Boffins at the University of Glasgow, Scotland, have developed a system that demonstrates what they claim is a new type of cybersecurity threat: a “thermal attack.”
Falling prices for heat-sensing thermal imaging cameras and advances in machine learning have made it easier to guess a password within a minute of it being typed on a keyboard, researchers say.
Dr. Mohamed Khamis led the development of ThermoSecure, a system that uses a thermal imaging camera to identify the keys last touched by an individual in order to guess passwords and PINs entered on keyboards and ATM keypads.
In a press release presenting their findings, the experts described possible attack scenarios.
A photo of the keyboard taken by a passerby with an infrared camera reveals heat marks where fingers recently touched it.
The brighter an area appears in the infrared image, the more recently it was touched. By measuring the relative strength of the warm areas, we can identify the specific letters, numbers, or symbols that make up the password, and deduce the order in which they were used. From there, the attacker can try different combinations to crack the user’s password.
To test the system, the researchers took 1,500 thermal photographs from different angles of a recently used QWERTY keyboard.
The team then “trained an artificial intelligence model to effectively read the image and use a probabilistic model to make an informed guess about the password from the heat signature cues.”
According to the research, an impressive 86% of passwords were revealed correctly if the thermal image was taken within 20 seconds of input, 76% if the image was captured within 30 seconds of input, and 62% after 60 seconds.
As you can imagine, the success rate improved with shorter passwords. 12-symbol passwords were guessed 82% of the time, 8-symbol passwords 93% of the time, and 6-symbol passwords were cracked in 100% of attempts.
The researchers reported being able to tackle passwords as long as 16 characters within 20 seconds with a 67% success rate.
And there’s bad news for “hunt-and-peck” typists who are slow to find the right key to press when typing their passwords. Researchers say non-touch typists tend to keep their fingers on the keys for too long, leaving a long-lasting heat trail.
Dr. Khamis believes it is “very likely” that criminals have developed systems similar to ThermoSecure to steal passwords.
“Access to thermal imaging cameras has never been more affordable. You can find them for less than £200. Machine learning is also becoming more accessible,” he said.
- It’s generally better to use long passwords or passphrases that are harder to guess than short passwords, but you already know that, right?
- If you’re nervous, use a backlit keyboard. These produce more heat, making it harder to get accurate temperature readings.
- Similarly, there are also differences in the material of the keycaps. ABS keycaps (acrylonitrile butadiene styrene) retain heat longer than PBT (polybutylene terephthalate) keycaps.
- Make sure your account is protected by additional authentication methods (such as 2FA or biometrics), not just a single password.
- Watch out for people lurking nearby with infrared cameras.
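
To put numbers on the advice about longer passwords, the following added example (not from the article or the researchers' work) counts how many candidate passwords remain once a thermal image has leaked which keys were pressed. It assumes the image reveals the exact set of keys but no ordering, that the attacker knows the password length, and that passwords are drawn from 95 printable characters; the function names are hypothetical.

```python
"""Added illustration: guesses left after a thermal image reveals WHICH keys
were pressed, under the assumptions stated in the lead-in above."""
from math import comb, log2

PRINTABLE_KEYS = 95  # assumption: password drawn from printable ASCII


def candidates(length: int, distinct_keys: int) -> int:
    """Count strings of `length` that use each of `distinct_keys` known keys
    at least once (inclusion-exclusion count of surjections)."""
    k = distinct_keys
    return sum((-1) ** j * comb(k, j) * (k - j) ** length for j in range(k + 1))


def residual_bits(length: int, distinct_keys: int) -> float:
    """Guessing entropy left once the key set has leaked (order unknown)."""
    n = candidates(length, distinct_keys)
    return log2(n) if n > 0 else 0.0


def report(cases):
    """Return (length, keys, candidates, bits_before, bits_after) per case."""
    rows = []
    for length, distinct in cases:
        before = length * log2(PRINTABLE_KEYS)  # entropy with no leak
        after = residual_bits(length, distinct)
        rows.append((length, distinct, candidates(length, distinct),
                     round(before, 1), round(after, 1)))
    return rows


if __name__ == "__main__":
    # Constructed cases: (password length, distinct keys seen in the image)
    for row in report([(6, 6), (8, 8), (8, 6), (12, 12), (16, 12)]):
        print("len=%2d keys=%2d candidates=%d bits before=%.1f after=%.1f" % row)
```

Even with no ordering information, a 6-character password with six distinct keys leaves only 720 candidates, and any ordering recovered from relative heat intensity shrinks that further. Length and repeated characters are what keep the residual search space large.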