Skip to main content

Your body heat can help attackers steal your password in new attack

If you’re typing your password on a computer keyboard, you’re leaving heat traces behind that could be picked up by hackers. By using a thermal imaging camera and scanning your computer keyboard after you typed your password, researchers at the University of California, Irvine discovered that key presses can be recovered as late as 30 seconds after the first key was pressed with off-the-shelf solutions from FLIR. The researchers published their findings on attacks by thermal imaging in a paper titled “Thermanator.”

“Although thermal residue dissipates over time, there is always a certain time window during which thermal energy readings can be harvested from input devices to recover recently entered, and potentially sensitive, information,” the researchers wrote.

This style of attack was tested on four keyboards, and researchers found that a full password can be obtained by scanning thermal residues on keyboards within 30 seconds of the first key being entered. And after one minute, partial passwords can be obtained from the thermal scans. For their experiment, researchers set the infrared heat-detecting FLIR cameras on a tripod 24 inches away from the keyboard.

FLIR makes several models of its infrared cameras that capture heat. The basic model, called the FLIR One Pro, is a $400 accessory that is available as a smartphone attachment. Some phones, like the CAT S61, also ships with the FLIR camera module embedded.

Thirty non-expert users tried to guess the password based on the infrared thermal imaging scans. When “hunt and peck” typists entered their passwords, researchers found that the participants were able to guess secure passwords between 19.5 and 31 seconds after initial entry by examining the infrared thermal scans. Weak passwords, such as “football” and “12341234” can be obtained an average of 25.5 seconds and 45.25 seconds, respectively. Conversely, for touch typists, the “12341234” password was deemed the best of the tested combination in the study, requiring non-experts 47.6 seconds on average to guess, TechRepublic reported.

UC Irvine researchers concluded that hunt and peck typists were the most susceptible to Thermantor-style. By using just their forefingers to type, they leave a larger fingerprint on each key, leaving behind more heat trace. Because touch typists rest their fingers on the row of home key on a keyboard, they generate more thermal noise, making it difficult to analyze heat traces using the FLIR camera. However, those with acrylic fingernails are more immune to Thermanator attacks, because they type with the tip of their fingernails, leaving no heat traces behind on the keycaps.

“The main takeaway of this work is three-fold: (1) using external keyboards to enter (already much-maligned) passwords is even less secure than previously recognized, (2) post factum (planned or impromptu) thermal imaging attacks are realistic, and finally (3) perhaps it is time to either stop using keyboards for password entry, or abandon passwords altogether,” researchers said.

Additionally, if you have to enter your password in a public environment, one method to keep your information secure is to use two-factor authentication.

Editors' Recommendations

Chuong Nguyen
Silicon Valley-based technology reporter and Giants baseball fan who splits his time between Northern California and Southern…
Grammarly’s new ChatGPT-like AI generator can do a lot more than proofread your writing
GrammarlyGO's Rewrite for Length feature is shown.

Grammarly, one of the biggest names in writing tools, is adding AI-generated text to its repertoire on the heels of the wild popularity of ChatGPT. Known as GrammarlyGO, this new tool is focused on improving writing rather than replacing the writer.

GrammarlyGO will roll out in beta form to existing users in April. All tiers, including developers, business, education, and premium users, will have access. You can even use GrammarlyGO with a free account.

Read more
This major Apple bug could let hackers steal your photos and wipe your device
A physical lock placed on a keyboard to represent a locked keyboard.

Apple’s macOS and iOS are often considered to be more secure than their rivals, but that doesn’t make them invulnerable. One security team recently proved that by showing how hackers could exploit Apple’s systems to access your messages, location data, and photos -- and even wipe your device entirely.

The discoveries were published on the blog of security research firm Trellix, and will be of major concern to iOS and macOS users alike, since the vulnerabilities can be exploited on both operating systems. Trellix explains that Apple patched the exploits in macOS 13.2 and iOS 16.3, which were released in January 2023, so you should update your devices as soon as you can.

Read more
This huge password manager exploit may never get fixed
A large monitor displaying a security hacking breach warning.

It’s been a bad few months for password managers -- albeit mostly just for LastPass. But after the revelations that LastPass had suffered a major breach, attention is now turning to open-source manager KeePass.

Accusations have been flying that a new vulnerability allows hackers to surreptitiously steal a user’s entire password database in unencrypted plaintext. That’s an incredibly serious claim, but KeePass’s developers are disputing it.

Read more