AI-driven ’thermal attack’ system reveals passwords in seconds

Computer security experts have developed a system capable of guessing computer and smartphone users' passwords in seconds by analysing the traces of heat their fingertips leave on keyboards and screens. Researchers from the University of Glasgow developed the system, called ThermoSecure, to demonstrate how falling prices of thermal imaging cameras and rising access to machine learning are creating new risks for 'thermal attacks.' Thermal attacks can occur after users type their passcode on a computer keyboard, smartphone screen or ATM keypad before leaving the device unguarded. A passerby equipped with a thermal camera can take a picture that reveals the heat signature of where their fingers have touched the device. The brighter an area appears in the thermal image, the more recently it was touched. By measuring the relative intensity of the warmer areas, it is possible to determine the specific letters, numbers or symbols that make up the password and estimate the order in which they were used. From there, attackers can try different combinations to crack users' passwords. Previous research by Dr Mohamed Khamis, who led the development of ThermoSecure, has already demonstrated that non-experts can successfully guess passwords simply by looking carefully at thermal images taken between 30 and 60 seconds after surfaces were touched.