Researchers warn that an attacker with an inexpensive thermal camera and a machine-learning model can read the heat left by fingertips and recover device passwords within seconds of them being typed.
Security researchers have built a system that deciphers passwords from the residual warmth fingertips leave on keyboards and displays.
ThermoSecure was developed by researchers from the University of Glasgow to demonstrate how easily accessible and reasonably priced thermal imaging cameras, along with increasing access to machine learning, have produced new hazards in the form of so-called “thermal attacks.”
The researchers explain that anyone who types a passcode on a computer keyboard, smartphone screen or ATM keypad and then walks away is exposed: a bystander can photograph the surface with a thermal camera, and the image shows where fingers touched it.
Analysing the relative intensity of the warm spots lets the attacker identify the letters, numbers or symbols that make up the password and, because the residual heat fades over time, which keys were pressed most recently.
The attacker then only has to try the plausible orderings of those keys, a far smaller search than guessing the password blind.
ACM Transactions on Privacy and Security published the team’s study, ThermoSecure: Investigating the Effectiveness of AI-driven Thermal Attacks on Commonly Used Computer Keyboards.
AI models decoded 86% of passwords from images captured within 20 seconds
In the paper, project leader Dr. Mohamed Khamis and team members Norah Alotaibi and Dr. John Williamson describe taking 1,500 thermal images of recently used QWERTY keyboards from various angles and training a machine-learning model to read the images and predict the typed passwords from the heat-signature clues.
They found that ThermoSecure revealed 86% of passwords when the thermal image was captured within 20 seconds of typing, 76% when captured within 30 seconds, and 62% when captured after 60 seconds.
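As an added illustration (not code from the paper or from the Glasgow team), the toy Python model below walks through the inference chain described above: pick out the keys that are warmer than the surrounding keyboard, order them by residual intensity (cooler means pressed earlier), and enumerate the candidate orderings an attacker would try. It also shows two things the success rates hint at: as the capture delay grows the intensity differences shrink below what a camera can resolve, so the ordering becomes ambiguous and eventually the keys vanish into ambient altogether; and a key pressed more than once appears only once. Newtonian cooling and every constant (AMBIENT_C, TOUCH_RISE_C, TAU_S, NOISE_C, RESOLUTION_C) are assumptions for the model, not measurements from the study.

```python
import math
from itertools import permutations

# All constants are assumptions for this toy model, not values from the paper.
AMBIENT_C = 22.0        # assumed temperature of an untouched key
TOUCH_RISE_C = 4.0      # assumed rise of a key immediately after a fingertip press
TAU_S = 35.0            # assumed cooling time constant of a keycap, in seconds
NOISE_C = 0.3           # assumed smallest rise a cheap camera separates from ambient
RESOLUTION_C = 0.08     # assumed smallest difference between two keys the camera resolves


def simulate_keyboard(password, typing_interval_s, capture_delay_s):
    """Constructed thermal image: per-key temperature when the picture is taken.

    The password is typed one key every typing_interval_s seconds and the image
    is captured capture_delay_s seconds after the last keystroke. A key pressed
    more than once keeps only its last (hottest) press, which is why repeated
    characters are invisible to the attack.
    """
    last_press = {}
    for i, key in enumerate(password):
        last_press[key] = i * typing_interval_s
    end = (len(password) - 1) * typing_interval_s
    temps = {}
    for key, t in last_press.items():
        age = (end - t) + capture_delay_s
        # Newtonian cooling: the excess heat decays exponentially towards ambient
        temps[key] = AMBIENT_C + TOUCH_RISE_C * math.exp(-age / TAU_S)
    return temps


def touched_keys(temps, ambient=AMBIENT_C, noise=NOISE_C):
    """Step 1: keys whose residual heat still stands out from ambient."""
    return {k: t for k, t in temps.items() if t - ambient > noise}


def candidate_orderings(hot, resolution=RESOLUTION_C):
    """Step 2: order keys by intensity, coolest (earliest press) first.

    Adjacent keys whose temperatures differ by less than the camera's resolution
    are indistinguishable, so every permutation inside such a run is a candidate.
    """
    if not hot:
        return []
    ordered = sorted(hot.items(), key=lambda kv: kv[1])
    runs = []
    for key, temp in ordered:
        if runs and temp - runs[-1][-1][1] < resolution:
            runs[-1].append((key, temp))
        else:
            runs.append([(key, temp)])
    results = [""]
    for run in runs:
        keys = [k for k, _ in run]
        results = [prefix + "".join(p) for prefix in results for p in permutations(keys)]
    return results


def thermal_attack(password, typing_interval_s, capture_delay_s):
    """Whole pipeline: the candidate list an attacker would feed to a login prompt."""
    return candidate_orderings(touched_keys(simulate_keyboard(password, typing_interval_s, capture_delay_s)))


if __name__ == "__main__":
    # Hunt-and-peck typist (one key per second), image 5 s after the last key:
    # intensities are still separable, so the order is recovered exactly.
    print(thermal_attack("pa5s", 1.0, 5.0))
    # Same keyboard photographed 20 s later: keys are visible but the order is
    # ambiguous, so all 4! = 24 orderings become candidates.
    print(len(thermal_attack("pa5s", 1.0, 20.0)))
    # After 150 s nothing rises above the noise floor.
    print(thermal_attack("pa5s", 1.0, 150.0))
    # A repeated key shows up once, so "ssss" collapses to a single hot key.
    print(thermal_attack("ssss", 1.0, 5.0))
```

The constants are deliberately exposed so a practitioner can plug in a measured cooling curve for a particular keycap material and camera; the shape of the result (exact order at short delay, factorial blow-up once the intensity differences fall below the camera's resolution, nothing at all once they fall below the noise floor) is what matters, not the specific seconds.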
According to Dr. Khamis of the University of Glasgow’s School of Computing Science: “Access to thermal imaging cameras is more economical than ever — they can be found for less than £200 — and machine learning is becoming increasingly accessible too. This makes it quite probable that password-stealing systems modelled on ThermoSecure are being developed by individuals worldwide. We will continue evolving our technology to stay one step ahead of attackers. Computer security research must keep up with these advances to find new ways to limit risk.”
The researchers expect legislators to come under pressure to intervene; one option they suggest is regulating the sale of thermal cameras and the security features built into the software that ships with them.
Faces and fingerprints can aid in the fight against fraud
The ThermoSecure team offers computer and smartphone users some advice for defending against thermal attacks. “Longer passwords are more difficult for ThermoSecure to guess effectively, so we advise using long passphrases whenever possible,” says Dr. Khamis. Longer passphrases take more time to enter, which makes it harder to get an accurate thermal camera reading, especially if the user types by touch.
Users can further safeguard their devices with other authentication methods, such as fingerprint or facial recognition. Dr. Khamis explains: “My colleagues and I have previously presented authentication techniques that rely on eye movements for password submission. Gaze-based authentication is designed to be resilient to thermal attacks.”
The Engineering and Physical Sciences Research Council (EPSRC), the Royal Society of Edinburgh, the PETRAS National Centre of Excellence for IoT Systems Cybersecurity, which is also funded by the EPSRC, as well as a studentship sponsored by Taif University and the Royal Embassy of Saudi Arabia Cultural Bureau in London, all provided financial support for the study.