This “thermal attack” can read your password from the heat your fingers leave behind

A thermal image showing heat traces left by fingertips on a keyboard, which researchers believe could be used to crack passwords.

Image: University of Glasgow

Computer security researchers say they’ve developed an AI-driven system that can guess computer and smartphone passwords in seconds by examining the heat signatures that fingertips leave on keyboards and screens during data entry.

Researchers from the School of Computing Science at the University of Glasgow developed the system, called ThermoSecure, to show how the falling price of thermal imaging cameras and increasing access to machine learning and artificial intelligence (AI) algorithms create new opportunities for what they describe as thermal attacks.

By using a thermal camera to look at a computer keyboard, smartphone screen, or ATM keypad, it is possible to take a photo that reveals the recent heat signature of fingers touching the device.

The brighter the area appears on the thermal image, the more recently it has been touched, meaning the image can be used to crack a password or PIN by analyzing where the keyboard or screen was touched and when.

Previous research from the University of Glasgow into thermal attacks has suggested that humans without expertise can guess passwords by looking at thermal images, and now, with the addition of artificial intelligence, passwords could be cracked even faster by specialized attackers.

When ThermoSecure analyzed the images using AI, 86% of passwords were revealed when thermal images were taken within 20 seconds, 76% could be guessed using images taken within 30 seconds, and 62% could be discovered after 60 seconds.

The longer the password, the more difficult it was to reveal, but it was still possible in the majority of cases. ThermoSecure could crack two-thirds of passwords of up to 16 characters, and the shorter the password, the more successful the system was: 12-character passwords were guessed up to 82% of the time and eight-character passwords were guessed up to 93% of the time.

Passwords consisting of six characters or fewer were successfully cracked 100% of the time, which could make ATM PINs or shorter codes used to protect smartphones particularly vulnerable to attack.

Using this clever technique, a malicious attacker observing potential victims could take a thermal photo of a keyboard, smartphone, or ATM and use it to guess passwords. In some cases, they would also need to physically access the device themselves, but it’s also possible that the target leaves their computer unattended.

It’s also possible that an attacker already knows the username of their target’s online account – or that they could potentially use the thermal attack to find out as well.

The paper on ThermoSecure, authored by Dr Mohamed Khamis, Dr John Williamson and Norah Alotaibi from the University of Glasgow, was published in the hope that it shows the potential risk posed by thermal imaging attacks as the technology used to power them becomes cheaper and more widely available.

“Access to thermal imaging cameras is more affordable than ever – they can be found for less than £200 – and machine learning is also becoming increasingly accessible. This makes it very likely that people around the world will develop similar systems to ThermoSecure in order to steal passwords,” said Dr Mohamed Khamis, Reader in Computing at the University of Glasgow, who led the development of ThermoSecure.

“It’s important that computer security research keeps pace with these developments to find new ways to mitigate risk, and we will continue to develop our technology to try to stay one step ahead of attackers,” he added.

But while the research demonstrates some advanced techniques that could be used to crack passwords, users can protect their accounts by doing one relatively simple thing: using stronger passwords.

“Longer passphrases take longer to type, which also makes it more difficult to get an accurate reading on a thermal camera, especially if the user is a touch typist,” said Dr Khamis, who also suggested that biometric verification adds protection.

“Users can help make their devices and keyboards more secure by adopting alternative authentication methods, like fingerprints or facial recognition, that mitigate many thermal attack risks.”

