Heat from your FINGERTIPS can be used to crack your password: Hackers can use thermal cameras to break into your smartphone up to a MINUTE after you enter your passcode
- Researchers developed an AI that can retrace passwords from thermal images
- 86% of passwords were cracked when thermal images were taken within 20s
- As passwords grew shorter, the team found that success rates increased
If you own a smartphone, you may think that a four-digit passcode is enough to protect your device from hackers.
But a new study has warned that the heat from your fingertips can be used to crack your password – up to a minute after you type it.
Researchers from the University of Glasgow have demonstrated how hackers can use thermal cameras to retrace the password you’ve typed into a smartphone, computer keyboard, or even an ATM.
Researchers from the University of Glasgow have demonstrated how hackers can use thermal cameras to retrace the password you’ve typed into a smartphone, computer keyboard, or even an ATM. Pictured: Mohamed Khamis, who led the development of a password cracking thermal camera
How can you guess a password from thermal images?
Thermal attacks can occur after users type their password on a keyboard, smartphone screen or keypad, before leaving the device unguarded.
A passer-by equipped with a thermal camera can take a picture that reveals the heat signature of where their fingers have touched the device, with the brighter an area appears the more recently it had been touched.
By measuring the relative intensity of the warmer areas, researchers found, it was possible to determine the specific letters, numbers of symbols that make up the password and estimate the order in which they were used.
In the study, the researchers developed an AI system called ThermoSecure that can retrace recently-typed passwords from thermal images.
Some 86 per cent of passwords were cracked when thermal images were taken within 20 seconds of typing in the secret code and put through their ThermoSecure system, and 76 per cent when within 30 seconds.
Success dropped to 62 per cent after 60 seconds of entry.
They also found within 20 seconds the system was capable of successfully attacking even long passwords of 16 characters, with a rate of up to 67 per cent correct attempts.
As passwords grew shorter, success rates increased.
Twelve-symbol passwords were guessed up to 82 per cent of the time, eight-symbol passwords up to 93 per cent of the time, and six-symbol passwords were successful in 100 per cent of attempts.
Mohamed Khamis, of the Scottish university’s School of Computing Science, said: ‘They say you need to think like a thief to catch a thief.
‘We developed ThermoSecure by thinking carefully about how malicious actors might exploit thermal images to break into computers and smartphones.’
In the images captured by the heat-detecting cameras, areas appear more bright the more recently they were touched.
Thermal attacks can occur after users type their password on a keyboard, smartphone screen or keypad, before leaving the device unguarded.
A passer-by equipped with a thermal camera can take a picture that reveals the heat signature of where their fingers have touched the device, with the brighter an area appears the more recently it had been touched.
By measuring the relative intensity of the warmer areas, researchers found, it was possible to determine the specific letters, numbers of symbols that make up the password and estimate the order in which they were used.
If you have a passcode protecting your smartphone, you may think that it’s safe from hackers. In images captured by heat-detecting cameras, areas appear more bright the more recently they were touched
Dr Khamis, who led the development of the technology with Norah Alotaibi and John Williamson, said with thermal imaging cameras more affordable than ever and machine learning becoming more accessible, it was ‘very likely that people around the world are developing systems along similar lines to ThermoSecure in order to steal passwords’.
‘It’s important that computer security research keeps pace with these developments to find new ways to mitigate risk, and we will continue to develop our technology to try to stay one step ahead of attackers,’ he said.
The researchers, who published their findings in the journal ACM Transactions on Privacy and Security, also found how a user types affects the heat signature left on the keyboard, and therefore how easy it was to crack passwords.
Thermal attacks can occur after users type their password on a keyboard, smartphone screen or keypad, before leaving the device unguarded
‘Hunt-and-peck’ keyboard users who type slowly tend to leave their fingers on the keys for longer, creating heat signatures which last longer than faster touch-typists.
Meanwhile, the type of material keyboards are made from can affect their ability to absorb heat, with some plastics much more likely to retain a heat pattern than others.
Dr Khamis said longer passwords should be used wherever possible, with those more difficult to guess accurately.
‘Backlit keyboards also produce more heat, making accurate thermal readings more challenging, so a backlit keyboard with PBT plastics could be inherently more secure,’ he said.
‘Finally, users can help make their devices and keyboards more secure by adopting alternative authentication methods, like fingerprint or facial recognition, which mitigate many of the risks of thermal attack.’
Tips to ensure your passwords are safe
1. Deploy a password manager
Password managers allow you to store all the passwords in end-to-end encrypted digital storage locked with a single keyword for the most convenience. Most password managers have additional features to check passwords’ strength and automatically generate unique passwords. For organizations, they can come in handy when sharing passwords with employees or managing their access.
2. Introduce cybersecurity training
Since simple human mistakes remain the leading cause of data breaches, it is worth investing in cybersecurity training sessions for employees. Starting from the basics might be a good idea given that people have different technology background levels.
3. Enable multi-factor authentication
Known as MFA, it serves as an extra layer of security. It is an authentication method that uses two or more mechanisms to validate the user’s identity – these can be separate apps, security keys, devices, or biometric data.
Source: NordPass
Source: Read Full Article