An age-old vulnerability of physical keypads is visibly worn keys. For example, a number pad with numbers clearly worn from repeated use provides an attacker with a clear starting point. The same concept can be applied to keyboards by using a thermal camera with the help of machine learning, but we’ve found that some types of keys and typing styles are harder to read than others.
Touching the keys with your fingertips generates a slight amount of body heat, which is detected by the temperature sensor. I’ve seen this basic approach in use since at least 2005, but two things have changed since then. Thermal cameras have become much more commonplace. Researchers have found that combining thermal reading and machine learning can pull out the hardest details. It’s subtle to find with just the human eye and judgment.
Here is a link to the University of Glasgow research and findings. This shows that even a 16 symbol password can be attacked with an average accuracy of 55%. Short passwords are much easier to crack, and the system hits his 6-symbol and 8-symbol passwords with 92% to 80% accuracy, respectively. In this study, temperature readings were taken up to 1 minute after the password was entered, although earlier readings are more accurate.
Some things make things difficult for the system. A fast typist has less time to touch the keys, so less heat is transferred when touching them, making the task a little more difficult. Interestingly, the keycap material plays a big role. ABS keycaps retain heat far It’s more effective than PBT (a material often found in custom keyboard builds like this one), and we’ve also found that the slight heat from the LEDs in backlit keyboards can effectively interfere with temperature readings. I’m here.
Interestingly, this sort of very modern attack is completely useless against a scramblepad. A scramble pad is a vintage device that confuses which number matches which button every time you use the pad. Thermal imaging and machine learning can tell which buttons were pressed and in what order, but it still doesn’t help! When it comes to security, technology is important, but the fundamentals can be more important. Remember that there is
