A password may not be enough to protect a device from hackers. A new study has revealed how criminals can use thermal cameras to retrace the password an individual has typed into a smartphone, computer keyboard, or even an ATM.
Researchers from the University of Glasgow discovered that heat-detecting cameras are able to crack passwords within a matter of minutes after they have been entered. They published their findings in the journal ACM Transactions on Privacy and Security last month.
In the study, computer scientists created an artificial intelligence (AI) system called ThermoSecure that can recover recently typed passwords from the heat left behind. The thermal camera’s images of keyboards and screens can be analyzed by AI to correctly guess computer passwords in seconds.
Some 86 percent of passwords were cracked when thermal images were taken within 20 seconds of typing in the secret code and put through their ThermoSecure system, and 76 percent when within 30 seconds. Success dropped to 62 percent after 60 seconds of entry.
The scientists also found that within 20 seconds the system was capable of successfully attacking even long passwords of 16 characters, with a rate of up to 67 percent correct attempts. As password lengths got shorter, the success rate increased. Twelve-symbol passwords were guessed up to 82 percent of the time, eight-symbol passwords up to 93 percent of the time, and six-symbol passwords in 100 percent of attempts.
With thermal imaging cameras costing less than $220 and AI becoming increasingly accessible, the researchers warned that criminals would likely exploit thermal images to break into computers and smartphones.
“Access to thermal-imaging cameras is more affordable than ever — they can be found for less than £200 ($220) — and machine learning is becoming increasingly accessible, too. That makes it very likely that people around the world are developing systems along similar lines to ThermoSecure in order to steal passwords,” explains Dr Mohamed Khamis, who led the study with Norah Alotaibi and John Williamson.
Thermal attacks can happen after an individual types out their password or passcode on a computer keyboard or smartphone screen, or keys in their PIN at a cash point.
A thief could then use a thermal camera to take a picture and record the heat signature of where the individual touched the device. In the images the heat-detecting cameras capture, areas appear brighter the more recently they have been touched.
The warmer an area, the more recently it has been touched. This allows criminals to identify the order in which keys might have been used and so break the password.
By measuring the intensity of warmer regions, researchers were able to identify the letters and symbols in a password, and the order they were used.
“It is important that computer security research keep pace with new developments in order to reduce risk. We will continue to improve our technology to remain one step ahead of attackers,” says Khamis.
Dr Khamis recommends longer passwords whenever possible. He also suggests that those with more complex characters be avoided. The material used to make keyboards can have an impact on their heat absorption. Some plastics retain heat better than others.
Backlit keyboards produce heat, which makes accurate thermal readings difficult. A backlit keyboard made with PBT plastics may be more secure. “Finally, users can help make their devices and keyboards more secure by adopting alternative authentication methods, like fingerprint or facial recognition, which mitigate many of the risks of thermal attack.”