EXPLAINED: How fingertip heat can be used to crack passwords

Heat-sensing cameras can help crack passwords for up to a minute after they are typed, researchers have found, warning that criminals could develop similar systems to break into computers and smartphones.

Heat from people’s fingertips can be detected on recently used keyboards, and when the thermal images were combined with artificial intelligence, a tool developed by researchers at the University of Glasgow made educated guesses about what the password might be.

Some 86% of passwords were cracked when thermal images were taken within 20 seconds of entering the passcode and transmitted to their ThermoSecure system, and 76% within 30 seconds. Success dropped to 62% after 60 seconds of entry.

They also found that within 20 seconds, the system was able to successfully attack even 16-character long passwords, with up to 67% correct attempts.

As passwords got shorter, success rates increased. Twelve-symbol passwords were guessed up to 82% of the time, eight-symbol passwords up to 93% of the time, and six-symbol passwords were guessed in 100% of attempts.

Mohamed Khamis, from the University of Scotland’s School of Computing Science, said: “They say you have to think like a thief to catch a thief.

“We developed ThermoSecure by carefully considering how malicious actors could exploit thermal images to break into computers and smartphones.”

In images captured by heat-sensing cameras, areas appear brighter the more recently they were touched.

Thermal attacks can occur after users type their password on a keyboard, smartphone screen, or numeric keypad, before leaving the device unattended.

A passer-by equipped with a thermal camera can take a photo that reveals the thermal signature of where the user's fingers have touched the device. The brighter an area appears, the more recently it has been touched.

By measuring the relative intensity of the hottest areas, the researchers found that it was possible to determine the specific letters, the number of symbols that made up the password, and to estimate the order in which they were used.

Dr Khamis, who led the development of the technology with Norah Alotaibi and John Williamson, said that with thermal imaging cameras more affordable than ever and machine learning becoming more accessible, it was “very likely that people around the world are developing systems similar to ThermoSecure to steal passwords”.

“It’s important that computer security research keeps pace with these developments to find new ways to mitigate risk, and we will continue to develop our technology to try to stay one step ahead of attackers,” he declared.

The researchers, who published their findings in the journal ACM Transactions on Privacy and Security, also discovered how a user types affects the heat signature left on the keyboard, and therefore how easy it is to crack passwords.

“Hunt-and-peck” keyboard users who type slowly tend to leave their fingers on the keys longer, creating heat signatures that last longer than those of faster typists.

Meanwhile, the type of material keyboards are made from can affect their ability to absorb heat, with some plastics much more likely to retain a heat pattern than others.

Dr Khamis said longer passwords should be used where possible, along with those that are harder to guess accurately.

“Backlit keyboards also produce more heat, which makes accurate thermal readings more difficult, so a backlit keyboard with PBT plastics might be inherently safer,” he said.

“Finally, users can help make their devices and keyboards more secure by adopting alternative authentication methods, such as fingerprints or facial recognition, which mitigate many thermal attack risks.”
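To put numbers on the findings above (the thermal image reveals which keys were pressed and how many symbols were typed) and on the advice to use longer passwords, here is an added example that is not from the article or the ThermoSecure researchers. It assumes one key per character (Shift is ignored), a 95-symbol printable alphabet, and that only the set of touched keys leaks, not their order.

```python
from math import comb, log2

PRINTABLE_ASCII = 95  # assumed alphabet size when no thermal image is available


def surviving_candidates(length: int, touched_keys: int) -> int:
    """Count passwords of `length` symbols that use every touched key at least once.

    This is the number of surjections from positions onto keys, computed by
    inclusion-exclusion over the keys that a candidate would leave unused.
    """
    k = touched_keys
    if k < 1 or k > length:
        return 0  # impossible observation: more distinct keys than symbols
    return sum((-1) ** j * comb(k, j) * (k - j) ** length for j in range(k + 1))


def bits(count: int) -> float:
    """Search space expressed as bits of guessing work."""
    return log2(count) if count > 0 else 0.0


def report(length: int, touched_keys: int) -> dict:
    """Compare the search space before and after the key set is known."""
    leaked = surviving_candidates(length, touched_keys)
    return {
        "length": length,
        "touched_keys": touched_keys,
        "blind_bits": bits(PRINTABLE_ASCII ** length),
        "leaked_bits": bits(leaked),
        "candidates": leaked,
    }


if __name__ == "__main__":
    # Constructed cases: the password lengths quoted in the article, plus one
    # 16-symbol password that reuses keys (10 distinct keys touched).
    for length, keys in [(6, 6), (8, 8), (12, 12), (16, 16), (16, 10)]:
        r = report(length, keys)
        print(f"{length:>2} symbols, {keys:>2} keys: "
              f"{r['blind_bits']:5.1f} bits -> {r['leaked_bits']:5.1f} bits "
              f"({r['candidates']} candidates)")
```

Under these assumptions a six-symbol password drops from about 39 bits to 720 orderings once the keys are known, while a 16-symbol password still leaves about 44 bits of ordering uncertainty.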

