Researchers from the University of California at Irvine recently discovered and demonstrated a technique that involves the use of a thermal imaging camera to capture heat traces left by human fingertips as they type passwords into a keyboard. In fact, their technique is effective for up to thirty seconds after the user removes his hands from the keyboard.
Per the researchers, “Although thermal residue dissipates over time, there is always a certain time window during which thermal energy readings can be harvested from input devices to recover recently entered, and potentially sensitive information.”
The team tested their technique using off the shelf technologies, and on four different keyboards. Their findings indicated that a full password could be obtained by scanning for thermal residues on those keyboards, provided that the scan was taken within thirty seconds of the first key being pressed. After a full minute, it was still possible to obtain partial passwords.
They used an FLIR camera on a tripod set two feet from the keyboards being tested, and the results of their findings were published in a paper called simply, “Thermanator.”
FLIR makes a number of different camera models that can capture heat. Their most basic model, the FLIR One Pro is a $400 accessory available as a smartphone attachment. Some phones (like the CAT S61) ship with the FLIR module embedded in the technology.
The team noted that the ease with which a password could be detected in this manner had a lot to do with the typing style of the target being monitored. Passwords entered by “hunt and peck” typists could be gleaned between 19.5 and 31 seconds, while passwords entered by touch typists took upwards of 50 seconds to be gleaned.
Obviously, this is a fairly exotic form of attack. Although it utilizes off the shelf technology, it would require an extraordinary level of access to set the equipment up, and an extraordinary lack of vigilance on the part of security personnel not to detect the equipment in relatively short order. Even so, it’s certainly within the realm of possibility, and one more thing to be on guard against.