homehome Home chatchat Notifications


An AI capable of 'thermal attacks' just proved that no password is safe

Scientists created an AI password thief to show that we need better safety measures than passwords and PIN.

Rupendra Brahambhatt
October 13, 2022 @ 5:17 pm

share Share

Every time you enter an input on your keyboard or mobile screen, your fingers leave heat signatures. This is a normal physical phenomenon that happens because your body is hotter than the device and it transfers a small amount of heat whenever you press a button or a screen. The problem is that this heat can be detected — and it can be used to crack passwords.

Researchers at the University of Glasgow have developed an AI-driven system called ThermoSecure that shows that a person’s heat signatures can be used by thermal attackers to steal sensitive information such as passwords or PIN codes.

A PIN-protected iPhone. Image credits: Yura Fresh/Unsplash

In a thermal attack, the attacker uses a thermal camera to record a thermal image of the surface of a phone’s touchscreen, a keyboard, or a keypad after the user inputs a password or PIN. The thermal camera will reveal heat traces that indicate which keys the victim has used to enter the PIN or password. Explaining the process, one of the authors and associate professor at the University of Glasgow, Dr. Mohamed Khamis told ZME Science:

“The heat traces of the most recently touched key will be the warmest because heat traces typically decay over time – this phenomenon allows the attacker to determine the order of entry. An attacker can perform such an attack by visually inspecting the thermal image. However, an AI-driven approach like ThermoSecure could allow the attacker to determine the input long after it has been provided and with very high accuracy.” 

Anyone with an AI-enabled thermal camera can crack your password

ThermoSecure is essentially an AI-driven system that analyses thermal images of aesthetic keyboards and infers the user input on that keyboard. It uses machine learning to determine the pressed keys and to estimate the order in which the keys were pressed. The researchers claim that by using ThermoSecure, even a non-expert person can figure out the password of a user within 30 to 60 seconds of it being entered or typed on a device.

Dr. Khamis and his colleagues performed some interesting experiments with ThermoSecure to demonstrate the capabilities of AI-based thermal attacking systems. They captured about 1,500  thermal images of a keyboard from multiple angles and developed a machine-learning-based model to examine the images.

After the thermal camera shows what keys were pressed, the AI model then uses a probability-based approach on the QWERTY keyboard and guesses the key combinations (passwords) that were previously typed on it.  

Dr. Khamis showing the heat signatures on a keyboard. Image credits: University of Glasgow

The researchers tested ThermoSecure for thermal images taken on different time durations i.e. within 20 seconds, 30 seconds, and 60 seconds after entries were made on the keyboard. The system was able to figure out 62% and 76% of the passwords entered within 60 seconds and 30 seconds respectively. For images that fell in the 20-second category, it was able to retrieve passwords with a staggering 86% accuracy (67% accuracy for passwords consisting of 16 digits). 

The researchers wrote in the paper, “Our first study shows that ThermoSecure successfully attacks 6-symbol, 8-symbol, 12-symbol, and 16-symbol passwords with an average accuracy of 92%, 80%, 71%, and 55% respectively, and even higher accuracy when thermal images are taken within 30 seconds.”  

They also observed that the typing behavior of users also plays an important role in deciding how vulnerable they are to thermal attacks. For instance, during the study, the researchers found that the success rate of thermal attacks that take place within 30 seconds of input is only 83% for fast typists. Whereas for slow or hunt and peck typists, it is 92%. 

There is an urgent need for better security measures

Today, thermal cameras are more affordable and accessible than ever. Some years back it would have cost several thousand to purchase a thermal camera but now you can get a smartphone add-on thermal camera for under $200. Plus, there are numerous resources available on the internet using which a person can learn how machine learning works. Basically, the more technology becomes affordable, the more attacks like this one are becoming more plausible. 

Image credits: Rahul Pandit/Pexels

Researchers are understandably concerned that anyone with the right knowledge and tools but the wrong intentions can also develop a password-stealing technology like ThermoSecure. The experiments conducted by the researchers strongly highlight the need for technologies safer than PINs and passwords. It also sheds light on the importance of cybersecurity research because only if we already know what the attackers are going to do next, we could stay ahead of them.  

For instance, after analyzing the dangers of AI-thermal attacks using ThermoSecure, Dr. Khamis and his team also developed a countermeasure system that is capable of detecting keyboards, keypads, and touchscreens in the view of the thermal camera, and obfuscates them, creating an extra layer of security. This prevents the users of thermal cameras from using them to perform thermal attacks, similar to how printers prevent their users from printing money.

“We want to spread further awareness about the solutions we are developing and try to convince thermal camera manufacturers to integrate software to prevent the misuse of their technology. We will continue to develop countermeasures (but) we also need support from policymakers and the cooperation of thermal camera manufacturers if we want preventative measures deployed into every thermal camera sold in the UK,” said Dr. Khamis.

The study is published in the journal ACM Transactions on Privacy and Security.

share Share

Tennis May Add Nearly 10 Years to Your Life and Most People Are Ignoring It

Could a weekly match on the court be the secret to a longer, healthier life?

Humans Have Been Reshaping Earth with Fire for at Least 50,000 Years

Fossil charcoal reveals early humans’ growing impact on the carbon cycle before the Ice Age.

The Strangest Microbe Ever Found Straddles The Line Between Life and Non-Life

A newly discovered archaeon blurs the boundary between cells and viruses.

This $8750 Watch Was Designed for Space and Could Finally Replace Apollo-era Omega Watches

An audacious new timepiece dares to outshine Omega’s legacy in space

The Brain May Make New Neurons in Adulthood and Even Old Age

Researchers identify the birthplace of new brain cells well into late adulthood.

Your gut has a secret weapon against 'forever chemicals': microbes

Our bodies have some surprising allies sometimes.

High IQ People Are Strikingly Better at Forecasting the Future

New study shows intelligence shapes our ability to forecast life events accurately.

Newborns Feel Pain Long Before They Can Understand It

Tiny brains register pain early, but lack the networks to interpret or respond to it

Cheese Before Bed Might Actually Be Giving You Nightmares

Eating dairy or sweets late at night may fuel disturbing dreams, new study finds.

Scientists Ranked the Most Hydrating Drinks and Water Didn't Win

Milk is more hydrating than water. Here's why.