed at the keys ~1 minute from the last time it was used. (Presumably because the heat dissipates quite quickly.)
With that in mind a TOTP solution probably won't help, most systems that use 2FA will allow two adjacent codes to be considered valid to cope with "minor" clock-drift. If you're already using the computer 1 minute after the real owner has left it is possible you could reuse any valid code - if you captured it.
>It seems like a limitation of this attack is that you must have the camera pointed at the keys ~1 minute from the last time it was used. (Presumably because the heat dissipates quite quickly.)
An attacker could just stick a camera into a dark corner of a room and have it run perpetually. Video exfiltration might be an issue but certainly not insurmountable.
RE: your second point: that's true, but the point of TOTPs is that they expire before they can realistically be guessed (assuming rate limiting on the TOTP server).
I wouldn't be surprised... Seeing how bad we generally are at infosec. But it'd definitely be against a sane totp spec to allow a "one time pass" more than once.
In general you should store the most recently accepted counter (or epoch timestamp) and never allow travel back in time. That allows for clock drift, if the time between authentication attempts is less than the otherwise accepted drift.
Typically this is allowed. Probably because otherwise the server would have to store and compare state, but also because otherwise the user could be locked out for 60s.
> but also because otherwise the user could be locked out for 60s.
I don't see this. Note that it's not about rate limiting unsuccessful attempts (which obviously should be done to some extent) but not allowing the valid OTP to be used twice. In the worst case once the user logged in he can't login from an other device for 60s. Not a huge limitation. Also AFAIK 30s rotation of the OTP is more common/standard.
I think the argument here is that, since it can happen 30s later, you could enter your password, look at the screen, lock your screen & walk away, without being safe. Imagine a location where the mobo itself is secure enough to prevent anyone from quickly inserting something, but anyone could have quick access to the keyboard & monitor.
In that (highly contrived) situation, this attack is useful, since all you'd need is a quick thermal pic, no longer recording needed.
One can easily attach a long tele lens to one of these cameras, so one could capture passwords through windows. Specialized IR lenses are expensive, but regular lenses can do a good enough job.
Edit: my bad IR doesn't go through most glass material. Still, laptops are commonly used in public, and through lenses or otherwise, your password can be leaked. That's worrying enough to stop the "physical access means total access" adagio in this thread.
Good IR tele lenses are not just expensive, the don't even have prices, they have "phone numbers".
So you would have to get money from really a lot of people just to pay they IR camera and the lenses.
I thought I read about this thing a long time ago, maybe on Brian Krebs' blog (?) but I can't find it. It was in the context of ATMs but the idea seems the same.
All I can find at the moment, also on ATMs, is this from last year:
EDIT:
That paper is actually cited in this work. They don't discuss the novelty of their approach compared to this though. Just a bigger search space due to more keys?
I always heard you should type your PIN at the ATM, then touch all of the buttons a bunch to block this ability. That way they only see that all the buttons were touched, not your PIN. Especially important now that thermal cameras (crappy ones) are pretty cheap.
Two reasons: if the bank can convince the court that you withdrew the money you are stuck with the lass. Even if the bank does suck up the loss, you will be out your own money for several months while they investigate (they could be the police or the bank)
at first, this seems completely harmless, but there are a few scenarios in which this could potentially be a viable attack.
I doubt it's much use on computers, but imagine someone rigging a candid infrared camera across the street from an ATM. You'd block the cameras view while typing, but then you leave and it's game over.
It also generates IR by itself. It wouldn't be a big problem to carry out the attack, as long as the keypad isn't reflecting any strong IR source towards the camera.
replace ATM with the CC terminal in your favorite foodtruck then. this is even better, since you're not likely to type in a withdrawal amount into those (and thus adding noise by pressing more keys)
A debit card can be used as a credit card at a CC terminal. No PIN and no transaction fee. I don't think you'll find many people typing a PIN into a CC terminal in the wild.
AFAIK it's mostly in the US that using cards don't always require PINs. Here in Canada I have to enter my PIN whether it's my credit or debit card, for every purchase at a CC terminal. The only exception is if I'm using contactless payment. This was also true in Europe last I checked.
Whenever possible I type in the PIN with a house key or car key. That way there's little, if not none at all, heat left behind and I don't have to contact a germ-laden touchpad. #germaphobe
I do something similar but I think it's far more likely that a cheap webcam is positioned where it can view the keypad of those who don't screen it well. I always throw in a few "phantom" keypresses when entering a pin for my cc or bank card.
A thermal camera that have enough resolution to get individual keys from across the street is not gonna be cheap, A 1.8Mpx @30Hz is above $20k without lens.
I think you missed my point. If you use a key more than once, heat can't be used to figure out the first time that key was pressed. Only the second press of it can be deduced.
Apparently the attacker has never seen my macbook air running a heavy compilation job. Fan is cranked and the keyboard is so hot that there is no way they are getting my password!
I was half making a joke... but I believe if you have a large external thermal source or sink the time for keys to renormalize would be dramatically shorter.
True story: A friend who was a heavy smoker asked me to fix his computer. I went to his house and saw the beige desktop and CRT were stained tobacco brown from second hand smoke. After fixing his "screen's all blurry" problem with some Windex I was ready to go in and see what kind of spyware and viruses he had managed to install on the machine.
I was about to ask for his password when I noticed the only spots not covered in ashes on his keyboard were the W, S, C, B, U, N, and I keys. Knowing he was a die hard Chicago Cubs fan it took me one try to guess the password: cubswin.
It was a nasty job but he was a good friend so I got his machine all straightened out for him without judgement.
What if you could say "Yeah boss, Thermanator is complete and ready to be unleashed." and mean it?
I spent thirty years turning in shit like "PrimitiveSpoofAttackDHCP" and "TCPThreadPoolFlooder" but now I'm realizing I couldve been writing bond villain superweapons all this time.
Clearly the naming is wrong anyway - while the terminator saw in monochrome (infra?)red, thermal vision surely points to Predator, not The Terminator...
I can wire my entire bank account away without any 2FA with online banking. My bank just started doing SMS verification for new devices but that's still not really enough. Like just get on the TOPT train and leave it alone.
Yes. I didn't really consider that. I was thinking more along the lines of an expiring token. If you had to punch it in, someone who came around and Thermanator'd it would always be too late.
> The research team argues that it may be time to move away from passwords as a means to secure user data and equipment.
Many people have expressed this sentiment. By all means we should be using two-factor authentication everywhere. But what, besides a password, has the critical property of residing entirely within your mind and not being obtainable without your cooperation (barring issues like this)?
Physical tokens can be stolen. Biometrics can be obtained and forged, or physically coerced. Authenticating via a secondary device (such as a phone) just moves the problem to "how do you authenticate to that device".
On the other hand, if you ever type in your password in a place where someone can record you, someone could figure out your password, or at least get enough information to make it easier to brute-force your password.
Short of a challenge-response scheme that you can compute entirely within your mind without scratch materials, what could we use that would address both problems? Something that can't simply be stolen or used without your cooperation, but that also isn't potentially disclosed in reusable form every time you use it?
So not sure what the Thermanator folks are adding here...
EDIT: Thermanator paper cites the UCSD research, focuses on qwerty keyboards, updated technology for thermal cameras, comparisons to other attack vectors for public password entry (when you are at coffee shop, airport, ATM etc.).
The oils on my fingers attack the print on my keyboard. After a few years the "home row" is very faded. Fortunately my password is not something I type enough other things that you can figure out passwords out based on this.
>Attackers need to be able to place a camera with thermal recording features near a victim, and the camera must have a clear view of the keys for the Thermanator attack to work.
Wouldn't be easier to just set up a regular video camera which can be the size of a jacket button?
At this point, I don't think it is viable to pretend that long lifetime secrets, like your bank PIN, are safe if entered into hundreds of different keypads in insecure settings.
93 comments
[ 3.0 ms ] story [ 172 ms ] thread(I work for over 10 years with thermal cameras and know the limits)
It implies the ability to, with enough prep time ahead of the actual physical access, inject malware through a physical interface (USB flash drive, rogue peripheral/HID, directly interfacing with an existing HID device), among others.
Edit: and in this case it includes planting cameras and other recording devices which can be assumed to have effectively limitless video/audio resolution.
With that in mind a TOTP solution probably won't help, most systems that use 2FA will allow two adjacent codes to be considered valid to cope with "minor" clock-drift. If you're already using the computer 1 minute after the real owner has left it is possible you could reuse any valid code - if you captured it.
An attacker could just stick a camera into a dark corner of a room and have it run perpetually. Video exfiltration might be an issue but certainly not insurmountable.
RE: your second point: that's true, but the point of TOTPs is that they expire before they can realistically be guessed (assuming rate limiting on the TOTP server).
In general you should store the most recently accepted counter (or epoch timestamp) and never allow travel back in time. That allows for clock drift, if the time between authentication attempts is less than the otherwise accepted drift.
I don't see this. Note that it's not about rate limiting unsuccessful attempts (which obviously should be done to some extent) but not allowing the valid OTP to be used twice. In the worst case once the user logged in he can't login from an other device for 60s. Not a huge limitation. Also AFAIK 30s rotation of the OTP is more common/standard.
In that (highly contrived) situation, this attack is useful, since all you'd need is a quick thermal pic, no longer recording needed.
Edit: my bad IR doesn't go through most glass material. Still, laptops are commonly used in public, and through lenses or otherwise, your password can be leaked. That's worrying enough to stop the "physical access means total access" adagio in this thread.
Basically double that of high end SLR lenses.
now please enter your non-SMS two-factor authentication code
https://www.albany.edu/iasymposium/proceedings/2017/Study%20...
EDIT: That paper is actually cited in this work. They don't discuss the novelty of their approach compared to this though. Just a bigger search space due to more keys?
I doubt it's much use on computers, but imagine someone rigging a candid infrared camera across the street from an ATM. You'd block the cameras view while typing, but then you leave and it's game over.
same thing goes, but they're rarely made of metal
Nothing but noise to a thermal camera...
I was about to ask for his password when I noticed the only spots not covered in ashes on his keyboard were the W, S, C, B, U, N, and I keys. Knowing he was a die hard Chicago Cubs fan it took me one try to guess the password: cubswin.
It was a nasty job but he was a good friend so I got his machine all straightened out for him without judgement.
The things I do for beer...
https://news.ycombinator.com/item?id=17416298 says "no Windex, as tempting as it might be!"
Are our jobs really this dull that we have to give our projects stupid hollywood names
What if you could say "Yeah boss, Thermanator is complete and ready to be unleashed." and mean it?
I spent thirty years turning in shit like "PrimitiveSpoofAttackDHCP" and "TCPThreadPoolFlooder" but now I'm realizing I couldve been writing bond villain superweapons all this time.
I wonder what other security issues / lessons I internalized from that game...
https://youtu.be/IMxZQ922rLs
Sorry, it sounds like a really good idea, but it just doesn't work very well in practise.
The users fingers don't sit on the keys long enough to transfer enough heat to last. Just use a standard video camera if this is your thing.
Many people have expressed this sentiment. By all means we should be using two-factor authentication everywhere. But what, besides a password, has the critical property of residing entirely within your mind and not being obtainable without your cooperation (barring issues like this)?
Physical tokens can be stolen. Biometrics can be obtained and forged, or physically coerced. Authenticating via a secondary device (such as a phone) just moves the problem to "how do you authenticate to that device".
On the other hand, if you ever type in your password in a place where someone can record you, someone could figure out your password, or at least get enough information to make it easier to brute-force your password.
Short of a challenge-response scheme that you can compute entirely within your mind without scratch materials, what could we use that would address both problems? Something that can't simply be stolen or used without your cooperation, but that also isn't potentially disclosed in reusable form every time you use it?
(Nope. My Nexus 5X unlocks no matter the orientation of my finger)
and references this 2011 UCSD paper Heat of the moment: characterizing the efficacy of thermal camera-based attacks
https://dl.acm.org/citation.cfm?id=2028058
So not sure what the Thermanator folks are adding here...
EDIT: Thermanator paper cites the UCSD research, focuses on qwerty keyboards, updated technology for thermal cameras, comparisons to other attack vectors for public password entry (when you are at coffee shop, airport, ATM etc.).
I always figured this could be an attack someday. But didn't know the tech was cheap enough/sensitive enough yet. I need to start being more paranoid.
It's a hygiene and security best practice.
Wouldn't be easier to just set up a regular video camera which can be the size of a jacket button?
http://lcamtuf.coredump.cx/tsafe/
and then dozen different iterations since then.
There is also thermochromic ink, e.g. a grey ink that changes to colourless at 15C. http://www.smarol.com/Ultraviolet-Fluorescent-Powder.html
At this point, I don't think it is viable to pretend that long lifetime secrets, like your bank PIN, are safe if entered into hundreds of different keypads in insecure settings.