• Explore
    • Contact Us
  • Faculty
  • Research
    • Research Areas
    • Research Centers
  • Graduate Degrees
    • Computer Science Programs
    • Current Graduate Students
  • Undergraduate Degrees
  • News & Events
    • News
    • Seminar Series
    • Distinguished Lecture Series
    • Research Showcase
  • Apply Now
    • Undergraduate Admissions
    • Graduate Admissions
    • Faculty Candidates

ICS Researchers Introduce Thermanator, Revealing a New Threat to Using Keyboards to Enter Passwords and Other Sensitive Information

June 29, 2018

A thermal image of “iloveyou” 20 seconds after entry.

After entering a password, your regular computer keyboard might appear to look the same as always, but a new approach harvesting thermal energy can illuminate the recently pressed keys, revealing that keyboard-based password entry is even less secure than previously thought. Computer Science Ph.D. students Tyler Kaczmarek and Ercan Ozturk in the Donald Bren School of Information and Computer Sciences (ICS), working with Chancellor’s Professor of Computer Science Gene Tsudik, have exploited thermal residue from human fingertips to introduce a new insider attack — the Thermanator.

“It’s a new attack that allows someone with a mid-range thermal camera to capture keys pressed on a normal keyboard, up to one minute after the victim enters them,” describes Tsudik. “If you type your password and walk or step away, someone can learn a lot about it after-the-fact.”

Their paper, “Thermanator: Thermal Residue-Based Post Factum Attacks On Keyboard Password Entry,” outlines the rigorous two-stage user study they conducted, collecting thermal residues from 30 users entering 10 unique passwords (both weak and strong) on four popular commodity keyboards. As noted in the paper, results show that entire sets of key-presses can be recovered by non-expert users as late as 30 seconds after initial password entry, while partial sets can be recovered as late as one minute after entry. The study further revealed that hunt-and-peck typists are particularly vulnerable.

Kaczmarek, Ozturk and Tsudik suggest some mitigation strategies, such as swiping your hands over the keyboard after password entry or selecting characters with the mouse. Regardless, based on the study results, they conclude that “Thermanator Attacks” represent a new credible threat for password-based systems, noting that “as formerly niche sensing devices become less and less expensive, new side-channel attacks move from ‘Mission: Impossible’ towards reality.”

— Shani Murray

« Gene Tsudik, ICS Exchange Students on International Team Studying Information Leakage
‘Sankofa’ Receives Bronze Medal at 2018 International Serious Play Awards »

Latest news

  • Identifying the Building Blocks of Attention in Deep Learning March 21, 2023
  • Faculty Spotlight: Jennifer Wong-Ma and the Power of Community March 20, 2023
  • Computer Science Ph.D. Candidate Takami Sato Named Public Impact Fellow March 14, 2023
  • Irani Builds New Collaborations as Associate Director of the Simons Institute March 6, 2023
  • UC Irvine Partners With Linux Foundation to Welcome New Open Source Projects from Peraton Labs to Scale 5G Security March 3, 2023
  • © 2023 UC Regents
  • Feedback
  • Privacy Policy