homehome Home chatchat Notifications


An AI capable of 'thermal attacks' just proved that no password is safe

Scientists created an AI password thief to show that we need better safety measures than passwords and PIN.

Rupendra Brahambhatt
October 13, 2022 @ 5:17 pm

share Share

Every time you enter an input on your keyboard or mobile screen, your fingers leave heat signatures. This is a normal physical phenomenon that happens because your body is hotter than the device and it transfers a small amount of heat whenever you press a button or a screen. The problem is that this heat can be detected — and it can be used to crack passwords.

Researchers at the University of Glasgow have developed an AI-driven system called ThermoSecure that shows that a person’s heat signatures can be used by thermal attackers to steal sensitive information such as passwords or PIN codes.

A PIN-protected iPhone. Image credits: Yura Fresh/Unsplash

In a thermal attack, the attacker uses a thermal camera to record a thermal image of the surface of a phone’s touchscreen, a keyboard, or a keypad after the user inputs a password or PIN. The thermal camera will reveal heat traces that indicate which keys the victim has used to enter the PIN or password. Explaining the process, one of the authors and associate professor at the University of Glasgow, Dr. Mohamed Khamis told ZME Science:

“The heat traces of the most recently touched key will be the warmest because heat traces typically decay over time – this phenomenon allows the attacker to determine the order of entry. An attacker can perform such an attack by visually inspecting the thermal image. However, an AI-driven approach like ThermoSecure could allow the attacker to determine the input long after it has been provided and with very high accuracy.” 

Anyone with an AI-enabled thermal camera can crack your password

ThermoSecure is essentially an AI-driven system that analyses thermal images of aesthetic keyboards and infers the user input on that keyboard. It uses machine learning to determine the pressed keys and to estimate the order in which the keys were pressed. The researchers claim that by using ThermoSecure, even a non-expert person can figure out the password of a user within 30 to 60 seconds of it being entered or typed on a device.

Dr. Khamis and his colleagues performed some interesting experiments with ThermoSecure to demonstrate the capabilities of AI-based thermal attacking systems. They captured about 1,500  thermal images of a keyboard from multiple angles and developed a machine-learning-based model to examine the images.

After the thermal camera shows what keys were pressed, the AI model then uses a probability-based approach on the QWERTY keyboard and guesses the key combinations (passwords) that were previously typed on it.  

Dr. Khamis showing the heat signatures on a keyboard. Image credits: University of Glasgow

The researchers tested ThermoSecure for thermal images taken on different time durations i.e. within 20 seconds, 30 seconds, and 60 seconds after entries were made on the keyboard. The system was able to figure out 62% and 76% of the passwords entered within 60 seconds and 30 seconds respectively. For images that fell in the 20-second category, it was able to retrieve passwords with a staggering 86% accuracy (67% accuracy for passwords consisting of 16 digits). 

The researchers wrote in the paper, “Our first study shows that ThermoSecure successfully attacks 6-symbol, 8-symbol, 12-symbol, and 16-symbol passwords with an average accuracy of 92%, 80%, 71%, and 55% respectively, and even higher accuracy when thermal images are taken within 30 seconds.”  

They also observed that the typing behavior of users also plays an important role in deciding how vulnerable they are to thermal attacks. For instance, during the study, the researchers found that the success rate of thermal attacks that take place within 30 seconds of input is only 83% for fast typists. Whereas for slow or hunt and peck typists, it is 92%. 

There is an urgent need for better security measures

Today, thermal cameras are more affordable and accessible than ever. Some years back it would have cost several thousand to purchase a thermal camera but now you can get a smartphone add-on thermal camera for under $200. Plus, there are numerous resources available on the internet using which a person can learn how machine learning works. Basically, the more technology becomes affordable, the more attacks like this one are becoming more plausible. 

Image credits: Rahul Pandit/Pexels

Researchers are understandably concerned that anyone with the right knowledge and tools but the wrong intentions can also develop a password-stealing technology like ThermoSecure. The experiments conducted by the researchers strongly highlight the need for technologies safer than PINs and passwords. It also sheds light on the importance of cybersecurity research because only if we already know what the attackers are going to do next, we could stay ahead of them.  

For instance, after analyzing the dangers of AI-thermal attacks using ThermoSecure, Dr. Khamis and his team also developed a countermeasure system that is capable of detecting keyboards, keypads, and touchscreens in the view of the thermal camera, and obfuscates them, creating an extra layer of security. This prevents the users of thermal cameras from using them to perform thermal attacks, similar to how printers prevent their users from printing money.

“We want to spread further awareness about the solutions we are developing and try to convince thermal camera manufacturers to integrate software to prevent the misuse of their technology. We will continue to develop countermeasures (but) we also need support from policymakers and the cooperation of thermal camera manufacturers if we want preventative measures deployed into every thermal camera sold in the UK,” said Dr. Khamis.

The study is published in the journal ACM Transactions on Privacy and Security.

share Share

A Simple Heat Hack Could Revolutionize How We Produce Yogurt

In principle, the method could be deployed tomorrow, researchers say.

Scientists Create a ‘Smart Sponge’ That Knows When to Heal and When to Fight Inflammation

This hydrogel could help millions of people lead a better life.

The Race to the Bottom: Japan Is Set to Start Testing Deep-Sea Mining

There's a big hidden cost to this practice.

Japan Just Smashed the Internet Speed World Record and It's Much Faster Than You Think

Researchers transmitted 127,500 GB every second — over the distance from Chicago to Dallas.

Can You Tell Which Knot Is Strongest? Most People Fail This Surprisingly Tough Challenge

Knots are a test of physical intuition and most of us are failing hard.

Scientists Call for a Global Pause on Creating “Mirror Life” Before It’s Too Late: “The threat we’re talking about is unprecedented”

Creating synthetic lifeforms is almost here, and the consequences could be devastating.

For the First Time Ever We Can See Planets Starting to Form Around a Star

JWST and ALMA peered through a natural opening in the star’s surrounding cloud to catch the action up close.

Low testosterone isn't killing your libido. Sugar is

Small increases in blood sugar can affect sperm and sex, even without diabetes

There might be an anti-aging secret hiding in magic mushrooms

Psilocybin extends cell life, and preserves aging DNA structures.

Not Just Hunters: Wooden Tools Unearth the Sophisticated, Plant-Eating World of Early Humans

What if the Stone Age wasn't really about stone?