As malware in IoT devices !ourishes, defenses are lacking. Traditional antivirus or intrusion detection-based defense techniques fail for the limited computational capabilities and the large diversity of platforms and environments. In this paper, we present ThermWare, a non-intrusive screening method to detect anomalous operations on embedded devices at run-time. ThermWare relies on the observation that electronic circuits generate subtle patterns of heat at the component level when the corresponding module is accessed by the micro-operations (e.g., file-write) of the running code. We propose the use of these side-channel heat signatures captured by a thermal camera to determine the sequence of underlying computations in real time. An early implementation of ThermWare shows success in detecting common malware routines in general-purpose IoT devices. We envision leveraging the thermal side-channel to track the internal operations of an embedded device, which can potentially lead to broader applications in engineering embedded systems, monitoring device health and run-time capacity, assisting embedded coding optimization, and physical layer security analysis.