Password Thieves Are Detecting Body Heat to Track Keystrokes

Malicious actors use a wide range of practices to implement their malicious activities, but the depths that they would sink to can often take us by surprise. The latest technique that malicious actors appear to be using involves tracking keystrokes by detecting body heat, and they can use all sorts of heat detecting cameras that can easily be bought for a couple hundred dollars online to do this. A researcher at the University of Glasgow by the name of Mohamed Khamis recently tried to show an example of how this can be done.

This test involved the use of a new form of tech that his team developed which they are calling ThermoSecure. It detected traces of heat that were left behind after a user put in the keystrokes related to their password, and with all of that having been said and now out of the way it is important to note that it was able to take 86% of passwords if used within 20 seconds after the password was put in.

This decreased only slightly to 76% if the wait lasted 30 seconds, and up to 62% of passwords were still detectable around one minute after they were typed in. One might assume that longer passwords would be easier for evading detection, but in spite of the fact that this is the case sixteen character passwords were still captured 65% of the time on average if no longer than 20 seconds had elapsed.

Longer passwords can reduce the chances of the password getting captured, with 12 character passwords being cracked 82% of the time and 8 character pass phrased 93% of the time, but they are not immune to this type of threat with all things having been considered and taken into account.

This highlights the urgent need for governments to regulate the purchasing of heat sensitive cameras. Such cameras can contribute to people being less secure than might have been the case otherwise, and they are just the latest in a long line of new techniques that are used by threat actors to try to steal your log in credentials.

Read next: Only 10% of Companies Avoided Ransomware in 2022

No comments: