
ICS Researchers Introduce Thermanator, Revealing a New Threat to Using Keyboards to Enter Passwords and Other Sensitive Information

June 29, 2018

A thermal image of “iloveyou” 20 seconds after entry.

After you enter a password, your regular computer keyboard might look the same as always, but a new approach that harvests thermal energy can illuminate the recently pressed keys, revealing that keyboard-based password entry is even less secure than previously thought. Computer Science Ph.D. students Tyler Kaczmarek and Ercan Ozturk in the Donald Bren School of Information and Computer Sciences (ICS), working with Chancellor’s Professor of Computer Science Gene Tsudik, have exploited thermal residue from human fingertips to introduce a new insider attack — the Thermanator.

“It’s a new attack that allows someone with a mid-range thermal camera to capture keys pressed on a normal keyboard, up to one minute after the victim enters them,” describes Tsudik. “If you type your password and walk or step away, someone can learn a lot about it after-the-fact.”

Their paper, “Thermanator: Thermal Residue-Based Post Factum Attacks On Keyboard Password Entry,” outlines the rigorous two-stage user study they conducted, collecting thermal residues from 30 users entering 10 unique passwords (both weak and strong) on four popular commodity keyboards. As noted in the paper, results show that entire sets of key-presses can be recovered by non-expert users as late as 30 seconds after initial password entry, while partial sets can be recovered as late as one minute after entry. The study further revealed that hunt-and-peck typists are particularly vulnerable.

Kaczmarek, Ozturk and Tsudik suggest some mitigation strategies, such as swiping your hands over the keyboard after password entry or selecting characters with the mouse. Regardless, based on the study results, they conclude that “Thermanator Attacks” represent a new credible threat for password-based systems, noting that “as formerly niche sensing devices become less and less expensive, new side-channel attacks move from ‘Mission: Impossible’ towards reality.”

— Shani Murray
