THERMAL AND HYBRID THERMAL AUDIO SIDE-CHANNEL ATTACKS ON KEYBOARD INPUT Tyler Kaczmarek
2025-05-06
0
0
3.01MB
28 页
10玖币
侵权投诉
THERMAL (AND HYBRID THERMAL/AUDIO) SIDE-CHANNEL
ATTACKS ON KEYBOARD INPUT
Tyler Kaczmarek
MIT Lincoln Labs
MA, USA
Kaczmarek@ll.mit.edu
Ercan Ozturk
University of California, Irvine
CA, USA
ercano@uci.edu
Pier Paolo Tricomi
University of Padua
Padua, Italy
tricomi@math.unipd.it
Gene Tsudik
University of California, Irvine
CA, USA
gene.tsudik@uci.edu
ABSTRACT
To date, there has been no systematic investigation of thermal profiles of keyboards, and thus no efforts
have been made to secure them. This serves as our main motivation for constructing a means for
password harvesting from keyboard thermal emanations. Specifically, we introduce
Thermanator
:
a new post-factum insider attack based on heat transfer caused by a user typing a password on a
typical external (plastic) keyboard. We conduct and describe a user study that collected thermal
residues from
30
users entering
10
unique passwords (both weak and strong) on
4
popular commodity
keyboards. Results show that entire sets of key-presses can be recovered by non-expert users as late
as
30
seconds after initial password entry, while partial sets can be recovered as late as
1
minute
after entry. However, the thermal residue side-channel lacks information about password length,
duplicate key-presses, and key-press ordering. To overcome these limitations, we leverage keyboard
acoustic emanations and combine the two to yield
AcuTherm
, the first hybrid side-channel attack on
keyboards.
AcuTherm
significantly reduces password search without the need for any training on the
victim’s typing. We report results gathered for many representative passwords based on a user study
involving 19 subjects.
The takeaway of this work is three-fold: (1) using plastic keyboards to enter secrets (such as passwords
and PINs) is even less secure than previously recognized, (2) post-factum thermal imaging attacks
are realistic, and (3) hybrid (multiple side-channel) attacks are both realistic and effective.
Keywords Side-Channel ·Thermal Images ·Acoustic Emanations ·Hybrid Attack ·Password ·Security ·Keyboard
1 Introduction
Insider attacks are very common, estimated to account for
≈28%
of all electronic crimes in industry [
1
]. This includes
some high-profile attacks, such as the 2014 Sony hack [
2
]. The danger of insider attacks mainly stems from the fact
that insiders often have privileged access. More importantly, insider attackers might be able to surreptitiously obtain
credentials of their coworkers/colleagues, thus allowing lateral movement. Such credential theft attacks occur because
the attacker’s current privileges are insufficient to complete planned malicious tasks [
3
], or the attacker’s goal is to
evade accusations by putting the blame on others.
Since passwords are still the most common type of credentials, they are a major target for insider attackers. The danger
of password compromise attacks are amplified because: (1) people often use the same password on multiple systems,
and (2) most systems support “Forgot password?” schemes (to update or recover passwords) using the original email
account, which is often in a logged-in state due to convenience.
arXiv:2210.02234v1 [cs.CR] 5 Oct 2022
At the same time, it is well known that the security of a system is based on its weakest link. Furthermore, it is often
assumed that the involvement of a fallible (or simply gullible) human user corresponds to this weakest link, e.g., as in
Shoulder-Surfing and Lunch-Time attacks [
4
]. However, other insider attacks that focus on stealing passwords by
compromising the user environment, e.g., Acoustic Emanations [
5
,
6
,
7
] or Keyboard Vibrations [
8
], show that the
weakest link is a consequence of certain laws of Physics in the form of side-channels.
Although side-channels can be effective (with optimal environmental conditions, equipment and time), information
gleaned from them are usually incomplete, thus still leaving the attacker with a sizeable password search space. One
intuitive way to reduce the attacker’s search space is to combine multiple side-channels.
In this paper, we introduce Thermanator, a novel thermal residue side-channel attack on passwords entered on external
keyboards, and evaluate its efficacy. We then supplement the thermal side-channel with its audio counterpart (via
keyboard acoustic emanations) to yield
AcuTherm
, the first hybrid side-channel attack. Sections 1.1 and 1.2, overview
these two side-channels.
1.1 Heat Transfer & Thermal Emanations
Any time two objects with unequal temperatures come in contact with each other, an exchange of heat occurs. This
is unavoidable. Being warm-blooded, human beings naturally prefer environments that are colder than their internal
temperature. Because of this heat disparity, it is inevitable that we leave thermal residue on numerous objects that we
routinely touch, especially, with bare fingers. Furthermore, it takes time for these heated objects to cool off and lose
heat energy imparted by human contact. It is both not surprising and worrisome that this includes our interactions with
keyboards that are used for entering sensitive private information, such as passwords.
Based on this observation, we consider a mostly unexplored attack space where heat transfer and subsequent thermal
residue can be exploited by a clever adversary to steal passwords from a keyboard some time after it was used for
password entry. The main distinctive benefit of this attack type is that adversary’s real time presence is not required.
Instead, a successful attack can occur with after-the-fact adversarial presence: as our results show, many seconds later.
While there has been some prior work on using thermal emanations to crack PINs, mobile phone screen-locks and
opening combinations of vaults/safes [
9
,
10
,
11
,
12
], this work represents the first comprehensive investigation of
human-based thermal residues and emanations of external computer keyboards.
1.2 Keyboard Acoustics
Acoustic side-channel attacks rely on unique sounds produced during the processing of a secret to gather information.
Previous work includes recovering various types of secrets, such as printed texts [
13
], 3D-printed objects [
14
] and
cryptographic keys [15].
Generally, acoustic side-channel attacks against password entry are based on the sounds produced by pressed keys on a
keyboard. These sounds were shown to be distinct [
5
], allowing an attacker to differentiate among pressed keys and
thus recover passwords, even in a remote VoIP setting [
7
]. In addition, inter-keystroke timings can be used to reduce
password search space [16, 17] via various statistical techniques to determine likely candidate key-pairs. If dictionary
passwords are used, methods similar to those in [
6
] can be used due to the underlying base language properties. For
random passwords, dictionaries are not applicable, since they lack the structure that can be used to reduce password
search space. [
18
] investigates this phenomenon and suggests a brute-force password search mechanism based on 5
best-guesses for each key in the password, similar to the one in [7].
Unfortunately, acoustic side-channels often involve a lengthy training phase (i.e., profiling) of victim’s typing style
and provide incomplete information on the target secret, e.g., inter-keystroke timings can be same for many different
key-pairs. Moreover, extrapolating information obtained from individual key-pairs to passwords presents a challenge
that was only investigated with ad-hoc methods [18, 7].
1.3 Expected Contributions
In this paper, we propose and evaluate a new human-based side-channel attack class, Thermanator, based on thermal
residue left behind by a user (victim) who enters a password using a typical external keyboard. Shortly after password
entry, the victim either steps away inadvertently, or is drawn away (perhaps as a result of being prompted by the
adversary) from their personal workplace. Then, the adversary captures thermal images of the victim keyboard. We
examine the efficacy of Thermanator Attacks for a moderately sophisticated adversary equipped with a mid-range
thermal imaging camera.
2
To assess viability of Thermanator Attacks, we conducted a rigorous two-stage user study. The first stage collected
password entry data from 31 subjects using 4 common keyboards. In the second stage, 8 non-expert subjects acted as
adversaries and attempted to derive the set of pressed keys from the thermal imaging data collected in the first stage. Our
results show that even novice adversaries can use thermal residues to reliably determine the entire set of key-presses
up
to 30 seconds
after password entry. Furthermore, they can determine a partial set of key-presses as long as a full minute
after password entry. We provide a thorough discussion of the implications of this study, and mitigation techniques
against Thermanator Attacks. Furthermore, in the course of exploring Thermanator Attacks, we introduce a new
post factum adversarial model.
Due to inconsistencies in typing, we further find that thermal residue side-channel is not perfect, as it lacks information
about password length, duplicate key-presses and key-press orderings. Inspired by these challenges, we utilize another
(audio) side-channel within the same insider attacker model. This prompts a new challenge in terms of how to combine
these two side-channels. To this end, we design a general side-channel combination technique and describe a new hybrid
attacker model. We also introduce
AcuTherm
attack which leverages both thermal residue and keyboard acoustics
side-channels. This attack closely corresponds to real-world insider attacks, i.e., no dictionaries – which happens if
random passwords are used, and no prior acoustic typing data of the victim. We evaluate this attack over numerous
samples from 19 subjects entering representative passwords. Even with such limited capabilities,
AcuTherm
greatly
reduces the password search space.
Organization.
Section 2 gives the background for the paper. Section 3 introduces the adversarial models and Sections 4
and 5 describe our methodology for exploiting individual side-channels and combination thereof. Section 6 presents our
results which is followed by discussions, related work and conclusion – Sections 7, 8, and 9, respectively.
2 Thermal Background
This section provides some background on the physics of the thermal side-channel used in our experiments. Since
keyboard acoustics have been extensively studied, we refer to [
5
] for a comprehensive discussion of keyboard acoustic
emanations.
We start with a glossary of terms, then describe the form factor and material composition of the modern 104-key
“Windows” keyboards, and finish with certain Physics concepts. Given familiarity with elements of Conductive Heat
Transfer and Newton’s Law of Cooling, Sections 2.1, 2.2, and 2.3 can be skipped with no loss of continuity.
2.1 Basic Thermal Terminology
• Joule (J) – Unit of energy Corresponding to 1Newton-Meter (N·m)
•
Kelvin (
K
) – Base unit of temperature in Physics. The temperature T in Kelvin (K) minus
273.15
yields the
corresponding temperature in degrees Celsius (◦C).
• Watt (W) – Unit of power corresponding to 1 Joule per second: ( J
s)
•
Conduction – Transfer of Thermal Energy caused by two objects in physical contact that are at different
Temperatures.
• Convection – Transfer of Thermal Energy caused by submerging an object in a fluid.
•
Heat Transfer Coefficient - Property of a fluid that determines rate of convective heat flow. Expressed in Watts
per square meter Kelvin: W
m2K
•
Specific Heat – Amount of Thermal Energy in Joules that it takes to increase temperature of
1
kg of material by
1K. Expressed in Joules over kilograms degrees Kelvin: J
kgK .
•
Thermal Conductivity – Rate at which Thermal Energy passes through a material. Expressed in Watts per
meters Kelvin: W
mK
• Thermal Energy – Latent energy stored in an object due to heat flowing into it.
•
Thermal Source – Object or material that can internally generate Thermal Energy such that it can stay at
constant temperature during a thermal interaction, e.g., a heat pump.
2.2 Heating via Thermal Conduction
Thermal Conduction is transfer of heat between any two touching objects of different temperatures. It is expressed as
the movement of heat energy from the warmer to the cooler object. We are concerned with transfer of energy from a
human fingertip to a pressed keycap. This transfer is governed by Fourier’s Law of heat conduction which states that:
3
Heat transfer between two objects can be modeled by the equation:
q=KA(T1−T2)t
d
, where
K
is
thermal conductivity
1
of the object being heated,
A
is area of contact,
T1
is initial temperature of
the hotter object,
T2
is initial temperature of the cooler object,
t
is time, and
d
is the thickness of the
object being heated.
The relationship between an object’s heat energy and its temperature is governed by the object’s mass and specific heat,
as dictated by the formula:
q=cm∆T
, where
q
is total heat energy,
c
is object’s specific heat,
m
is object’s mass and
∆Tis change in temperature.
We consider the human body to be a thermal source, and we assume that any change in the fingertip temperature during
the (very short) fingertip-keycap contact period is negligible, due to internal heat regulation [
19
]. Furthermore, we
assume that:
• Average human skin temperature is 307.15K(= 34◦C) [20].
•
Keyboard temperature is the same of that as that of the air, which, for a typical office, is OSHA
2
-recommended
294.15K(= 21◦C) [21].
•
Keycap area is 0.00024025
m2
, keycap thickness is 0.0015 meter and keycap mass is
.4716g
(See: Section 2.4).
• Average duration of a key-press is 0.28s [22].
Therefore, for variables mentioned above, we have:
K=0.25, A=0.00024025, T1=34, T2=21, t=0.28, and d=0.0015
Plugging these values into Fourier’s Law, we get:
q=(0.25)(0.00024025)(34 −21)(.28)
0.0015 (1)
which yields total energy transfer:
q= 0.1458
J. We then use total energy
q
in the specific heat equation to determine
total temperature change:
0.1458 = (1000)(0.0004716)∆T
. This gives us a total temperature change of
∆T= 0.3092
.
Therefore, we conclude that the average human fingertip touching a keycap at the average room temperature results in
the keycap heating up by 0.3092K.
2.3 Cooling via Thermal Convection
After a keycap heats up as a result of conduction caused by a press by a warm(er) human finger, it begins to cool off
due to convective heat transfer with the air in the room. Convection is defined as the transfer of heat resulting from
the internal current of a fluid, which moves hot (and less dense) particles upward, and cold (and denser) particles –
downward. This interaction is governed by Newton’s Law of Cooling. Its particulars are impacted by the shape and
position of the heated object. In our case, there is a plane surface
3
facing towards the cooling fluid (i.e., a keycap
directly exposed to ambient air) which is described by the formula:
T(t) = Ts+ (T0−Ts)e−κt (2)
where
T(t)
is temperature at time
t
,
Ts
is temperature of ambient air,
T0
is initial object temperature, and
κ
is the
cooling constant of still (non-turbulent) air over a 0.00024025m2plane.
This comes with the additional intuitive notion that a surface convectively cools quicker when the temperature difference
between the heated object and the fluid is higher. Similarly, it cools slower when the temperature difference is smaller.
Finally, Newton’s Law of Cooling is asymptotic, and cannot be used to find the time at which the object reaches the
exact temperature of the ambient fluid. Thus, instead of finding the time when the temperatures are equal, we determine
the time when the temperature difference falls below an acceptable threshold, which we set at
0.04K
. Plugging this
into Newton’s Law of Cooling results in:
t=−ln(0.3092
0.04 )
0.037 (3)
which yields
t= 55.7
for total time for a pressed key to cool down to the point where it is indistinguishable from the
room temperature.
1Kshould not be confused with K– degrees Kelvin.
2OSHA = Occupational Safety and Hazards Administration, a United States federal agency.
3The actual keycap surface can be slightly concave.
4
2.4 Modern Keyboards
Most commodity external keyboard models are of the 104-key “Windows” variety, shown in Figure 1. On such
keyboards, the distance between centers of adjacent keys is about
19.05
mm, and a typical keycap shape is an
≈
[15.5mm x 15.5mm x 1.5mm]
rectangular prism, with an average travel distance of
3.55mm
[
23
]; see Figure 2. All
such keyboards are constructed out of Polybutylene Terephthalate (PBT) with density of
1.31g/cm3
, resulting in an
average keycap mass of
.4716g
[
24
]. PBT generally has the following characteristics: specific heat =
1,000 J
kgK
and
thermal conductivity = 0.274 W
mK [24].
Figure 1: Typical “Windows”-style Keyboard. Figure 2: Typical Keycap Profile.
2.5 Thermal Cameras
In the past few years, many niche computational and sensing devices have moved from Hollywood-style fantasy into
reality. This includes thermal imagers or cameras. In order to clarify their availability to individuals (or agencies) at
different levels of sophistication, we provide the following brief comparison of several types of readily-available FLIR:
F
orward-
L
ooking
I
nfra-
R
ed devices. (See: Figure 3 for product images and
https://www.flir.com/products
for
full product specifications.) In the rest of the paper, we use the following terms interchangeably: FLIR device, thermal
imager and thermal camera.
Figure 3: FLIR Devices / Thermal Imagers: FLIR ONE(top left), SC620 (top right), A6700sc (bottom left) and X8500sc (bottom
right).
FLIR One
– Price: About US$
300
. Thermal Sensitivity:
0.15
K. Thermal Accuracy:
±1.5
K or
1.5%
of reading.
Resolution:50x80. Image Capture: Manual, 1image at a time. Video Capture: None
SC620
– Price: About US$
1500
(used). Thermal Sensitivity:
0.04
K Thermal Accuracy:
±2
K or
2%
of reading.
Resolution:
640x480
. Image Capture: Automatic, programmable to capture images by timer, or when specific
criteria are met, at maximum rate of 1image per second. Video Capture: None.
A6700sc
– Price: About US$
25,000
. Thermal Sensitivity:
0.018
K Thermal Accuracy:
±2
K or
2%
of reading.
Resolution:
640x512
. Image Capture: Automatic, programmable to capture images by timer or when specific
criteria are met, at up to 100fps. Video Capture: High speed, up to 100fps.
X8500sc
– Price: About US$
100,000
. Thermal Sensitivity:
0.02
K: Thermal Accuracy:
±2
K or
2%
of reading.
Resolution:
1280x1024
Image Capture: Automatic, programmable to capture images by timer or when
specific criteria are met, at up to 180fps. Video Capture: High speed, up to 180fps.
Obviously, a sufficiently motivated organization or a nation-state could easily obtain thermal imagers of the highest
quality and price. However, we assume that the anticipated adversary is of a mid-range sophistication level, i.e., capable
5
摘要:
展开>>
收起<<
THERMAL(ANDHYBRIDTHERMAL/AUDIO)SIDE-CHANNELATTACKSONKEYBOARDINPUTTylerKaczmarekMITLincolnLabsMA,USAKaczmarek@ll.mit.eduErcanOzturkUniversityofCalifornia,IrvineCA,USAercano@uci.eduPierPaoloTricomiUniversityofPaduaPadua,Italytricomi@math.unipd.itGeneTsudikUniversityofCalifornia,IrvineCA,USAgene.tsudik...
声明:本站为文档C2C交易模式,即用户上传的文档直接被用户下载,本站只是中间服务平台,本站所有文档下载所得的收益归上传人(含作者)所有。玖贝云文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。若文档所含内容侵犯了您的版权或隐私,请立即通知玖贝云文库,我们立即给予删除!
相关推荐
-
【词汇变形总汇】2025高考词汇变形总汇 - 教师版VIP免费
2024-12-06 3 -
【超简37页】新课标高考英语考纲3500词汇VIP免费
2024-12-06 4 -
《高考英语3500词详解》(WORD版)VIP免费
2024-12-06 13 -
《高考英语3500词详解》VIP免费
2024-12-06 11 -
高中英语-[教师版]80天通关高考3500词汇VIP免费
2024-12-06 12 -
高中人教选修7课文逐句翻译VIP免费
2024-12-06 7 -
高中人教选修7课文原文及翻译VIP免费
2024-12-06 13 -
高中人教必修4课文逐句翻译VIP免费
2024-12-06 8 -
高中人教必修4课文原文及翻译VIP免费
2024-12-06 13 -
高考英语核心高频688词汇VIP免费
2024-12-06 10
分类:图书资源
价格:10玖币
属性:28 页
大小:3.01MB
格式:PDF
时间:2025-05-06
作者详情
-
Voltage-Controlled High-Bandwidth Terahertz Oscillators Based On Antiferromagnets Mike A. Lund1Davi R. Rodrigues2Karin Everschor-Sitte3and Kjetil M. D. Hals1 1Department of Engineering Sciences University of Agder 4879 Grimstad Norway10 玖币0人下载
-
Voltage-controlled topological interface states for bending waves in soft dielectric phononic crystal plates10 玖币0人下载
相关内容
-
文科数学02-2024届新高三开学摸底考试卷(全国通用)(A4考试版)
分类:中学教育
时间:2025-05-11
标签:无
格式:DOCX
价格:10 玖币
-
文科数学02-2024届新高三开学摸底考试卷(全国通用)(A3考试版)
分类:中学教育
时间:2025-05-11
标签:无
格式:DOCX
价格:10 玖币
-
文科数学
分类:中学教育
时间:2025-05-11
标签:无
格式:PDF
价格:10 玖币
-
文科答题卡
分类:中学教育
时间:2025-05-11
标签:无
格式:PDF
价格:10 玖币
-
文科答案
分类:中学教育
时间:2025-05-11
标签:无
格式:PDF
价格:10 玖币
渝公网安备50010702506394
