Researchers Crack Passwords With Thermal Images

The researchers evaluate thermal images with artificial intelligence. This allows passwords to be cracked with a high degree of reliability within seconds. The method works with keyboards and screens and also with ATMs.

Security researchers have developed a system that uses artificial intelligence and thermal images to guess passwords for computers and smartphones. This is done by evaluating the heat signatures that fingertips leave behind when typing on keyboards and screens. The process itself is said to take only a few seconds.

The researchers from the School of Computing Science at the University of Glasgow call their method ThermoSecure. They also want to use it to demonstrate how falling prices for technologies such as thermal imaging cameras and easy access to machine learning and artificial intelligence are creating new opportunities for attacks.

On thermal images, areas with higher temperatures appear brighter. So a thermal image of a keyboard, a screen and even the input field of an ATM can reveal which characters were last entered. What is new above all is the link with artificial intelligence, which now makes it possible to crack passwords much faster than if a human were to evaluate such a thermal image.

However, the success rate of ThermoSecure attacks is heavily dependent on how quickly a thermal image is captured after input. After 20 seconds, the researchers were able to reveal about 86 percent of the passwords. Within 30 seconds, the success rate dropped to 76 percent. After 60 seconds, the method was still able to guess around 62 percent of the passwords.

Another factor influencing the success rate is the length of the password. With eight characters, the researchers were successful in 93 percent of the cases. Twelve characters reduced the success rate to 82 percent. For passwords with 16 characters, ThermoSecure still achieved 66 percent. Of particular concern for ATMs is the fact that with six characters or fewer, the success rate was 100 percent.

“Thermal imaging cameras are now more affordable than ever – they can be had for less than £200 – and machine learning is also becoming more accessible. This makes it very likely that people around the world will develop systems similar to ThermoSecure to steal passwords,” said Dr. Mohamed Khamis, a lecturer in computer science at the University of Glasgow, who led the development of ThermoSecure.

But Khamis also cited an easy-to-implement option to protect against such attacks. “Longer passphrases require lengthier typing, which also makes it harder to get an accurate reading on a thermal imaging camera, especially if the user is typing with one finger.” Biometric authentication also offers additional protection, he said.