Skip to main content

Your body heat can help attackers steal your password in new attack

If you’re typing your password on a computer keyboard, you’re leaving heat traces behind that could be picked up by hackers. By using a thermal imaging camera and scanning your computer keyboard after you typed your password, researchers at the University of California, Irvine discovered that key presses can be recovered as late as 30 seconds after the first key was pressed with off-the-shelf solutions from FLIR. The researchers published their findings on attacks by thermal imaging in a paper titled “Thermanator.”

“Although thermal residue dissipates over time, there is always a certain time window during which thermal energy readings can be harvested from input devices to recover recently entered, and potentially sensitive, information,” the researchers wrote.

Recommended Videos

This style of attack was tested on four keyboards, and researchers found that a full password can be obtained by scanning thermal residues on keyboards within 30 seconds of the first key being entered. And after one minute, partial passwords can be obtained from the thermal scans. For their experiment, researchers set the infrared heat-detecting FLIR cameras on a tripod 24 inches away from the keyboard.

Please enable Javascript to view this content

FLIR makes several models of its infrared cameras that capture heat. The basic model, called the FLIR One Pro, is a $400 accessory that is available as a smartphone attachment. Some phones, like the CAT S61, also ships with the FLIR camera module embedded.

Thirty non-expert users tried to guess the password based on the infrared thermal imaging scans. When “hunt and peck” typists entered their passwords, researchers found that the participants were able to guess secure passwords between 19.5 and 31 seconds after initial entry by examining the infrared thermal scans. Weak passwords, such as “football” and “12341234” can be obtained an average of 25.5 seconds and 45.25 seconds, respectively. Conversely, for touch typists, the “12341234” password was deemed the best of the tested combination in the study, requiring non-experts 47.6 seconds on average to guess, TechRepublic reported.

UC Irvine researchers concluded that hunt and peck typists were the most susceptible to Thermantor-style. By using just their forefingers to type, they leave a larger fingerprint on each key, leaving behind more heat trace. Because touch typists rest their fingers on the row of home key on a keyboard, they generate more thermal noise, making it difficult to analyze heat traces using the FLIR camera. However, those with acrylic fingernails are more immune to Thermanator attacks, because they type with the tip of their fingernails, leaving no heat traces behind on the keycaps.

“The main takeaway of this work is three-fold: (1) using external keyboards to enter (already much-maligned) passwords is even less secure than previously recognized, (2) post factum (planned or impromptu) thermal imaging attacks are realistic, and finally (3) perhaps it is time to either stop using keyboards for password entry, or abandon passwords altogether,” researchers said.

Additionally, if you have to enter your password in a public environment, one method to keep your information secure is to use two-factor authentication.

Chuong Nguyen
Silicon Valley-based technology reporter and Giants baseball fan who splits his time between Northern California and Southern…
How smart light bulbs could steal your password
GE Cync smart lights review

If it's connected to the internet, it can get hacked -- yes, even some of the best smart bulbs. While smart bulbs make it easy to adjust the lighting and ambiance in your room, they connect to Wi-Fi, which makes them susceptible to attacks. Researchers from the Universita di Catania and the University of London discovered a particular vulnerability in the TP-Link Tapo L530E smart bulb and the accompanying TP-Link Tapo app. It seems that hackers could gain access to your passwords just through the smart bulb.

These days, smart devices are more and more prominent in households across the globe. The TP-Link Tapo L530E is a popular smart bulb, which is what drove the researchers to analyze it and attempt to find flaws within its security. Unfortunately, they found at least four vulnerabilities, all stemming from the fact that the bulb's security measures might be insufficient.

Read more
AI can now steal your passwords with almost 100% accuracy — here’s how
A digital depiction of a laptop being hacked by a hacker.

Researchers at Cornell University have discovered a new way for AI tools to steal your data -- keystrokes. A new research paper details an AI-driven attack that can steal passwords with up to 95% accuracy by listening to what you type on your keyboard.

The researchers accomplished this by training an AI model on the sound of keystrokes and deploying it on a nearby phone. The integrated microphone listened for keystrokes on a MacBook Pro and was able to reproduce them with 95% accuracy -- the highest accuracy the researchers have seen without the use of a large language model.

Read more
Hackers may have stolen the master key to another password manager
Open padlock cybersecurity

The best password managers are meant to keep all your logins and credit card info safe and secure, but a major new vulnerability has just put users of the KeePass password manager at serious risk of being breached.

In fact, the exploit allows an attacker to steal a KeePass user’s master password in plain text -- in other words, in an unencrypted form -- simply by extracting it from the target computer’s memory. It’s a remarkably simple hack, yet one that could have worrying implications.

Read more