New “thermal attacks” can crack device passwords in seconds

Machine learning and cheap thermal cameras can be used by criminals to spot heat signals and guess device passwords in less than a minute, say researchers

Security experts have developed a system that can crack passwords in seconds by tracking traces of heat left by fingers on keyboards and screens.

Researchers from the University of Glasgow developed ThermoSecure to illustrate how readily available and inexpensive thermal imaging cameras, combined with the increased availability of machine learning, have created new risks in the shape of so-called “thermal attacks”.

Thermal attacks can occur after users type their passcode on a computer keyboard, smartphone screen or ATM keypad and then leave the device unguarded, say researchers. A passerby with a thermal camera could see the heat signature indicating where fingers have touched the device.

By measuring the relative intensity of the warmer areas, it is possible to determine the specific letters, numbers or symbols that make up the password, explain researchers. Attackers can then try different combinations to crack the passwords.

The team’s paper, ThermoSecure: Investigating the Effectiveness of AI-driven Thermal Attacks on Commonly Used Computer Keyboards, was published in ACM Transactions on Privacy and Security.

AI models take 20 seconds to guess 86% of passwords

In a paper published in the journal ACM Transactions on Privacy and Security, project leader Dr Mohamed Khamis and fellow team members Norah Alotaibi and Dr John Williamson explain how they took 1,500 thermal photos of recently-used QWERTY keyboards from different angles and then trained an artificial intelligence model to read the images and guess the passwords based on heat signature clues.

They found ThermoSecure could reveal 86 per cent of passwords when thermal images are taken within 20 seconds, and 76 per cent when taken within 30 seconds, dropping to 62 per cent after 60 seconds.

“Access to thermal imaging cameras is more affordable than ever – they can be found for less than £200 – and machine learning is becoming increasingly accessible too,” says Dr Khamis, of the University of Glasgow’s School of Computing Science. “That makes it very likely that people around the world are developing systems along similar lines to ThermoSecure in order to steal passwords. It’s important that computer security research keeps pace with these developments to find new ways to mitigate risk, and we will continue to develop our technology to try to stay one step ahead of attackers.”

The team says policymakers will be compelled to take action, with one possible measure being the introduction of regulations linked to the sale of thermal cameras and the security included in corresponding software.

Fingerprints and faces can help in the fight against fraud

The ThermoSecure team also offers suggestions for computer and smartphone users to help protect against thermal attacks. “Longer passwords are more difficult for ThermoSecure to guess accurately, so we would advise using long passphrases wherever possible,” says Dr Khamis. “Longer passphrases take longer to type, which also makes it more difficult to get an accurate reading on a thermal camera, particularly if the user is a touch typist.”

Users can also help secure devices using alternative authentication methods, including fingerprint or facial recognition. “In my team, we have previously proposed authentication schemes that rely on eye movements for password entry,” explains Dr Khamis. “Gaze-based authentication is resistant to thermal attacks by design.”

The research was supported by funding from the Royal Society of Edinburgh, the Engineering and Physical Sciences Research Council (EPSRC), and the PETRAS National Centre of Excellence for IoT Systems Cybersecurity which is also funded by the EPSRC, as well as by a studentship sponsored by Taif University and the Royal Embassy of Saudi Arabia Cultural Bureau in London.

