Thermal attacks, which decipher people’s passwords by tracking the heat left by their fingertips on keyboards, could become more common, computer scientists warn.
Security researchers have demonstrated that computer and smartphone passwords can be cracked this way in seconds, using a system of their own design called ThermoSecure.
With thermal imaging cameras costing less than £200 and machine learning becoming more accessible, Dr Mohamed Khamis of the University of Glasgow’s School of Computing Science warned that “it is very likely that people all over the world will be developing systems along the lines of ThermoSecure with the aim of stealing passwords”.
Dr Khamis, who led the development, added: “It is important that computer security research keeps up with these developments to find new ways to mitigate the risks, and we will continue to develop our technology to try to stay one step ahead of attackers.”
A thermal attack becomes possible once an individual has entered a password or passcode on a computer keyboard or smartphone screen, or a PIN at a checkout terminal.
The thief then uses a thermal camera to image the device and record the heat signature where the individual touched it. The warmer an area, the more recently it was touched, so the thief can estimate the order in which the keys were pressed and try the resulting combinations to crack the password. The image alone gives only the set of touched keys and an approximate order; repeated keys leave a single hot spot, and the temperature differences between keys shrink as the trace cools, which is why the attack degrades with delay.
According to a paper published in the journal ACM Transactions on Privacy and Security, Dr Khamis and his team went further to train an artificial intelligence model to read thermal images and guess the password.
Findings show that ThermoSecure recovered 86 percent of passwords when thermal images were taken within 20 seconds of the person using the device, and 76 percent within 30 seconds.
The researchers also found that within 20 seconds, ThermoSecure can crack long 16-character passwords with a success rate of up to 67 percent. Shorter passwords were easier to guess accurately, with six-symbol passwords cracked up to 100 percent of the time.
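To make the mechanism described above concrete, here is an added example, written for this page and not code from the ThermoSecure authors, that simulates the heat-ordering inference behind a thermal attack and shows why the window in which it works is short. It models a keycap's excess temperature as decaying exponentially after a press (Newton cooling), builds a constructed thermal frame for a typed password, keeps only keys still warm enough to detect, ranks the rest coolest-first to recover the typing order, and expands any keys too close in temperature to order into the attacker's remaining candidate list. Ambient temperature, fingertip heating, the cooling time constant, the detection floor and the ordering threshold are all assumed constants chosen for illustration, not measured values from the paper.

```python
import math
from itertools import permutations

# All physical constants below are assumptions chosen for illustration,
# not values measured by the ThermoSecure authors.
AMBIENT_C = 22.0        # keycap temperature before anyone touches it
INITIAL_DELTA_C = 3.0   # how far a fingertip raises a keycap above ambient
TAU_S = 15.0            # time constant of the exponential cool-down
DETECT_DELTA_C = 0.3    # residual heat below this is lost in sensor noise
TIE_DELTA_C = 0.1       # two keys closer than this cannot be ordered reliably


def residual_heat(initial_delta_c, elapsed_s, tau_s=TAU_S):
    """Excess temperature left on a key `elapsed_s` seconds after it was pressed.

    Newton cooling: the excess over ambient decays exponentially, so the most
    recently pressed key is the warmest and older presses fade toward ambient.
    """
    return initial_delta_c * math.exp(-elapsed_s / tau_s)


def simulate_thermal_frame(keystrokes, typing_interval_s, delay_s):
    """Constructed thermal frame for a password typed one key per
    `typing_interval_s`, imaged `delay_s` seconds after the last keystroke.

    Returns {key: temperature_C}.  A key pressed twice leaves a single hot
    spot, so the frame keeps only the warmer (latest) press.
    """
    n = len(keystrokes)
    frame = {}
    for i, key in enumerate(keystrokes):
        age_s = (n - 1 - i) * typing_interval_s + delay_s
        temp_c = AMBIENT_C + residual_heat(INITIAL_DELTA_C, age_s)
        frame[key] = max(frame.get(key, AMBIENT_C), temp_c)
    return frame


def detect_touched_keys(frame):
    """Keys whose excess over ambient is still above the detection floor."""
    return {k: t - AMBIENT_C for k, t in frame.items()
            if t - AMBIENT_C >= DETECT_DELTA_C}


def infer_order(excess_by_key):
    """Rank touched keys coolest-first (earliest pressed first).

    Returns a list of groups; each group holds keys whose residual heat is
    too close to order, which is what happens once the trace has cooled.
    """
    ranked = sorted(excess_by_key.items(), key=lambda kv: kv[1])
    groups = []
    for key, heat in ranked:
        if groups and heat - groups[-1][-1][1] < TIE_DELTA_C:
            groups[-1].append((key, heat))
        else:
            groups.append([(key, heat)])
    return [[key for key, _ in group] for group in groups]


def candidate_passwords(groups):
    """Expand each ambiguous group into every ordering.  The candidate count is
    the product of the group sizes' factorials: the attacker's remaining guesses."""
    if not groups:
        return []
    candidates = [""]
    for group in groups:
        candidates = [prefix + "".join(perm)
                      for prefix in candidates
                      for perm in permutations(group)]
    return candidates


def attack(keystrokes, typing_interval_s, delay_s):
    """Run the whole pipeline on a constructed frame; returns candidate passwords."""
    frame = simulate_thermal_frame(keystrokes, typing_interval_s, delay_s)
    excess = detect_touched_keys(frame)
    return candidate_passwords(infer_order(excess))


if __name__ == "__main__":
    for delay_s in (0, 20, 45):
        cands = attack("qwerty", 1.0, delay_s)
        print(f"delay {delay_s:2d}s: {len(cands)} candidates, "
              f"correct included: {'qwerty' in cands}")
```

Under these assumptions an image taken immediately yields the single correct ordering; after 20 seconds all six keys are still visible but their temperatures have converged, leaving 720 orderings (still trivial to try for a six-symbol password, which mirrors the high success rate reported for short passwords); after 45 seconds nothing rises above the detection floor and the attack yields no candidates. The real system replaces the threshold rules with a trained model and real sensor noise, but the dependence on delay, password length and repeated keys is the same.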
Dr Khamis said he wanted to alert policymakers to the risks of thermal attacks and computer security.
“One possible way to reduce the risk could be to ban the sale of thermal imaging cameras without some sort of enhanced security built into their software. We are currently developing an AI-driven countermeasure system that could help solve this problem.”
He said: “Longer passwords are more difficult for ThermoSecure to guess accurately, so we recommend using long passphrases whenever possible. Longer passphrases take longer to type, which also makes it more difficult to get an accurate reading on the thermal imager, especially if the user is a touch typist. Backlit keyboards also produce more heat, making it difficult to accurately measure temperature, so a backlit keyboard with PBT plastics could be inherently safer.
“Finally, users can help increase the security of their devices and keyboards by adopting alternative authentication methods, such as fingerprint or facial recognition, which mitigate many of the risks of a thermal attack. In my team, we have previously designed authentication schemes that rely on eye movements for password input; gaze-based authentication is resistant to thermal attacks by design.”