Hackers have found a new way to sneak into computers, and it’s through our own body heat.
Researchers at the University of California found a new way of hacking that relies on the heat left behind by a person’s fingers. When someone types a password on a keyboard, they leave heat traces behind that are later picked up by hackers.
The team, which named the technique ‘Thermanator’, discovered this by scanning a computer keyboard with a thermal imaging camera after a password had been typed. They noticed that key presses can be recovered as late as 30 seconds after the first key was pressed, reported Digital Trends.
Publishing their findings in a paper titled Thermanator, the researchers wrote, “Although thermal residue dissipates over time, there is always a certain time window during which thermal energy readings can be harvested from input devices to recover recently entered, and potentially sensitive, information.”
The technique was tested with 31 participants on four keyboards, and full passwords could be recovered by scanning thermal residue on the keyboards after 30 seconds. After a minute had passed, partial passwords were obtained. For the tests, infrared heat-detecting FLIR cameras were set on a tripod 24 inches away from the keyboard.
Thirty non-expert users were made to guess the password based on the scans. The participants were able to guess passwords between 19.5 and 31 seconds after the first presses. Weak passwords were guessed in an average of 25.5 seconds, whereas passwords like ‘12341234’ took 45.25 seconds to guess.
“The main takeaway of this work is three-fold. First is that using external keyboards to enter (already much-maligned) passwords is even less secure than previously recognized, second is that post factum (planned or impromptu) thermal imaging attacks are realistic, and finally perhaps it is time to either stop using keyboards for password entry, or abandon passwords altogether,” researchers said.
Researchers said that this type of attack could be used to gain access to text, banking PINs, and/or codes. They hope that their findings will encourage a move towards more secure methods, wrote Mirror.