What’s a thermal attack? How can you guard yourself against heat-sniffing hackers?

Thermal camera. Credit: University of Glasgow.

Have you ever considered that the heat from your fingers could give away your passwords?

A group of computer whizzes is warning us about a sneaky method hackers might use to steal our secrets: thermal attacks.

What’s a thermal attack? Imagine typing your bank PIN into an ATM. When you walk away, your fingers leave behind a faint heat map of where you pressed.

Using special cameras that detect this heat, hackers can figure out your password. Dr. Mohamed Khamis and his team from the University of Glasgow showed how these cameras could easily reveal our secret codes using a system they made called ThermoSecure.

This might sound like science fiction, but the threat is real. The good news is that Dr. Khamis and friends have been hard at work, looking into ways to stop these attacks.

Their findings were presented at a big computer security event in California.

The researchers had quite a few ideas on how to protect ourselves from these heat-snooping tactics:

  1. Wearing gloves or special finger covers.
  2. Cooling our hands by touching something cold before typing.
  3. Pressing our hands on devices after typing to spread the heat.
  4. Installing heaters in devices to erase the heat marks.
  5. Using materials that cool down quickly for device surfaces.
  6. Using shields that cover keypads after use.
  7. Eye-tracking or using fingerprint and face scans for extra security.

The team also asked 306 people about which methods they’d prefer and what they might do to keep their passwords safe.

Most people liked ideas they already knew about, like using a second step to verify their identity. Some folks came up with their own strategies, like using the ATM when it feels safest or waiting a bit to enter their PIN.

However, some ideas weren’t popular at all. For instance, people didn’t like the thought of breathing on devices to hide the heat (because, yuck, germs).

And, while some liked the idea of using face or fingerprint scans for extra protection, others were worried about privacy.

Dr. Khamis emphasized that while this all might sound complicated, what’s essential is for everyone to find a method they’re comfortable with and use it regularly. That way, it becomes a habit, and we’re safer for it.

Prof. Karola Marky, a researcher on the team, suggests that people should always be aware of their surroundings. If someone’s watching, maybe don’t type in that password. She also says gloves or other finger protection might be handy, and using multiple ways to verify our identity is a smart move, for example a password and a fingerprint.

Dr. Shaun Macdonald, another expert from the team, advises companies making public devices like ATMs to think about thermal attacks from the start.

They could design devices that shuffle keys around after use or use screens to block views. And if devices are already out there, maybe software updates could remind people to be cautious.

In the end, Dr. Khamis hopes even the companies that make those heat-detecting cameras can play a part by stopping the cameras from taking pictures of sensitive surfaces, like bank PIN pads.

For now, the key takeaway is to be aware and find a simple trick or two that helps you shield your secrets from any heat-hungry hackers lurking around.


Source: University of Glasgow.