Is it possible to steal a password using a thermal camera?


When talking about security, and specifically about password theft, the danger is usually associated with sophisticated methods for exploiting vulnerabilities. However, attackers do not necessarily need to take that route.

An analysis focused on so-called “side channel attacks”, which make use of less common indirect signals, explores how feasible it is to steal a password by taking a picture of a keyboard using a thermal camera.

Thermal cameras used as a password stealing tool

When asked whether it is possible to steal passwords using this method, the short answer is yes. However, there are some details that reduce the attacker's chances of success, according to one of the security firm Kaspersky's recent studies.

Take the case of an ATM, illustrated in the images attached to this note and shared in the aforementioned report: the attacker must act quickly.

After the machine has been used, a thermal camera can identify which keys were pressed. If the attacker takes the photo within 30 seconds of use, there is a 50% chance of guessing the numeric code. After that period, the chances drop considerably.

It should be noted that the attached thermal image, which clearly shows which keys were pressed, was taken immediately after using the keyboard. The maximum waiting time to obtain a useful image for the attacker is 90 seconds, with extremely low chances of success, almost zero.

Taking as a reference 54 studies previously carried out on this methodology, which has been the subject of analysis for more than 15 years by cybersecurity specialists, in approximately half of the cases observed it was possible to identify the buttons pressed, but not the correct numerical sequence. In fact, the correct PIN code was retrieved in only 10% of cases.


If every combination of the available digits is tried, there are up to 10,000 possible number sequences. If, on the other hand, the 4 digits of the password are known, the number of possible combinations drops to 24. Even so, this reduction is no great guarantee for attackers, because banks generally block cards after the third failed attempt.
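The arithmetic above, generalised to PINs with repeated digits and combined with the three-attempt lockout, as an added example that is not part of the original article or of the Kaspersky study. It assumes the observer learns only which keys were pressed (not their order) and guesses uniformly at random; the function names and sample key sets are constructed for illustration.

```python
from itertools import product

def candidate_pins(pressed, length=4):
    """Every PIN of `length` digits that uses each observed key at least
    once and no other key (order unknown to the observer)."""
    keys = set(pressed)
    return ["".join(p) for p in product(sorted(keys), repeat=length)
            if set(p) == keys]

def guess_probability(n_candidates, attempts=3):
    """Chance of hitting the PIN before the card is blocked, assuming
    uniformly random guesses without repetition."""
    if n_candidates == 0:
        return 0.0
    return min(attempts, n_candidates) / n_candidates

def residual_risk(pressed, length=4, attempts=3):
    """(candidate count, success probability) for one set of warm keys."""
    n = len(candidate_pins(pressed, length))
    return n, guess_probability(n, attempts)

if __name__ == "__main__":
    # Baseline: nothing known about the PIN, 10,000 sequences.
    print(f"no thermal image : 10000 candidates, "
          f"p = {guess_probability(10_000):.4f}")
    # Constructed key sets: 4, 3, 2 and 1 distinct warm keys.
    for pressed in ("1379", "137", "13", "1"):
        n, p = residual_risk(pressed)
        print(f"keys {pressed:<4} warm   : {n:>5} candidates, p = {p:.4f}")
```

A PIN with one repeated digit leaves 36 candidates rather than 24, so under a three-attempt lockout it is slightly harder to guess from a heat trace than a PIN with four distinct digits, while a PIN made of a single repeated digit is fully exposed.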

With mobile phones protected by a numeric code the situation is similar, but with unlock patterns a potential intrusion is more likely, also considering that the marks left by fingers on the screen can serve as a guide.

In the case of a computer keyboard, the possibility of a password being guessed is greater. Provided the thermal photograph is taken within the time window in which it is useful, the attacker's chances of success increase if automated tools are used to compare the possible characters against databases of common passwords. In view of this, it is essential to use strong passwords, which reduce the probability of success of these attacks.

The first commercially available thermal cameras cost thousands of euros. Now, depending on their technical qualities, they can be purchased for just hundreds, which, despite the complexity of the attacks in which they can be used, still increases the probability of such attacks being carried out.

This analysis comes in the midst of an active debate on the use of passwords, which has brought together various actors in the technology sector looking for a safer alternative that is resistant not only to this type of attack, but also to phishing and other more common cases.