AcuTherm: A Hybrid Attack on Password Entry Based on Both Acoustic and Thermal Side-Channels, presented at Black Hat Asia 2019

by Gene Tsudik, Tyler Kaczmarek, Ercan Ozturk, Pier Paolo Tricomi

Summary: Despite predictions of their demise and calls for their deprecation, passwords remain the most popular form of user authentication. Traditional password vulnerabilities stem from their storage and/or low entropy. However, in light of increasing insider threats, attacks on password entry have become quite realistic. Although obvious attacks, such as shoulder-surfing, can be addressed, subtler side channel-based attacks are much harder to mitigate.

A recent class of opportunistic password attacks (called Thermanator) is based on the thermal side-channel, targeting password entry on commodity plastic keyboards. A successful attack requires the victim to step away from the keyboard relatively soon after password entry, allowing the attacker to snap a photo of the keyboard using an inexpensive thermal camera. Results show that a full set of password key-presses can be recovered up to 30 seconds after entry, and a large subset thereof can be recovered up to a minute later. Nonetheless, Thermanator attacks do not yield ordering of key-presses or expose repeated keys. This limits attack practicality, due to potentially large password search space.

(Un)fortunately, there are multiple side-channels during password entry. In particular, the acoustic side-channel (i.e., keyboard acoustic emanations) has been studied extensively and is fairly effective. However, it usually requires a lengthy victim-specific learning/training phase.

In this talk, we introduce a new class of hybrid AcuTherm attacks that combine respective powers (and advantages) of thermal and acoustic side-channels. To the best of our knowledge, AcuTherm is the first hybrid side-channel attack to be systematically investigated. Our experiments included over 20 subjects using 3 common keyboards and many representative passwords. Results clearly show that AcuTherm substantially improves accuracy of combined side-channels in determining key ordering and duplicate pressed keys. This significantly reduces password search space *without* requiring acoustic models of the victim's typing.
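To put numbers on the search-space argument in the summary, the following added example (not code or data from the talk) counts how many candidate passwords remain as each property the summary names becomes known: the key set, the repeated keys, and finally the ordering. The 8-character password with 6 distinct keys, the length bound, and the 95-symbol alphabet are constructed assumptions; the function names are illustrative.

```python
from math import comb, factorial

def surjections(n, k):
    """Count length-n strings over k known keys that use every key at least
    once (inclusion-exclusion over the keys left unused)."""
    return sum((-1) ** j * comb(k, j) * (k - j) ** n for j in range(k + 1))

def key_set_only(k, max_len):
    """Only the set of pressed keys is known (thermal residue alone):
    length, repeats and order are all unknown, length assumed k..max_len."""
    return sum(surjections(n, k) for n in range(k, max_len + 1))

def repeats_known(counts):
    """Per-key press counts are known but the order is not:
    the multinomial coefficient n! / (c1! * c2! * ...)."""
    total = factorial(sum(counts))
    for c in counts:
        total //= factorial(c)
    return total

def residual_space(counts, max_len, alphabet=95):
    """Candidates left at each knowledge level for one constructed password,
    described by its per-key press counts (e.g. [2, 2, 1, 1, 1, 1])."""
    n, k = sum(counts), len(counts)
    return {
        "no side channel (fixed length)": alphabet ** n,
        "key set only": key_set_only(k, max_len),
        "key set + length": surjections(n, k),
        "key set + repeats": repeats_known(counts),
        "key set + repeats + order": 1,
    }

if __name__ == "__main__":
    # Constructed case: 8 key-presses over 6 distinct keys, two keys pressed twice.
    for level, size in residual_space([2, 2, 1, 1, 1, 1], max_len=8).items():
        print(f"{level:32s} {size:>20,d}")
```

For a defender, the gap between the first and second rows shows why a keyboard left unattended shortly after login is a meaningful exposure even when ordering and repeats stay hidden.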