New “thermal attacks” can crack device passwords in seconds

Machine learning and cheap thermal cameras can be used by criminals to spot heat signals and guess device passwords in less than a minute, say researchers

Security experts have developed a system that can crack passwords in seconds by tracking traces of heat left by fingers on keyboards and screens.

Researchers from the University of Glasgow developed ThermoSecure to illustrate how readily available and inexpensive thermal imaging cameras, combined with the increased availability of machine learning, have created new risks in the shape of so-called “thermal attacks”.

Thermal attacks can occur after users type their passcode on a computer keyboard, smartphone screen or ATM keypad and then leave the device unguarded, say researchers. A passerby with a thermal camera could see the heat signature indicating where fingers have touched the device.

By measuring the relative intensity of the warmer areas, it is possible to determine the specific letters, numbers or symbols that make up the password, explain researchers. Attackers can then try different combinations to crack the passwords.

The team’s paper, ThermoSecure: Investigating the Effectiveness of AI-driven Thermal Attacks on Commonly Used Computer Keyboards, was published in ACM Transactions on Privacy and Security

AI models take 20 seconds to guess 86% of passwords

In a paper published in the journal ACM Transactions on Privacy and Security, project leader Dr Mohamed Khamis and fellow team members Norah Alotaibi and Dr John Williamson explain how they took 1,500 thermal photos of recently-used QWERTY keyboards from different angles and then trained an artificial intelligence model to read the images and guess the passwords based on heat signature clues.

They found ThermoSecure could reveal 86 per cent of passwords when thermal images are taken within 20 seconds, and 76 per cent when taken within 30 seconds, dropping to 62 per cent after 60 seconds.

“Access to thermal imaging cameras is more affordable than ever – they can be found for less than £200 – and machine learning is becoming increasingly accessible too,” says Dr Khamis, of the University of Glasgow’s School of Computing Science. “That makes it very likely that people around the world are developing systems along similar lines to ThermoSecure in order to steal passwords. It’s important that computer security research keeps pace with these developments to find new ways to mitigate risk, and we will continue to develop our technology to try to stay one step ahead of attackers.”

The team says policymakers will be compelled to take action, with one possible measure being the introduction of regulations linked to the sale of thermal cameras and the security included in corresponding software.

Fingerprints and faces can help in the fight against fraud

The ThermoSecure team also offers suggestions for computer and smartphone users to help protect against thermal attacks.“Longer passwords are more difficult for ThermoSecure to guess accurately, so we would advise using long passphrases wherever possible,” says Dr Khamis. “Longer passphrases take longer to type, which also makes it more difficult to get an accurate reading on a thermal camera, particularly if the user is a touch typist.”

Users can also help secure devices using alternative authentication methods, including fingerprint or facial recognition. “In my team, we have previously proposed authentication schemes that rely on eye movements for password entry,” explains Dr Khamis. “Gaze-based authentication is resistant to thermal attacks by design.”

The research was supported by funding from the Royal Society of Edinburgh, the Engineering and Physical Sciences Research Council (EPSRC), and the PETRAS National Centre of Excellence for IoT Systems Cybersecurity which is also funded by the EPSRC, as well as by a studentship sponsored by Taif University and the Royal Embassy of Saudi Arabia Cultural Bureau in London.


Featured Articles

Gen AI Boom Drives Nvidia Value to Overtake Microsoft

Nvidia surpasses Microsoft to become the most valuable company, with its AI and chip developments tripling stock and prompting a US$3.3tn market cap

IBM & Wimbledon: AI Is Changing the Game for Sports

IBM and The All England Lawn Tennis Club have unveiled AI features for Wimbledon that will provide real-time analysis and expanded, personalised content

Zoom: Powering EMEA with a Partner-Led Focus

We examine how Zoom is moving towards greater digital transformation via its EMEA partnership channels, inspiring the next generation of collaboration

Schneider Electric: UK&I President Grows Her Europe Presence

Digital Transformation

DTW24 Ignite: AI to Power the Next Generation of Technology

Digital Transformation

SolarWinds: IT Professionals Worry about AI Integration Risk

AI & Machine Learning