New “thermal attacks” can crack device passwords in seconds

Security experts have developed a system that can crack passwords in seconds by tracking traces of heat left by fingers on keyboards and screens.

Researchers from the University of Glasgow developed ThermoSecure to illustrate how readily available and inexpensive thermal imaging cameras, combined with the increased availability of machine learning, have created new risks in the shape of so-called “thermal attacks”.

Thermal attacks can occur after users type their passcode on a computer keyboard, smartphone screen or ATM keypad and then leave the device unguarded, say researchers. A passerby with a thermal camera could see the heat signature indicating where fingers have touched the device.

By measuring the relative intensity of the warmer areas, it is possible to determine the specific letters, numbers or symbols that make up the password, explain researchers. Attackers can then try different combinations to crack the passwords.

The team’s paper, ThermoSecure: Investigating the Effectiveness of AI-driven Thermal Attacks on Commonly Used Computer Keyboards, was published in ACM Transactions on Privacy and Security. 

AI models take 20 seconds to guess 86% of passwords

In a paper published in the journal ACM Transactions on Privacy and Security, project leader Dr Mohamed Khamis and fellow team members Norah Alotaibi and Dr John Williamson explain how they took 1,500 thermal photos of recently-used QWERTY keyboards from different angles and then trained an artificial intelligence model to read the images and guess the passwords based on heat signature clues.

They found ThermoSecure could reveal 86 per cent of passwords when thermal images are taken within 20 seconds, and 76 per cent when taken within 30 seconds, dropping to 62 per cent after 60 seconds.

“Access to thermal imaging cameras is more affordable than ever – they can be found for less than £200 – and machine learning is becoming increasingly accessible too,” says Dr Khamis, of the University of Glasgow’s School of Computing Science. “That makes it very likely that people around the world are developing systems along similar lines to ThermoSecure in order to steal passwords. It’s important that computer security research keeps pace with these developments to find new ways to mitigate risk, and we will continue to develop our technology to try to stay one step ahead of attackers.”

The team says policymakers will be compelled to take action, with one possible measure being the introduction of regulations linked to the sale of thermal cameras and the security included in corresponding software.

Fingerprints and faces can help in the fight against fraud

The ThermoSecure team also offers suggestions for computer and smartphone users to help protect against thermal attacks.“Longer passwords are more difficult for ThermoSecure to guess accurately, so we would advise using long passphrases wherever possible,” says Dr Khamis. “Longer passphrases take longer to type, which also makes it more difficult to get an accurate reading on a thermal camera, particularly if the user is a touch typist.”

Users can also help secure devices using alternative authentication methods, including fingerprint or facial recognition. “In my team, we have previously proposed authentication schemes that rely on eye movements for password entry,” explains Dr Khamis. “Gaze-based authentication is resistant to thermal attacks by design.”

The research was supported by funding from the Royal Society of Edinburgh, the Engineering and Physical Sciences Research Council (EPSRC), and the PETRAS National Centre of Excellence for IoT Systems Cybersecurity which is also funded by the EPSRC, as well as by a studentship sponsored by Taif University and the Royal Embassy of Saudi Arabia Cultural Bureau in London.