security threat

Unsettling Security Threat Revealed as AI “Thermal Attack” Guesses Passwords in Seconds

A new potential security threat has been revealed by researchers at the University of Glasgow, who recently developed a system that they say can hack devices within seconds with the help of thermal imaging systems that detect traces of heat left by a user’s fingertips.

The Glasgow research team says the technology, which they call ThermoSecure, demonstrates how the affordability of thermal imaging cameras, when paired with accessibility to machine learning, could spell trouble in the future, and may lead to a rise in what they call “thermal attacks.”

When users enter their passwords on a device, faint amounts of heat remain on the surface where their fingertips made contact. According to the Glasgow researchers, anyone armed with at thermal camera would be able to collect information that could potentially be used to help them decipher the combination of characters required to gain access.

Dr. Mohamed Khamis, lead developer of ThermoSecure, says that in the past he has already shown the ways even someone without significant training can observe thermal images of a device after a user has accessed it, and in many instances correctly guess their password.

Now, the Glasgow team has published their latest research on such potential threats in the journal ACM Transactions on Privacy and Security.

security threat
Above: Researchers Norah Alotaibi, Mohamed Khamis, and John Williamson (Credit: University of Glasgow).

In their paper, Khamis, along with researchers Norah Alotaibi and John Williamson, Ph.D., report that they successfully trained an A.I. algorithm to “read” thermal images in order to help increase its overall success rate at guessing user’s passwords from the heat signatures left by their fingerprints.

The results of a pair of studies showed that ThermoSecure was able to guess 86% of passwords if the thermal imagery was obtained within 20 seconds of a user entering their password. Within this period, the system was also more successful at guessing longer passwords.

Within 30 seconds of thermal images being taken, the percentage of correctly guessed passwords dropped to 76%, then down to 62% after one minute.

However, with shorter passwords, the algorithm’s success rate rose overall; with images captured within 20 seconds of a user accessing their device, passwords with six symbols or less were successfully hacked up to 100% of the time.

For Khamis, developing technologies that hackers may attempt to use is one of the strongest methods of combatting potential identity theft. Although some have raised concerns about bringing public attention to security “blind spots” that might potentially be exploited, others maintain that having awareness about such vulnerabilities out in the open is a better defense in the long run.

“They say you need to think like a thief to catch a thief,” Khamis said in a statement. “We developed ThermoSecure by thinking carefully about how malicious actors might exploit thermal images to break into computers and smartphones.”

Citing the growing affordability of thermal imaging systems, Khamis says that users should consider taking precautions that include using longer passwords. Backlit keyboards that use PBT plastics are also potentially more secure due to the heat they produce, which also could help to mask thermal signatures left by a user.

Fundamentally, Khamis says that researchers must constantly consider how newly accessible technologies might be exploited for theft purposes.

“It’s important that computer security research keeps pace with these developments to find new ways to mitigate risk,” Khamis says, “and we will continue to develop our technology to try to stay one step ahead of attackers.”

Micah Hanks is Editor-in-Chief and Co-Founder of The Debrief. Follow his work at micahhanks.com and on Twitter: @MicahHanks