Researchers from the University of Glasgow have developed the ThermoSecure AI system, which analyzes heat traces on keyboards from fingertips and guesses passwords. Techxplore reports.
Within 30–60 seconds after interacting with the keys, traces of heat remain that can be captured by an inexpensive thermal camera. The brighter the region in the image, the more recently it was touched.
By measuring the intensity of warm traces, one can determine the specific letters, digits, or symbols that make up a password, and also determine their order. With this information, attackers could guess the correct combination.
Lead researcher Mohamed Hamis said that in previous work, non-specialists successfully guessed passwords by closely examining thermal images. Now the researcher and his team have employed machine learning to improve the attack’s accuracy.
To this end, they collected 1,500 thermal images of recently used QWERTY keyboards from different angles. They trained the algorithm to read the images and make informed guesses about passwords from signature cues, using a probabilistic model.
In two user studies, they found that ThermoSecure can reveal 86% and 76% of passwords if the thermal image was captured within 20 and 30 seconds respectively. One minute after interacting with the keyboard, the algorithm’s accuracy dropped to 62%.
They also found that within 20 seconds ThermoSecure can successfully guess even long passwords of 16 characters in 67% of cases. As the access codes shorten, recognition accuracy increased: 12-character — up to 82%, 8-character — up to 93%, and 6-character — up to 100%.
Researchers also studied additional variables that facilitate password guessing for ThermoSecure. One of them was typing style.
They found that the algorithm performs worse when users type blind. Less-experienced typists typically keep their fingers on the keys longer, causing the heat to linger longer.
The material of the keyboard also affects the success of recognition, the experts say.
According to Hamis, the availability of thermal cameras and machine-learning models will enable anyone to replicate such an attack.
It is important that cybersecurity research keep pace with these developments to find new ways to reduce the risk of breaches,
In addition, the team is developing AI-based countermeasures to help address this problem, Hamis added.
The researchers recommended users set long passwords and enable additional authentication methods such as fingerprints or facial recognition.
Earlier in October 2021, researchers taught AI to read the PIN code entered at an ATM by video.
Subscribe to ForkLog AI in Telegram: ForkLog AI — all the news from the AI world!