A password may not be enough to protect a device from hackers. A new study has revealed how criminals can use thermal cameras to retrace the password an individual has typed into a smartphone, computer keyboard, or even an ATM.
Researchers from the University of Glasgow have shown how heat-detecting cameras can help crack passwords up to a minute after typing them. They published their findings in the journal ACM Transactions on Privacy and Security last month.
In the study, the computer scientists developed an artificial intelligence (AI) system called ThermoSecure that could retrace recently-typed passwords from the heat of a person’s fingertips. The thermal camera’s images of keyboards and screens can be analyzed by AI to correctly guess computer passwords in seconds.
Some 86 percent of passwords were cracked when thermal images were taken within 20 seconds of typing in the secret code and put through their ThermoSecure system, and 76 percent when within 30 seconds. Success dropped to 62 percent after 60 seconds of entry.
The scientists also found that within 20 seconds the system was capable of successfully attacking even long passwords of 16 characters, with a rate of up to 67 percent correct attempts.
As passwords grew shorter, success rates increased. Twelve-symbol passwords were guessed up to 82 percent of the time, eight-symbol passwords up to 93 percent of the time, and attacks on six-symbol passwords succeeded in 100 percent of attempts.
With thermal imaging cameras costing less than $220 and AI becoming increasingly accessible, the researchers warned that criminals would likely exploit thermal images to break into computers and smartphones.
“Access to thermal-imaging cameras is more affordable than ever — they can be found for less than £200 ($220) — and machine learning is becoming increasingly accessible, too. That makes it very likely that people around the world are developing systems along similar lines to ThermoSecure in order to steal passwords,” explains Dr Mohamed Khamis, who led the study with Norah Alotaibi and John Williamson.
Thermal attacks can happen after an individual types out their password or passcode on a computer keyboard or smartphone screen, or after keying in their PIN at a cash point.
A thief could then use a thermal camera to take a picture and record the heat signature of where the individual touched the device. In the images captured by the heat-detecting cameras, areas appear brighter the more recently they were touched.
The warmer the area is, the more recently it was touched, allowing criminals to determine the possible order in which keys were used to try different combinations to crack the password.
By measuring the relative intensity of the warmer areas, the researchers found, it was possible to determine the specific letters, numbers and symbols that make up the password and estimate the order in which they were used.
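To see why the recovery rates above fall as the capture is delayed, here is an added toy model (not code from the study or the ThermoSecure system): each keypress leaves heat that cools exponentially with an assumed time constant `tau`, the camera reading adds assumed Gaussian sensor noise, and the key order is estimated purely by ranking keys from coldest to warmest, as the article describes. All parameter values are constructed for illustration, not measurements.

```python
import math
import random

# Constructed toy model of the principle the article describes: every keypress
# leaves heat that decays over time, and warmth ranking gives the typing order.
# tau (seconds) stands in for how long a key material retains heat; noise_sd
# stands in for sensor noise plus background heat (e.g. a backlit keyboard).
# Both are illustrative assumptions, not values from the study.

def residual_heat(press_times, capture_time, tau):
    """Heat above ambient left by each keypress at capture_time (exponential cooling)."""
    return [math.exp(-(capture_time - t) / tau) for t in press_times]

def thermal_reading(press_times, capture_time, tau, noise_sd, rng):
    """Simulated camera reading: true residual heat plus Gaussian sensor noise."""
    return [h + rng.gauss(0.0, noise_sd)
            for h in residual_heat(press_times, capture_time, tau)]

def recover_order(readings):
    """Rank keys coldest-to-warmest; the warmest key is taken as the most recent press."""
    return sorted(range(len(readings)), key=lambda k: readings[k])

def order_recovery_rate(n_keys, interval, capture_delay, tau, noise_sd,
                        trials=200, seed=0):
    """Fraction of trials in which warmth ranking reproduces the true typing order."""
    rng = random.Random(seed)
    press_times = [i * interval for i in range(n_keys)]  # key i is the i-th press
    capture_time = press_times[-1] + capture_delay
    hits = 0
    for _ in range(trials):
        readings = thermal_reading(press_times, capture_time, tau, noise_sd, rng)
        if recover_order(readings) == list(range(n_keys)):
            hits += 1
    return hits / trials

if __name__ == "__main__":
    # Six keys typed one second apart; capture delays mirror the article's 20/30/60 s.
    for delay in (0, 20, 30, 60):
        rate = order_recovery_rate(6, 1.0, delay, tau=20.0, noise_sd=0.01)
        print(f"capture {delay:>2}s after last key: full order recovered in {rate:.0%} of trials")
```

Shortening `tau` (a plastic that sheds heat faster) or raising `noise_sd` (more background heat) drives the recovery rate down in the same way a longer delay does, which is the mechanism behind the material and backlight advice later in the article.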
“It’s important that computer security research keeps pace with these developments to find new ways to mitigate risk, and we will continue to develop our technology to try to stay one step ahead of attackers,” explains Khamis.
Dr Khamis says longer passwords should be used wherever possible, since they are more difficult to guess accurately. Meanwhile, the material a keyboard is made from affects how much heat it absorbs, with some plastics much more likely to retain a heat pattern than others.
“Backlit keyboards also produce more heat, making accurate thermal readings more challenging, so a backlit keyboard with PBT plastics could be inherently more secure,” he adds. “Finally, users can help make their devices and keyboards more secure by adopting alternative authentication methods, like fingerprint or facial recognition, which mitigate many of the risks of thermal attack.”