I have a thermal imaging camera made by FLIR Systems. These cameras are really interesting devices; they pick up long-wavelength infrared radiation (wavelengths of 8-12μm, versus 380-750nm for visible light). We’ve all seen objects heated until they’re hot enough to glow visibly, but it takes a lot less heat to glow in the infrared spectrum!
Why, you might ask, do I have a thermal camera? Because. That’s why. Actually, there is a reason.
In addition to being cool toys, they’re actually quite useful in a data center environment where a lot of heat-producing equipment is packed into a very small space. It’s also the best demonstrator I’ve ever found for showing the potential of a low-bandwidth “covert channel” attack to a client. A little application that works the CPU hard when an event occurs causes it to heat up a bit, which is instantly visible from a distance even though the machine in question has been literally “air-gapped” from anything else in the room.
Here’s a quick shot of my TV and the equipment underneath it.
It’s easy to see what’s generating heat (and that the box at the very bottom of the frame is turned off entirely).
The camera also has a very useful visible light fusion mode, which adds some features from the visible spectrum to help you understand what you’re looking at. Here’s the same image with that feature turned on:
The camera I have is FLIR System’s least expensive infrared camera, the E4. “Least expensive” is a relative thing, though; it’s still close to a thousand bucks. It’s part of a range of cameras that function similarly but that offer different image resolutions. The entry-level E4 produces 80×60-pixel thermal images, whereas the high end of the series, the E8, offers 320×240 thermal resolution for six times the price. These are certainly low resolutions by digital camera standards, but the sensors are costly and it turns out you don’t need that much resolution for thermal imagery since it’s unusual to have many large temperature variations in a very small area).
Still, 320×240 is lots better than 80×60!
Amusingly, the hardware for the $1,000 E4 and the $6,000 E8 is identical including the sensor. As with the Rigol oscilloscope I mentioned earlier, participants on David L. Jones’ EEVblog site discovered this a while ago and have been sharing lots of information ever since.
Over time it became clear that the thermal camera has a built-in USB TCP/IP stack and web/FTP server that can be used to gain access to its filesystem. A set of configuration files defines the capabilities of the camera when it’s booted.
The configuration files are tied to the camera’s serial number—but unlike the Rigol scope, they don’t use public-key cryptography but instead a simple CRC scheme to authenticate the configuration files.
Folks disassembled the code in the device and figured out the algorithm in short order, and now there are a lot of people with E4s (including me) who are rocking the feature set of the E8 (actually a superset due to some capabilities that were inexplicably turned off even on the high-end model). The additional resolution is a nice thing, and there’s also a new USB Video Class mode that lets you use the thing as an infrared webcam.
FLIR appears to feel a lot more threatened by this development than Rigol did about the oscilloscope feature codes. Part of this may stem from the fact that the Rigol options cost a few hundred dollars and aren’t useful to everyone. Higher infrared resolution is useful to everyone, though, and it can’t make FLIR look good to be selling identical hardware for $1,000 and $6,000—even if that is the most cost-effective way to segment the market and recoup development costs.
So they’ve rushed new firmware onto the market to counter this threat. It remains to be seen whether hobbyist tinkerers will figure out how to re-enable the capabilities that have been removed, but I wouldn’t bet against them.