Why the heat from your fingertips could make you vulnerable to hackers
Criminals will start using heat-detecting cameras to crack passwords and ATM pins, cyber security experts have warned.
Heat from people’s fingertips can be detected on recently used keyboards and, using AI, hackers could potentially work out what buttons have recently been pressed.
Researchers at Glasgow University created a tool called ThermoSecure, which uses thermal images and was able to accurately guess passwords up to a minute after people typed them out.
The researchers found that people who type slowly are more susceptible to the attack, as they typically press each key for longer.
Some 86 per cent of passwords were cracked by the system when thermal images were taken within 20 seconds of typing and put through the system. A total of 76 per cent of passwords were identified when checked within 30 seconds.
Success dropped to 62 per cent after 60 seconds of entry.
The researchers also found that within 20 seconds, the system was capable of successfully hacking even long passwords of 16 characters, with a success rate of around 67 per cent.
As passwords grew shorter, success rates increased.
Twelve-symbol passwords were guessed up to 82 per cent of the time, eight-symbol passwords up to 93 per cent of the time, and six-symbol passwords were guessed in 100 per cent of attempts.
‘Think like a thief to catch a thief’
Mohamed Khamis, from Glasgow University’s School of Computing Science, said: “They say you need to think like a thief to catch a thief.
“We developed ThermoSecure by thinking carefully about how malicious actors might exploit thermal images to break into computers and smartphones.”
Dr Khamis, who led the development of the technology, said that with thermal imaging cameras now more affordable than ever, it is “very likely that people around the world are developing similar systems in order to steal passwords”.
Dr Khamis said that due to the “novel” nature of the threat, the technology could be being used by criminals on unsuspecting members of the public already.
He added: “It might as well be prevalent but no one is reporting it because no one realises it is happening.”
In the images captured by the heat-detecting cameras, areas appeared brighter the more recently they were touched.
Thermal attacks can occur after users type their password on a keyboard, smartphone screen or keypad.
The type of material keyboards are made from can affect their ability to absorb heat, with some plastics much more likely to retain a heat pattern than others, the researchers found.
Use longer passwords to thwart hackers
Dr Khamis said longer passwords should be used wherever possible to disrupt potential attacks.
“Backlit keyboards also produce more heat, making accurate thermal readings more challenging, so a backlit keyboard with PBT plastics could be inherently more secure,” he said.
“Finally, users can help make their devices and keyboards more secure by adopting alternative authentication methods, like fingerprint or facial recognition, which mitigate many of the risks of thermal attack.”
The findings were published in the journal ACM Transactions on Privacy.