Computer security experts in Scotland have developed a system that uses thermal imaging and artificial intelligence to guess computer and smartphone passwords in seconds.
"They say you need to think like a thief to catch a thief," Khamis, an associate professor of computing science at the University of Glasgow, said. "We developed ThermoSecure by thinking carefully about how malicious actors might exploit thermal images to break into computers and smartphones."
Results of the research were published in the peer-reviewed journal ACM Transactions on Privacy and Security.
ThermoSecure essentially works by analyzing the traces of heat left by your fingertips when you enter your password on a keyboard or mobile device. Since brighter areas on a heat-sensing thermal image show places that were touched more recently, it is then possible to discern the order in which specific letters, numbers and symbols were used. To do so, Khamis and his team used machine learning and 1,500 thermal images of recently used QWERTY keyboards to train an artificial intelligence model to read heat signatures and then make informed decisions about potential passwords.
The system was able to reveal 86 per cent of passwords when a thermal image was taken within 20 seconds of typing. Within 30 seconds, the success rate fell to 76 per cent, while after 60 seconds it dropped to 62 per cent.
The team found that longer passwords offered more protection. Within 20 seconds, ThermoSecure could only crack 67 per cent of 16-character passwords, but its success rate climbed to 82 per cent for passwords with 12 symbols, 93 per cent for eight symbols and 100 per cent for six symbols.
Typing style had an impact as well. Slow-searching "hunt-and-peck" keyboard users tended to linger more on keys, creating longer-lasting heat signatures than speedy "touch-typists." After 30 seconds, ThermoSecure could guess the first group's passwords with 92 per cent accuracy, versus 80 per cent for the faster group.
The heat-absorption properties of different keyboard materials even played a role. ThermoSecure could guess passwords from keys made with ABS plastics 52 per cent of the time, but only 14 per cent of the time when they were made with PBT plastics, which are .
With thermal imaging cameras becoming more affordable, and machine learning becoming more accessible, the team behind ThermoSecure suggests the types of "thermal attacks" conducted for their study could become increasingly common. In addition to suggesting alternative digital authentication methods like fingerprint or facial recognition, they offer several tips for protecting your passwords.
"Longer passwords are more difficult for ThermoSecure to guess accurately, so we would advise using long passphrases wherever possible," Khamis explained. "Backlit keyboards also produce more heat, making accurate thermal readings more challenging, so a backlit keyboard with PBT plastics could be inherently more secure."