Thermal-imaging cameras that can be bought for around $200 could be used in conjunction with artificial intelligence to steal passwords, by recovering keystrokes from the body heat they leave behind, according to research from the University of Glasgow.
Dr Mohamed Khamis, of the university’s computer science department, oversaw the development of ThermoSecure, an unusual type of pentesting system designed to demonstrate how heat-capture technology can be used to facilitate credential theft in what he calls a “thermal attack.”
Khamis and his team trained artificial intelligence to ‘read’ heat traces left by the fingertips of computer keyboard, smartphone, and ATM users, and found that ThermoSecure exposed 86% of passwords when thermal images were taken within 20 seconds of physical contact with a device. The rate dropped only slightly to 76% when the image was taken 30 seconds after contact, and to 62% after one minute.
Nor did longer passwords escape detection. Within 20 seconds, ThermoSecure successfully recovered 16-character passwords roughly two-thirds of the time. As passwords grew shorter, success rates increased: 12-symbol passwords were recovered up to 82% of the time, eight-symbol passwords in 93% of cases, and six-symbol passwords every time.
Set a thief to catch a thief
“They say you need to think like a thief to catch a thief,” said Khamis. “We developed ThermoSecure by thinking carefully about how malicious actors might exploit thermal images to break into computers and smartphones.”
He added: “Access to thermal-imaging cameras is more affordable than ever – they can be found for less than £200 [$220] – and machine learning is becoming increasingly accessible too. That makes it very likely that people around the world are developing systems along similar lines to ThermoSecure in order to steal passwords.”
The technology is potentially useful to cybercriminals because a key or screen region that has recently been touched retains some of the user's body heat, and a thermal camera shows that warmer area as brighter than its untouched surroundings. By picking out these literal hotspots, tech-savvy crooks could determine which specific numbers, letters, or other symbols were typed or touched. Because a touched surface cools steadily once the finger is lifted, the relative brightness of the hotspots also carries information about timing: the faintest hotspot was most likely pressed first and the brightest most recently.
They could then estimate the order in which the symbols were entered and try the most plausible orderings first, in an augmented brute-force attack that continues through less likely combinations until the correct one is found – a task that machine learning, a form of artificial intelligence (AI), could help them with.
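To make the pipeline described above concrete, here is an added example in Python. It is not code from the Glasgow team or from ThermoSecure; it is a constructed model of the idea. The thermal image is replaced by a per-key residual-temperature reading (constructed sample values), hotspots are keys that stand out from ambient, the typing order is inferred from the cooling gradient, and the "augmented brute force" tries every ordering of the hotspot keys ranked by how well it agrees with that inferred order. The PIN verifier, threshold, and temperatures are all assumptions; the example also assumes each key was pressed once, since a repeated key leaves only one hotspot.

```python
"""Constructed model of a thermal attack on a numeric keypad (added example).

A real attack would segment a thermal image into keys and use a trained model
to rank orderings; here the reading is a hand-made dict and the ranking is a
simple inversion count, which is enough to show the mechanics.
"""
import hashlib
from itertools import permutations

# Constructed sample reading: residual surface temperature (°C) of each key a
# few seconds after a user typed a PIN. Untouched keys sit near ambient.
AMBIENT = 24.0
SAMPLE_READING = {
    "1": 24.1, "2": 24.0, "3": 26.9, "4": 24.2, "5": 27.8,
    "6": 24.0, "7": 26.0, "8": 24.1, "9": 28.6, "0": 24.0,
}


def hotspots(reading, ambient=AMBIENT, delta=1.0):
    """Keys whose residual heat stands out from ambient: the set of pressed keys.

    `delta` (assumed 1.0 °C) separates real presses from sensor noise and the
    slight warming of neighbouring keys.
    """
    return {k: t for k, t in reading.items() if t - ambient >= delta}


def inferred_order(hot):
    """A pressed key cools steadily after the finger leaves it, so the coolest
    hotspot was probably pressed first and the hottest last. Returns the keys
    in that inferred typing order."""
    return [k for k, _ in sorted(hot.items(), key=lambda kv: kv[1])]


def inversions(candidate, reference):
    """Number of key pairs whose relative order in `candidate` disagrees with
    `reference` (the Kendall tau distance). 0 means identical order."""
    pos = {k: i for i, k in enumerate(reference)}
    c = [pos[k] for k in candidate]
    return sum(1 for i in range(len(c)) for j in range(i + 1, len(c)) if c[i] > c[j])


def ranked_candidates(hot):
    """Augmented brute force: every ordering of the hotspot keys, with the most
    heat-consistent orderings first so the true password is tried early.

    Only the hotspot keys are permuted, so a 4-digit PIN costs at most 4! = 24
    guesses instead of 10,000."""
    ref = inferred_order(hot)
    return sorted(("".join(p) for p in permutations(ref)),
                  key=lambda s: inversions(s, ref))


def attack(reading, verify):
    """Try candidates in ranked order. Returns (password, attempts used), or
    (None, attempts) if no ordering of the hotspots is accepted."""
    cands = ranked_candidates(hotspots(reading))
    for i, cand in enumerate(cands, 1):
        if verify(cand):
            return cand, i
    return None, len(cands)


# Constructed verifier standing in for the target device's PIN check.
_TRUE_PIN = "7395"
_TRUE_HASH = hashlib.sha256(_TRUE_PIN.encode()).hexdigest()


def verify_pin(candidate):
    return hashlib.sha256(candidate.encode()).hexdigest() == _TRUE_HASH


if __name__ == "__main__":
    hot = hotspots(SAMPLE_READING)
    print("pressed keys:", sorted(hot), "inferred order:", "".join(inferred_order(hot)))
    pw, tries = attack(SAMPLE_READING, verify_pin)
    print(f"recovered {pw!r} after {tries} of {len(ranked_candidates(hot))} guesses")
```

In the constructed reading the cooling gradient gets one pair of keys the wrong way round (the inferred order is 7359 while the PIN is 7395), which is exactly why the attack ranks candidates rather than trusting the gradient outright: the true PIN is still the second guess out of 24. The same ranking trick is what makes the longer passwords in the study recoverable at all, since the search space collapses from every possible string to orderings of the keys that actually glow.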
Tighter regulations needed
Khamis urged governments to take action on his team’s findings, and make the credential-harvesting technology harder to come by.
“We’re keen to highlight to policymakers the risks that these kinds of thermal attacks pose to computer security,” he said. “One potential risk-reduction pathway could be to make it illegal to sell thermal cameras without some kind of enhanced security included in their software. We are currently developing an AI-driven countermeasure system that could help address this issue.”
There is a rather more onerous way one might defend oneself against a thermal attack: by learning to touch-type. Touch typists press each key more briefly and so leave fainter heat traces. Those with the secretarial skill who had their keystrokes captured by a thermal-imaging camera within half a minute were successfully cracked 80% of the time, whereas for the less dextrous ‘two-finger’ typists the figure rose to 92%.