Body Heat Password Threat
There are many warnings out there when it comes to keeping your passwords safe and private. Although it’s important to keep them all in mind, there is a new threat that is equally important to be aware of.
Researchers at the University of California Irvine tested four keyboards and came to the conclusion that once you type your password on a computer keyboard, the heat traces that you leave behind on the keys can be recovered by hackers. Although the thermal residue will dissipate over time, there is a thirty-second window in which your keyboard can be scanned and your full password can be obtained. After one minute, the thermal scans can still obtain a partial password.
The heat can be captured with a FLIR camera. While conducting their experiment, researchers set up the camera on a tripod 24 inches away from the keyboard. Based on the infrared thermal imaging scans, 30 non-expert users tried to guess the passwords. For secure passwords, it took them between 19.5 and 31 seconds to guess the passwords. Weak passwords took an average of between 25.5 and 45.25 seconds. This experiment was done on “hunt and peck” typists, that is, people who type with two fingers.
The UC Irvine researchers realized that hunt and peck typists were the most susceptible, since they use their forefingers to type, which leaves a larger fingerprint and a stronger heat trace on each key. Those with acrylic fingernails seemed to be more immune to the attacks, since they type with their fingernails and no heat is left on the keyboard.
Important points to be aware of:
When entering a password, external keyboards are not necessarily secure.
Post factum (planned or impromptu) thermal imaging attacks do happen.
Researchers suggest that it may be time to either stop using keyboards for password entry, or stop using passwords altogether.
How to protect yourself:
Be wary of your surroundings. If you feel concerned, stay put for a few extra minutes to ensure your heat signature dissipates from the keyboard.
When utilizing a publicly accessible keypad, touch as many keys as possible to leave a misdirecting heat signature.
Whenever possible, use two-factor authentication.
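The effect of touching extra keys on a public keypad can be put in numbers. This is an added example, not from the original post or the UC Irvine study. It assumes a thermal image shows only which keys are warm, not their order or repeats; the function names and the 4-digit PIN on a 10-key pad are constructed for illustration.

```python
from math import comb, log2

def strings_using_all(length: int, keys: int) -> int:
    """Strings of `length` that use each of `keys` symbols at least once
    (inclusion-exclusion over the symbols that are left out)."""
    if keys > length:
        return 0
    return sum((-1) ** j * comb(keys, j) * (keys - j) ** length
               for j in range(keys + 1))

def candidates(length: int, real_keys: int, decoy_keys: int = 0) -> int:
    """Entries an observer still has to try after seeing the warm keys.

    Assumed model: the image reveals WHICH keys are warm and nothing else.
    No decoys: every warm key belongs to the secret, so only strings that
    use all of them remain. With decoys: real and decoy keys look alike,
    so any string over the warm keys remains possible.
    """
    if not 1 <= real_keys <= length:
        raise ValueError("real_keys must be between 1 and length")
    if decoy_keys == 0:
        return strings_using_all(length, real_keys)
    return (real_keys + decoy_keys) ** length

def report(length: int, real_keys: int, keypad_size: int):
    """One row per number of decoy keys touched:
    (decoys, remaining candidates, bits of uncertainty, share of blind guess)."""
    blind = keypad_size ** length
    rows = []
    for decoys in range(keypad_size - real_keys + 1):
        n = candidates(length, real_keys, decoys)
        rows.append((decoys, n, round(log2(n), 1), n / blind))
    return rows

if __name__ == "__main__":
    # Constructed case: 4-digit PIN with 4 distinct digits on a 10-key pad.
    print("decoys  candidates  bits  share of blind search")
    for decoys, n, bits, share in report(4, 4, 10):
        print(f"{decoys:>6}  {n:>10}  {bits:>4}  {share:.2%}")
```

Under this model, the PIN entered without decoys leaves 24 orderings to try. Touching all ten keys restores the full 10,000.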
This post was written by Darrin Gonchar