Skip to content

The Abstract Cheetos Attack.

I need to write a CERT paper for this –

  • Name of Attack:The Abstract Cheetos Attack
  • Type of Attack: Password Vulnerability / Local Exploit / Brute Force
  • Known fix: Lack of Cheetos
  • Attack Vector: Food[1]/Social Engineering
  • Exploit Details: It is possible to determine the most-frequently used letters on a given keyboard on the target’s computer by providing the target with a “friendly” package of Cheetos at some regular interval, and then examining, over time, the build up of dangerously cheesey residue on the target’s keyboard. Armed with the most frequent keystrokes, it is possible to perform a reduced brute-force attack on the target’s account password. Due to the reduction in keys, it is possible to grossly reduce the time and resources required to identify the target’s password. This attack also enables the attacker to determine other personal information including frequency of hand-washing, like/dislike of said “Food” and frequency at which the target cleans their clothes.

[1] Note that Cheetos may not be classified as “Food”

  • Probably works best in the PIN setting mentioned by Passive above, since password characters may not be the most frequently used. Take a password like "eleph@nt", for example. "e" is the most commonly used character in English, as in this password. And if the target types many email addresses (which is not too far-fetched), even the @ symbol may be explained away.

    All that said, this can be a very useful attack in the right context.
  • Well, that spoiled my dangerously cheesey fun :)
  • Remind me never to borrow your laptop ...
  • Or my clothes for that matter!
  • Passive
    Interestingly enough, a similar attack has proved very useful against building security systems that require PIN entry to disable. Usually, the keypads are only used for entering the PINs, so by examining the wear on the keypad, it is often clear which are the PIN keys. In an old office I worked at, the order of the PIN numbers was even clear, as the first key was both the most worn, and the dirtiest, due to force of pressing, and transfer of dirt/oils from the pressers fingers. It seems that the first keys is always jabbed rather fiercely, with the amount of force generally being reduced on each subsequent press.
  • I worked at a small company in the East Bay that had a small shroud around the keypad and the numbers showed up in random locations on the keypad for each attempted pin entry. They had good security for the time.
blog comments powered by Disqus