The radioactive'miracle water' that killed its believers In the 1920s, Radithor promised to cure everything from wrinkles to leukemia, but its unintended results were deadly. While 1920s soda shops offered a plethora of sweet treats, nearby pharmacies served their own tinctures--like Radithor, certified radioactive water. Breakthroughs, discoveries, and DIY tips sent every weekday. William Bailey promised to cure anything that ailed you. " Just a tiny bottle of apparently lifeless, colorless, and tasteless water " was, he advertised in a 1929 pamphlet for his product, Radithor, "the greatest therapeutic force known to mankind."

To date, there has been no systematic investigation of thermal profiles of keyboards, and thus no efforts have been made to secure them. This serves as our main motivation for constructing a means for password harvesting from keyboard thermal emanations. Specifically, we introduce Thermanator: a new post-factum insider attack based on heat transfer caused by a user typing a password on a typical external (plastic) keyboard. We conduct and describe a user study that collected thermal residues from 30 users entering 10 unique passwords (both weak and strong) on 4 popular commodity keyboards. Results show that entire sets of key-presses can be recovered by non-expert users as late as 30 seconds after initial password entry, while partial sets can be recovered as late as 1 minute after entry. However, the thermal residue side-channel lacks information about password length, duplicate key-presses, and key-press ordering. To overcome these limitations, we leverage keyboard acoustic emanations and combine the two to yield AcuTherm, the first hybrid side-channel attack on keyboards. AcuTherm significantly reduces password search without the need for any training on the victim's typing. We report results gathered for many representative passwords based on a user study involving 19 subjects. The takeaway of this work is three-fold: (1) using plastic keyboards to enter secrets (such as passwords and PINs) is even less secure than previously recognized, (2) post-factum thermal imaging attacks are realistic, and (3) hybrid (multiple side-channel) attacks are both realistic and effective.

You probably assume that someone can only see what's on your computer screen by looking at it. But a team of researchers has found that they can glean a surprising amount of information about what a monitor displays by listening to and analyzing the unintended, ultrasonic sounds it emits. The technique, presented at the Crypto 2018 conference in Santa Barbara on Tuesday, could allow an attacker to initiate all sorts of stealthy surveillance by analyzing livestreams or recordings taken near a screen--say from a VoIP call or video chat. From there, the attacker could extract information about what content was on the monitor based on acoustic leakage. And though distance degrades the signal, especially when using low quality microphones, the researchers could still extract monitor emanations from recordings taken as far as 30 feet away in some cases . "I think there's a lesson here about being attuned to the unexpected in our physical environment and understanding the physical mechanisms that are behind these gadgets that we use," says Eran Tromer, a cryptography and systems security researcher at Tel Aviv University and Columbia University, who participated in the research.