homehome Home chatchat Notifications


An AI capable of 'thermal attacks' just proved that no password is safe

Scientists created an AI password thief to show that we need better safety measures than passwords and PIN.

Rupendra Brahambhatt
October 13, 2022 @ 5:17 pm

share Share

Every time you enter an input on your keyboard or mobile screen, your fingers leave heat signatures. This is a normal physical phenomenon that happens because your body is hotter than the device and it transfers a small amount of heat whenever you press a button or a screen. The problem is that this heat can be detected — and it can be used to crack passwords.

Researchers at the University of Glasgow have developed an AI-driven system called ThermoSecure that shows that a person’s heat signatures can be used by thermal attackers to steal sensitive information such as passwords or PIN codes.

A PIN-protected iPhone. Image credits: Yura Fresh/Unsplash

In a thermal attack, the attacker uses a thermal camera to record a thermal image of the surface of a phone’s touchscreen, a keyboard, or a keypad after the user inputs a password or PIN. The thermal camera will reveal heat traces that indicate which keys the victim has used to enter the PIN or password. Explaining the process, one of the authors and associate professor at the University of Glasgow, Dr. Mohamed Khamis told ZME Science:

“The heat traces of the most recently touched key will be the warmest because heat traces typically decay over time – this phenomenon allows the attacker to determine the order of entry. An attacker can perform such an attack by visually inspecting the thermal image. However, an AI-driven approach like ThermoSecure could allow the attacker to determine the input long after it has been provided and with very high accuracy.” 

Anyone with an AI-enabled thermal camera can crack your password

ThermoSecure is essentially an AI-driven system that analyses thermal images of aesthetic keyboards and infers the user input on that keyboard. It uses machine learning to determine the pressed keys and to estimate the order in which the keys were pressed. The researchers claim that by using ThermoSecure, even a non-expert person can figure out the password of a user within 30 to 60 seconds of it being entered or typed on a device.

Dr. Khamis and his colleagues performed some interesting experiments with ThermoSecure to demonstrate the capabilities of AI-based thermal attacking systems. They captured about 1,500  thermal images of a keyboard from multiple angles and developed a machine-learning-based model to examine the images.

After the thermal camera shows what keys were pressed, the AI model then uses a probability-based approach on the QWERTY keyboard and guesses the key combinations (passwords) that were previously typed on it.  

Dr. Khamis showing the heat signatures on a keyboard. Image credits: University of Glasgow

The researchers tested ThermoSecure for thermal images taken on different time durations i.e. within 20 seconds, 30 seconds, and 60 seconds after entries were made on the keyboard. The system was able to figure out 62% and 76% of the passwords entered within 60 seconds and 30 seconds respectively. For images that fell in the 20-second category, it was able to retrieve passwords with a staggering 86% accuracy (67% accuracy for passwords consisting of 16 digits). 

The researchers wrote in the paper, “Our first study shows that ThermoSecure successfully attacks 6-symbol, 8-symbol, 12-symbol, and 16-symbol passwords with an average accuracy of 92%, 80%, 71%, and 55% respectively, and even higher accuracy when thermal images are taken within 30 seconds.”  

They also observed that the typing behavior of users also plays an important role in deciding how vulnerable they are to thermal attacks. For instance, during the study, the researchers found that the success rate of thermal attacks that take place within 30 seconds of input is only 83% for fast typists. Whereas for slow or hunt and peck typists, it is 92%. 

There is an urgent need for better security measures

Today, thermal cameras are more affordable and accessible than ever. Some years back it would have cost several thousand to purchase a thermal camera but now you can get a smartphone add-on thermal camera for under $200. Plus, there are numerous resources available on the internet using which a person can learn how machine learning works. Basically, the more technology becomes affordable, the more attacks like this one are becoming more plausible. 

Image credits: Rahul Pandit/Pexels

Researchers are understandably concerned that anyone with the right knowledge and tools but the wrong intentions can also develop a password-stealing technology like ThermoSecure. The experiments conducted by the researchers strongly highlight the need for technologies safer than PINs and passwords. It also sheds light on the importance of cybersecurity research because only if we already know what the attackers are going to do next, we could stay ahead of them.  

For instance, after analyzing the dangers of AI-thermal attacks using ThermoSecure, Dr. Khamis and his team also developed a countermeasure system that is capable of detecting keyboards, keypads, and touchscreens in the view of the thermal camera, and obfuscates them, creating an extra layer of security. This prevents the users of thermal cameras from using them to perform thermal attacks, similar to how printers prevent their users from printing money.

“We want to spread further awareness about the solutions we are developing and try to convince thermal camera manufacturers to integrate software to prevent the misuse of their technology. We will continue to develop countermeasures (but) we also need support from policymakers and the cooperation of thermal camera manufacturers if we want preventative measures deployed into every thermal camera sold in the UK,” said Dr. Khamis.

The study is published in the journal ACM Transactions on Privacy and Security.

share Share

This 5,500-year-old Kish tablet is the oldest written document

Beer, goats, and grains: here's what the oldest document reveals.

A Huge, Lazy Black Hole Is Redefining the Early Universe

Astronomers using the James Webb Space Telescope have discovered a massive, dormant black hole from just 800 million years after the Big Bang.

Did Columbus Bring Syphilis to Europe? Ancient DNA Suggests So

A new study pinpoints the origin of the STD to South America.

The Magnetic North Pole Has Shifted Again. Here’s Why It Matters

The magnetic North pole is now closer to Siberia than it is to Canada, and scientists aren't sure why.

For better or worse, machine learning is shaping biology research

Machine learning tools can increase the pace of biology research and open the door to new research questions, but the benefits don’t come without risks.

This Babylonian Student's 4,000-Year-Old Math Blunder Is Still Relatable Today

More than memorializing a math mistake, stone tablets show just how advanced the Babylonians were in their time.

Sixty Years Ago, We Nearly Wiped Out Bed Bugs. Then, They Started Changing

Driven to the brink of extinction, bed bugs adapted—and now pesticides are almost useless against them.

LG’s $60,000 Transparent TV Is So Luxe It’s Practically Invisible

This TV screen vanishes at the push of a button.

Couple Finds Giant Teeth in Backyard Belonging to 13,000-year-old Mastodon

A New York couple stumble upon an ancient mastodon fossil beneath their lawn.

Worms and Dogs Thrive in Chernobyl’s Radioactive Zone — and Scientists are Intrigued

In the Chernobyl Exclusion Zone, worms show no genetic damage despite living in highly radioactive soil, and free-ranging dogs persist despite contamination.