Computer security experts have developed a system capable of guessing computer and smartphone passwords in seconds by analysing the traces of heat that users' fingertips leave on keyboards and screens.
University of Glasgow researchers developed the system, called ThermoSecure, to show how falling prices of thermal imaging cameras and rising access to machine learning are creating new risks for “thermal attacks”.
Thermal attacks can occur after users type their passcode on a computer keyboard, smartphone screen or ATM keypad before leaving the device unguarded. A passerby equipped with a thermal camera can take a picture that reveals the heat signature of where their fingers touched the device.
The brighter an area appears in the thermal image, the more recently it was touched.
By measuring the relative intensity of the warmer areas, it is possible to determine the specific letters, numbers or symbols that make up the password and estimate the order in which they were used. From there, attackers can try different combinations to crack users’ passwords.
Previous research by Dr Mohamed Khamis, who led the development of ThermoSecure, showed non-experts can guess passwords by looking carefully at thermal images taken between 30 and 60 seconds after surfaces were touched.
In a paper published in the journal ACM Transactions on Privacy and Security, Khamis and the authoring team, Norah Alotaibi and Dr John Williamson, explain how they took 1500 thermal photos of recently-used QWERTY keyboards from different angles.
They then trained an artificial intelligence model to effectively read the images and make informed guesses about the passwords from the heat signature clues using a probabilistic model.
Through two user studies, they found ThermoSecure was capable of revealing 86% of passwords when thermal images were taken within 20 seconds, and 76% when within 30 seconds, dropping to 62% after 60 seconds of entry.
They also found that within 20 seconds, ThermoSecure was capable of successfully attacking even long passwords of 16 characters.
Khamis, of the university’s School of Computing Science, said: “They say you need to think like a thief to catch a thief. We developed ThermoSecure by thinking carefully about how malicious actors might exploit thermal images to break into computers and smartphones.
“Access to thermal imaging cameras is more affordable than ever – they can be found for less than £200 – and machine learning is becoming increasingly accessible too. That makes it very likely people around the world are developing systems along similar lines to ThermoSecure to steal passwords.”