New “thermal attacks” can crack device passwords in seconds

Machine learning and cheap thermal cameras can be used by criminals to spot heat signals and guess device passwords in less than a minute, say researchers

Security experts have developed a system that can crack passwords in seconds by tracking traces of heat left by fingers on keyboards and screens.

Researchers from the University of Glasgow developed ThermoSecure to illustrate how readily available and inexpensive thermal imaging cameras, combined with the increased availability of machine learning, have created new risks in the shape of so-called “thermal attacks”.

Thermal attacks can occur after users type their passcode on a computer keyboard, smartphone screen or ATM keypad and then leave the device unguarded, say researchers. A passerby with a thermal camera could see the heat signature indicating where fingers have touched the device.

By measuring the relative intensity of the warmer areas, it is possible to determine the specific letters, numbers or symbols that make up the password, explain researchers. Attackers can then try different combinations to crack the passwords.

The team’s paper, ThermoSecure: Investigating the Effectiveness of AI-driven Thermal Attacks on Commonly Used Computer Keyboards, was published in ACM Transactions on Privacy and Security.

AI models take 20 seconds to guess 86% of passwords

In a paper published in the journal ACM Transactions on Privacy and Security, project leader Dr Mohamed Khamis and fellow team members Norah Alotaibi and Dr John Williamson explain how they took 1,500 thermal photos of recently used QWERTY keyboards from different angles and then trained an artificial intelligence model to read the images and guess the passwords based on heat signature clues.

They found ThermoSecure could reveal 86 per cent of passwords when thermal images are taken within 20 seconds, and 76 per cent when taken within 30 seconds, dropping to 62 per cent after 60 seconds.

“Access to thermal imaging cameras is more affordable than ever – they can be found for less than £200 – and machine learning is becoming increasingly accessible too,” says Dr Khamis, of the University of Glasgow’s School of Computing Science. “That makes it very likely that people around the world are developing systems along similar lines to ThermoSecure in order to steal passwords. It’s important that computer security research keeps pace with these developments to find new ways to mitigate risk, and we will continue to develop our technology to try to stay one step ahead of attackers.”

The team says policymakers will be compelled to take action, with one possible measure being the introduction of regulations linked to the sale of thermal cameras and the security included in corresponding software.

Fingerprints and faces can help in the fight against fraud

The ThermoSecure team also offers suggestions for computer and smartphone users to help protect against thermal attacks. “Longer passwords are more difficult for ThermoSecure to guess accurately, so we would advise using long passphrases wherever possible,” says Dr Khamis. “Longer passphrases take longer to type, which also makes it more difficult to get an accurate reading on a thermal camera, particularly if the user is a touch typist.”

Users can also help secure devices using alternative authentication methods, including fingerprint or facial recognition. “In my team, we have previously proposed authentication schemes that rely on eye movements for password entry,” explains Dr Khamis. “Gaze-based authentication is resistant to thermal attacks by design.”

The research was supported by funding from the Royal Society of Edinburgh, the Engineering and Physical Sciences Research Council (EPSRC), and the PETRAS National Centre of Excellence for IoT Systems Cybersecurity, which is also funded by the EPSRC, as well as by a studentship sponsored by Taif University and the Royal Embassy of Saudi Arabia Cultural Bureau in London.
