Quantcast
ZME Science
  • News
  • Environment
  • Health
  • Future
  • Space
  • Features
  • ZME & more
    • About
    • The Team
    • Advertise
    • Contribute
    • Our stance on climate change
    • Privacy Policy
    • Contact
No Result
View All Result
ZME Science

No Result
View All Result
ZME Science
Home Future

An AI capable of ‘thermal attacks’ just proved that no password is safe

Scientists created an AI password thief to show that we need better safety measures than passwords and PIN.

by Rupendra Brahambhatt
October 13, 2022
in Future, News, Physics, Research, Tech, Technology
Share on FacebookShare on TwitterSubmit to Reddit

Every time you enter an input on your keyboard or mobile screen, your fingers leave heat signatures. This is a normal physical phenomenon that happens because your body is hotter than the device and it transfers a small amount of heat whenever you press a button or a screen. The problem is that this heat can be detected — and it can be used to crack passwords.

Researchers at the University of Glasgow have developed an AI-driven system called ThermoSecure that shows that a person’s heat signatures can be used by thermal attackers to steal sensitive information such as passwords or PIN codes.

A PIN-protected iPhone. Image credits: Yura Fresh/Unsplash

In a thermal attack, the attacker uses a thermal camera to record a thermal image of the surface of a phone’s touchscreen, a keyboard, or a keypad after the user inputs a password or PIN. The thermal camera will reveal heat traces that indicate which keys the victim has used to enter the PIN or password. Explaining the process, one of the authors and associate professor at the University of Glasgow, Dr. Mohamed Khamis told ZME Science:

“The heat traces of the most recently touched key will be the warmest because heat traces typically decay over time – this phenomenon allows the attacker to determine the order of entry. An attacker can perform such an attack by visually inspecting the thermal image. However, an AI-driven approach like ThermoSecure could allow the attacker to determine the input long after it has been provided and with very high accuracy.” 

Anyone with an AI-enabled thermal camera can crack your password

ThermoSecure is essentially an AI-driven system that analyses thermal images of keyboards and infers the user input on that keyboard. It uses machine learning to determine the pressed keys and to estimate the order in which the keys were pressed. The researchers claim that by using ThermoSecure, even a non-expert person can figure out the password of a user within 30 to 60 seconds of it being entered or typed on a device.

ALSO READ:  Scientists publish NASA “wish list” that includes a trip to Uranus

Dr. Khamis and his colleagues performed some interesting experiments with ThermoSecure to demonstrate the capabilities of AI-based thermal attacking systems. They captured about 1,500  thermal images of a keyboard from multiple angles and developed a machine-learning-based model to examine the images.

After the thermal camera shows what keys were pressed, the AI model then uses a probability-based approach on the QWERTY keyboard and guesses the key combinations (passwords) that were previously typed on it.  

Dr. Khamis showing the heat signatures on a keyboard. Image credits: University of Glasgow

The researchers tested ThermoSecure for thermal images taken on different time durations i.e. within 20 seconds, 30 seconds, and 60 seconds after entries were made on the keyboard. The system was able to figure out 62% and 76% of the passwords entered within 60 seconds and 30 seconds respectively. For images that fell in the 20-second category, it was able to retrieve passwords with a staggering 86% accuracy (67% accuracy for passwords consisting of 16 digits). 

The researchers wrote in the paper, “Our first study shows that ThermoSecure successfully attacks 6-symbol, 8-symbol, 12-symbol, and 16-symbol passwords with an average accuracy of 92%, 80%, 71%, and 55% respectively, and even higher accuracy when thermal images are taken within 30 seconds.”  

They also observed that the typing behavior of users also plays an important role in deciding how vulnerable they are to thermal attacks. For instance, during the study, the researchers found that the success rate of thermal attacks that take place within 30 seconds of input is only 83% for fast typists. Whereas for slow or hunt and peck typists, it is 92%. 

ALSO READ:  Bad Physics in Movies: When Hollywood gets science wrong

There is an urgent need for better security measures

Today, thermal cameras are more affordable and accessible than ever. Some years back it would have cost several thousand to purchase a thermal camera but now you can get a smartphone add-on thermal camera for under $200. Plus, there are numerous resources available on the internet using which a person can learn how machine learning works. Basically, the more technology becomes affordable, the more attacks like this one are becoming more plausible. 

Image credits: Rahul Pandit/Pexels

Researchers are understandably concerned that anyone with the right knowledge and tools but the wrong intentions can also develop a password-stealing technology like ThermoSecure. The experiments conducted by the researchers strongly highlight the need for technologies safer than PINs and passwords. It also sheds light on the importance of cybersecurity research because only if we already know what the attackers are going to do next, we could stay ahead of them.  

For instance, after analyzing the dangers of AI-thermal attacks using ThermoSecure, Dr. Khamis and his team also developed a countermeasure system that is capable of detecting keyboards, keypads, and touchscreens in the view of the thermal camera, and obfuscates them, creating an extra layer of security. This prevents the users of thermal cameras from using them to perform thermal attacks, similar to how printers prevent their users from printing money.

“We want to spread further awareness about the solutions we are developing and try to convince thermal camera manufacturers to integrate software to prevent the misuse of their technology. We will continue to develop countermeasures (but) we also need support from policymakers and the cooperation of thermal camera manufacturers if we want preventative measures deployed into every thermal camera sold in the UK,” said Dr. Khamis.

The study is published in the journal ACM Transactions on Privacy and Security.

Tags: AI thermal attackCybersecuritythermal camerathermal imaging

ShareTweetShare
ADVERTISEMENT
ADVERTISEMENT
  • News
  • Environment
  • Health
  • Future
  • Space
  • Features
  • ZME & more

© 2007-2021 ZME Science - Not exactly rocket science. All Rights Reserved.

No Result
View All Result
  • News
  • Environment
  • Health
  • Future
  • Space
  • Features
  • ZME & more
    • About
    • The Team
    • Advertise
    • Contribute
    • Our stance on climate change
    • Privacy Policy
    • Contact

© 2007-2021 ZME Science - Not exactly rocket science. All Rights Reserved.

Don’t you want to get smarter every day?

YES, sign me up!

Over 35,000 subscribers can’t be wrong. Don’t worry, we never spam. By signing up you agree to our privacy policy.