Hackers now use thermal attacks to steal passwords in seconds

Among the images taken within 20 seconds, the system could also guess long passwords that used as many as 16-characters 67 percent of the time. As the passwords grew shorter, the accuracy increased, reaching 100 percent for passwords that were six characters long, the press release said.

“Access to thermal imaging cameras is more affordable than ever – they can be found for less than £200 (US$225) – and machine learning is becoming increasingly accessible too,” said Khamis in the press release. “It’s important that computer security research keeps pace with these developments to find new ways to mitigate risk, and we will continue to develop our technology to try to stay one step ahead of attackers.”

What can be done to avert this?

The research also provided insights into what mitigation strategies could be adopted to prevent a thermal attack. The researchers found that users who typed slower and left their fingers on the keyboard longer were more likely to see their passwords being guessed accurately than those who typed fast.

Also, the material that was used to make the keyboard also had an impact on the system’s ability to guess passwords. Thermosecure could accurately guess passwords typed on keycaps made from ABS plastics about 50 percent of the time. However, the success rate dropped considerably to 14 percent when keycaps made from PBT plastics were used.

Apart from moving to sophisticated means of authentication, such as fingerprint and facial recognition, users could adopt long passphrases as passwords.

The research findings were published in the journal ACM Transactions on Privacy and Security.


Thermal cameras can reveal heat traces on user interfaces, such as keyboards. This can be exploited maliciously to infer sensitive input, such as passwords. While previous work considered thermal attacks that rely on visual inspection of simple image processing techniques, we show that attackers can perform more effective AI-driven attacks. We demonstrate this by presenting the development of ThermoSecure, and its evaluation in two user studies (N=21, N=16) which reveal novel insights about thermal attacks. We detail the implementation of ThermoSecure and make a…