Thermal attacks can crack users’ passwords in mere seconds by analyzing the traces of heat their fingertips leave on keyboards and screens.
Traces of fingerprints left on commonly used surfaces such as smartphone screens, computer keyboards, or ATM pads can become targets of thermal attacks that use heat-sensitive cameras to read them.
Security experts warned that threat actors could analyze the intensity of heat traces across recently touched surfaces, such as smartphone screens or ATM pads, and reconstruct passwords within moments.
In a new study, they devised a set of recommendations to mitigate a potentially disastrous security risk resulting from greater accessibility of thermal imaging cameras and machine learning software.
Researchers from the Universities of Glasgow and Lancaster in the UK and Ruhr-University Bochum in Germany have identified 15 approaches described in earlier research that could reduce the risk of thermal attacks.
These included wearing gloves or rubber thimbles to reduce the transfer of heat from users’ hands or changing the temperature of hands by touching something cold before typing.
Alternatively, users could blow on a surface or press their hands onto it once they finish typing.
Other solutions focused on hardware and software, with manufacturers urged to consider placing a heating element behind surfaces that could erase finger heat or using material that dissipates heat more rapidly.
The study said that the security of public surfaces could also be increased by introducing a physical shield that covers keys until the heat has dissipated. Eye-tracking and biometric security were mentioned as other possible solutions.
Researchers also carried out an online survey, which showed that respondents “intuitively” suggested strategies that were not in the literature, like waiting to use an ATM until their surroundings seemed safest, according to lead author Dr. Mohamed Khamis.
“We also saw that they considered issues like hygiene, which made the strategy of breathing on devices to mask heat traces very unpopular,” Khamis said.
Privacy was another issue, making the use of biometrics, such as face or fingerprint recognition, a less attractive option, but users were keen on familiar strategies like two-factor authentication.
“Users told us that they considered themselves at least partially responsible for their own security, so we advise that they pay close attention to their surroundings when entering sensitive data in public to make sure no one is watching or use a secure facility such as a bank,” corresponding author Prof. Karola Marky said.
She added: “Where that’s not possible, we suggest resting palms on devices to obscure traces of heat or wearing gloves or finger protection if they can.”
Last year, a study led by Dr. Khamis demonstrated the ease of using thermal images to crack passwords.
An AI-driven system developed by his team, ThermoSecure, could reveal 86% of passwords when thermal images were taken within 20 seconds and 76% when they were taken within 30 seconds.
Within 20 seconds, the system cracked longer passwords with a 67% success rate and guessed shorter passwords up to 82% of the time. The success rate of breaking shorter, six-symbol passwords was up to 100%.