Password Protection: Tips to Avoid "Thermal Attacks"
Computer security experts in Scotland have developed a system that uses thermal imaging and artificial intelligence to guess computer and smartphone passwords in seconds.
"They say you have to think like a thief to catch a thief," Mohamed Khamis, an associate professor of computer science at the University of Glasgow, said in a press release. "We developed ThermoSecure by carefully considering how malicious actors could exploit thermal images to break into computers and smartphones."
The research findings have been published in a new study in the peer-reviewed journal ACM Transactions on Privacy and Security.
ThermoSecure basically works by analyzing the heat traces left by your fingers when typing your password on a keyboard or mobile device. Since brighter areas on a heat-sensing thermal image show locations that have been touched more recently, it is then possible to discern the order in which specific letters, numbers, and symbols were used. To do this, Khamis and his team used machine learning and 1,500 thermal images of recently used QWERTY keyboards to train an artificial intelligence model to read heat signatures and then make informed decisions about potential passwords.
The system was able to reveal 86% of passwords when a thermal image was taken within 20 seconds of entry. Within 30 seconds the success rate dropped to 76%, while after 60 seconds it dropped to 62%.
The team found that longer passwords offered better protection. Within 20 seconds, ThermoSecure was only able to crack 67% of 16-character passwords, but its success rate jumped to 82% for 12-symbol passwords, 93% for eight-symbol passwords, and 100% for six-symbol passwords.
Typing style also had an impact. Slow "hunt and peck" keyboard users tended to linger longer on the keys, creating longer-lasting heat signatures than fast "touch typists". After 30 seconds, ThermoSecure could guess the passwords of the former group with 92% accuracy, compared to 80% for the faster group.
The heat absorption properties of different keyboard materials even played a role. ThermoSecure could guess passwords from keys made with ABS plastics 52% of the time, but only 14% of the time when made with PBT plastics, which are less common.
With thermal cameras becoming more affordable and machine learning becoming more accessible, the team behind ThermoSecure suggests that the types of "thermal attacks" conducted for their study may become increasingly common. In addition to suggesting alternative digital authentication methods like fingerprints or facial recognition, they offer several tips for protecting your passwords.
"Longer passwords are more difficult for ThermoSecure to guess accurately, so we recommend using long passwords whenever possible," Khamis explained. "Backlit keyboards also produce more heat, which makes accurate thermal readings more difficult, so a backlit keyboard with PBT plastics might be inherently safer."