This keyboard attack steals passwords by reading heat from your fingers

Thermanator harvests thermal energy to steal passwords directly from your fingertips.
Written by Charlie Osborne, Contributing Writer

Researchers have presented a new attack that records thermal residue from keyboards in order to steal credentials.

According to scientists Tyler Kaczmarek, Ercan Ozturk, and Gene Tsudik from the University of California, Irvine (UCI), the "Thermanator" approach could be used to exploit keyboards based on the heat signatures left by users.

"It's a new attack that allows someone with a mid-range thermal camera to capture keys pressed on a normal keyboard, up to one minute after the victim enters them," said Tsudik. "If you type your password and walk or step away, someone can learn a lot about it after-the-fact."

You may think nothing of entering a password through your keyboard, but the insider attack allows the harvest of thermal energy from these PC peripherals.

These energy signatures, left on recently-pressed keys, can then be used to recover the strings of characters that represent passwords, PINs, and other sensitive information.

"Being warm-blooded, human beings naturally prefer environments that are colder than their internal temperature," the researchers say. "Because of this heat disparity, it is inevitable that we leave thermal residue on numerous objects that we routinely touch, especially, with bare fingers."

The attack exploits heat disparity in stages. The victim must first use a typical keyboard to enter a password. This individual must then be drawn away from their system, either willingly or through an insider directly luring them, whether in person or through an accomplice.

While the victim is not present, a camera capable of thermal imaging -- and set up before the attack -- must rapidly take a set of images to record the thermal residue present on the keyboard before it dissipates.

This "heat map" can then be analyzed to determine recently-pressed keys, either manually or through specialized software.

In laboratory tests, the researchers collected thermal residues left from 31 participants who typed ten unique passwords -- considered both "weak" and "strong" -- on four common keyboards.

The scientists then asked eight non-experts to recover the sets of pressed keys. After initial password entry, full key sets could be stolen in a time frame of up to 30 seconds, while partial sets could be recovered up to a minute after entry.

According to the team, "hunt and peck" typists, who do not use touch-typing but rather two-fingered keyboard operation to press keys individually, are particularly vulnerable to the Thermanator cyberattack.

While Thermanator has to meet a number of insider conditions to work, the UCI scientists say that the attack "represent[s] a new credible threat for password-based systems."

"As formerly niche sensing devices become less and less expensive, new side-channel attacks move from 'Mission: Impossible' towards reality," the team added.

The research, dubbed "Thermanator: Thermal Residue-Based Post Factum Attacks On Keyboard Password Entry," has been published online (.PDF) in the Cornell University Library.
