PETRAS academics from the PT.HEAT project have recently developed the ThermoSecure system, which can guess computer and smartphone passwords by analysing traces of heat left on keyboards and screens. This development, led by Dr Mohamed Khamis, University of Glasgow, demonstrates how falling prices of thermal imaging cameras and increasing access to machine learning are giving rise to a new class of cyber threat: ‘thermal attacks.’
The research team’s paper is titled ‘ThermoSecure: Investigating the effectiveness of AI-driven thermal attacks on commonly used computer keyboards’, and is published in ACM Transactions on Privacy and Security. In the paper, Dr Khamis and the authoring team, Ms Norah Alotaibi and Dr John Williamson, address the need to determine the effectiveness of thermal attacks based on the methods employed by the attackers and the users’ behaviour and input properties.
Dr Khamis said: “They say you need to think like a thief to catch a thief. We developed ThermoSecure by thinking carefully about how malicious actors might exploit thermal images to break into computers and smartphones.”
“Access to thermal imaging cameras is more affordable than ever – they can be found for less than £200 – and machine learning is becoming increasingly accessible too. That makes it very likely that people around the world are developing systems along similar lines to ThermoSecure in order to steal passwords. It’s important that computer security research keeps pace with these developments to find new ways to mitigate risk, and we will continue to develop our technology to try to stay one step ahead of attackers.
“We’re also keen to highlight to policymakers the risks that these kinds of thermal attacks pose for computer security. One potential risk-reduction pathway could be to make it illegal to sell thermal cameras without some kind of enhanced security included in their software. We are currently developing an AI-driven countermeasure system that could help address this issue.”
Thermal attacks can occur after a user has typed their passcode on a computer keyboard, smartphone screen or ATM keypad and left the device unguarded. An attacker can use a thermal camera to take a picture that reveals the “heat traces” and demonstrates where the user’s fingers have touched the device.
With the implementation of ThermoSecure, the team found that the system can reveal 86% of passwords within 20 seconds and 76% of them in 30 seconds, while there is a significant decrease in accuracy to 62% after 60 seconds have passed. According to the paper, users are more likely to avoid thermal attacks if they create longer passwords, type fast and use PBT keyboards instead of ABS ones.
Read the paper here.