Scotland’s fortnightly political & current affairs magazine
by Ruaraidh Gilmour
16 August 2023
University of Glasgow researchers highlight danger of AI ‘thermal attacks’ revealing passwords

Dr Mohamed Khamis | University of Glasgow

Computer security experts from the University of Glasgow have developed a system capable of guessing computer and smartphone users’ passwords in seconds by analysing traces of heat left on keyboards and screens.  

The system, named ThermoSecure, was developed to demonstrate how the falling price of thermal imaging cameras and increased access to machine learning are creating a new potential cyber risk – thermal attacks.  

The researchers took 1,500 thermal images of recently used QWERTY keyboards from different angles. They trained an artificial intelligence model to effectively read the images and make informed guesses about the passwords from the heat signature clues using a probabilistic model.

Two user studies demonstrated ThermoSecure was capable of successfully attacking passwords of up to 16 characters with a 67 per cent success rate. Shorter passwords yielded higher success rates: 12-symbol passwords were guessed 82 per cent of the time, eight-symbol codes 93 per cent of the time, and six-digit ones 100 per cent of the time.

These types of attacks can occur after users type their password on a computer keyboard, smart device screen or ATM keypad before leaving the device unattended. An individual with a thermal camera can take a photo revealing the heat signature of where their fingers have touched.  

The brighter an area appears in the thermal image, the more recently it was touched. Measuring the relative intensity of the warmer areas makes it possible to determine specific letters, numbers, and symbols that comprise a password, as well as estimate the order.  

Previous research by Dr Mohamed Khamis, who led the development of ThermoSecure, has demonstrated that non-experts were able to successfully guess passwords by carefully looking at thermal images taken within 30-60 seconds of the password being entered.

Khamis said: “This is the first comprehensive literature review of security measures against thermal attacks, and our survey showed some interesting results. Intuitively, users suggested some strategies that weren’t in the literature, like waiting to use an ATM until their surroundings seemed safest. They were also keen on strategies that were already familiar, like two-factor authentication, because they were aware of their effectiveness.

“We also saw that they considered issues like hygiene, which made the strategy of breathing on devices to mask heat traces very unpopular, and privacy, which some users considered when thinking about additional security measures like face or fingerprint recognition.”

Prof Karola Marky, who was a postdoctoral researcher in Khamis’ team and is the corresponding author of the paper, said: “Users told us that they considered themselves at least partially responsible for their own security, so we advise that they pay close attention to their surroundings when entering sensitive data in public to make sure no-one is watching, or use a secure facility such as a bank. Where that’s not possible, we suggest resting palms on devices to obscure traces of heat, or wearing gloves or finger protection if they can.

“We’d also advise using multi-factor authentication wherever users are able because it protects against a range of different attacks including thermal attacks, and safeguard all authentication factors as much as possible.”

Khamis added: “Our final recommendation is to the manufacturers of thermal cameras, who could stop attacks by integrating new software locks to prevent thermal cameras from taking pictures of surfaces like PIN pads on bank machines.  

“We’re continuing to explore potential approaches to mitigating the risk of thermal attacks. Although we still don’t know how widespread these attacks on personal information are at the moment, it’s important that computer security researchers keep pace with the risks that thermal cameras could pose to users’ personal information, particularly since they are now so cheap and widely available.

“Ultimately, our advice to the public would be to try to find one strategy that suits their own personal habits and behaviours and to remember to use it as often as possible in their lives. Any action they can take regularly to help guard against thermal attacks will make it harder for others to gain access to their personal data.”
