Computer security experts have developed a system capable of guessing computer and smartphone users’ passwords by analysing the traces of heat their fingertips leave on keyboards and screens.
Researchers from the University of Glasgow developed the system, called ThermoSecure, to demonstrate how falling prices of thermal imaging cameras and rising access to machine learning are creating new risks for ‘thermal attacks’.
Thermal attacks can occur after users type their passcode on a computer keyboard, smartphone screen or ATM keypad before leaving the device unguarded. A passer-by equipped with a thermal camera can take a picture that reveals the heat signature of where their fingers have touched the device. By measuring the relative intensity of the warmer areas, it is possible to determine the specific letters, numbers or symbols that make up the password and estimate the order in which they were used.
Research by from University of Glasgow’s , who led the development of ThermoSecure, demonstrated that non-experts can successfully guess passwords simply by looking carefully at thermal images taken between 30 and 60 seconds after surfaces were touched.
Through user studies, it was found that ThermoSecure was capable of revealing 86% of passwords when thermal images are taken within 20 seconds, and 76% within 30 seconds, dropping to 62% after 60 seconds of entry. Within 20 seconds, ThermoSecure was capable of successfully attacking even long passwords of 16 characters, with a rate of up to 67% correct attempts. As passwords grew shorter, success rates increased – 12-symbol passwords were guessed up to 82% of the time, eight-symbol passwords up to 93% and six-symbol passwords were successful in up to 100% of attempts.
“They say you need to think like a thief to catch a thief. We developed ThermoSecure by thinking carefully about how malicious actors might exploit thermal images to break into computers and smartphones”, explains Dr Khamis. “Access to thermal imaging cameras is more affordable than ever – they can be found for less than £200 – and machine learning is becoming increasingly accessible too.
“We’re also keen to highlight to policymakers the risks that these kinds of thermal attacks pose for computer security. One potential risk-reduction pathway could be to make it illegal to sell thermal cameras without enhanced security included in their software. We are currently developing an AI-driven countermeasure system that could help address this issue.”
The researchers also looked at additional variables which made it easier for ThermoSecure to guess passwords. One was the typing style of the keyboard users. ‘Hunt-and-peck’ keyboard users who type slowly tend to leave their fingers on the keys for longer, creating heat signatures that last longer than those of faster touch-typists.
Images taken within 30 seconds of the keyboard being touched allowed ThermoSecure to successfully guess hunt-and-peck typists’ passwords 92% of the time, but only 80% of the time for touch-typists.
Secondly, the type of material keyboards are made from can affect their ability to absorb heat, with implications for the effectiveness of thermal attacks. ThermoSecure could successfully guess passwords from the heat retained on keycaps made from ABS plastics around half of the time, but only 14% of the time on keys manufactured from PBT plastics.
Dr Khamis added: “Longer passwords are more difficult for ThermoSecure to guess accurately, so we would advise using long passphrases wherever possible. Longer passphrases take longer to type and make it more difficult to get an accurate reading on a thermal camera, particularly if the user is a touch typist.
“Finally, users can help make their devices and keyboards more secure by adopting alternative authentication methods, like fingerprint or facial recognition, which mitigate the risks of thermal attack. We have previously proposed authentication schemes that rely on eye movements for password entry; gaze-based authentication is resistant to thermal attacks by design.”
The paper, ‘’, is published in ACM Transactions on Privacy and Security.
The research was funded by the Royal Society of Edinburgh, the Engineering and Physical Sciences Research Council, and the PETRAS National Centre of Excellence for IoT Systems Cybersecurity, as well as by a studentship sponsored by Taif University and the Royal Embassy of Saudi Arabia Cultural Bureau in London.