Every time you enter an input on your keyboard or mobile screen, your fingers leave heat signatures. This is a normal physical phenomenon that happens because your body is hotter than the device and it transfers a small amount of heat whenever you press a button or a screen. The problem is that this heat can be detected — and it can be used to crack passwords.

Researchers at the University of Glasgow have developed an AI-driven system called ThermoSecure that shows that a person’s heat signatures can be used by thermal attackers to steal sensitive information such as passwords or PIN codes.

In a thermal attack, the attacker uses a thermal camera to record a thermal image of the surface of a phone’s touchscreen, a keyboard, or a keypad after the user inputs a password or PIN. The thermal camera will reveal heat traces that indicate which keys the victim has used to enter the PIN or password. Explaining the process, one of the authors and associate professor at the University of Glasgow, Dr. Mohamed Khamis told ZME Science:

“The heat traces of the most recently touched key will be the warmest because heat traces typically decay over time – this phenomenon allows the attacker to determine the order of entry. An attacker can perform such an attack by visually inspecting the thermal image. However, an AI-driven approach like ThermoSecure could allow the attacker to determine the input long after it has been provided and with very high accuracy.” 

Anyone with an AI-enabled thermal camera can crack your password

ThermoSecure is essentially an AI-driven system that analyses thermal images of aesthetic keyboards and infers the user input on that keyboard. It uses machine learning to determine the pressed keys and to estimate the order in which the keys were pressed. The researchers claim that by using ThermoSecure, even a non-expert person can figure out the password of a user within 30 to 60 seconds of it being entered or typed on a device.

Dr. Khamis and his colleagues performed some interesting experiments with ThermoSecure to demonstrate the capabilities of AI-based thermal attacking systems. They captured about 1,500  thermal images of a keyboard from multiple angles and developed a machine-learning-based model to examine the images.

After the thermal camera shows what keys were pressed, the AI model then uses a probability-based approach on the QWERTY keyboard and guesses the key combinations (passwords) that were previously typed on it.  

The researchers tested ThermoSecure for thermal images taken on different time durations i.e. within 20 seconds, 30 seconds, and 60 seconds after entries were made on the keyboard. The system was able to figure out 62% and 76% of the passwords entered within 60 seconds and 30 seconds respectively. For images that fell in the 20-second category, it was able to retrieve passwords with a staggering 86% accuracy (67% accuracy for passwords consisting of 16 digits). 

The researchers wrote in the paper, “Our first study shows that ThermoSecure successfully attacks 6-symbol, 8-symbol, 12-symbol, and 16-symbol passwords with an average accuracy of 92%, 80%, 71%, and 55% respectively, and even higher accuracy when thermal images are taken within 30 seconds.”  

They also observed that the typing behavior of users also plays an important role in deciding how vulnerable they are to thermal attacks. For instance, during the study, the researchers found that the success rate of thermal attacks that take place within 30 seconds of input is only 83% for fast typists. Whereas for slow or hunt and peck typists, it is 92%. 

There is an urgent need for better security measures

Today, thermal cameras are more affordable and accessible than ever. Some years back it would have cost several thousand to purchase a thermal camera but now you can get a smartphone add-on thermal camera for under $200. Plus, there are numerous resources available on the internet using which a person can learn how machine learning works. Basically, the more technology becomes affordable, the more attacks like this one are becoming more plausible. 

Researchers are understandably concerned that anyone with the right knowledge and tools but the wrong intentions can also develop a password-stealing technology like ThermoSecure. The experiments conducted by the researchers strongly highlight the need for technologies safer than PINs and passwords. It also sheds light on the importance of cybersecurity research because only if we already know what the attackers are going to do next, we could stay ahead of them.  

For instance, after analyzing the dangers of AI-thermal attacks using ThermoSecure, Dr. Khamis and his team also developed a countermeasure system that is capable of detecting keyboards, keypads, and touchscreens in the view of the thermal camera, and obfuscates them, creating an extra layer of security. This prevents the users of thermal cameras from using them to perform thermal attacks, similar to how printers prevent their users from printing money.

“We want to spread further awareness about the solutions we are developing and try to convince thermal camera manufacturers to integrate software to prevent the misuse of their technology. We will continue to develop countermeasures (but) we also need support from policymakers and the cooperation of thermal camera manufacturers if we want preventative measures deployed into every thermal camera sold in the UK,” said Dr. Khamis.

The study is published in the journal ACM Transactions on Privacy and Security.