A press release from the University of Glasgow reveals that your password can be guessed in mere seconds, based on the traces of heat left by your fingertips.
Researchers from the University of Glasgow wanted to warn people about the dangers of so-called ‘thermal attacks’, which are now much easier for bad actors to carry out thanks to the falling prices of thermal cameras and the rising popularity of machine learning systems.
To illustrate the dangers, they developed the ThermoSecure system, which uses a regular thermal camera and AI to guess passwords in seconds.
“Thermal attacks can occur after users type their passcode on a computer keyboard, smartphone screen or ATM keypad before leaving the device unguarded. A passerby equipped with a thermal camera can take a picture that reveals the heat signature of where their fingers have touched the device,” they say.
Because more recent touches have a higher temperature, the areas of your phone or a PIN pad that you touched last will appear much brighter in a thermal image. By taking a picture, the researchers could tell which letters or numbers were pressed, and which were pressed more recently. By adding AI to the mix, the researchers could start guessing different combinations of those letters until they cracked passwords.
According to them, Dr Mohammed Khamis, the lead developer of ThermoSecure, had “already demonstrated that non-experts can successfully guess passwords simply by looking carefully at thermal images taken between 30 and 60 seconds after surfaces were touched.”
Now, thanks to machine learning, they could do it much faster.
Through their studies, they found that ThermoSecure was capable of revealing 86% of passwords when thermal images were taken within 20 seconds, 76% when taken within 30 seconds, and 62% after 60 seconds of entry.
Even longer passwords, of 16 characters, were guessed correctly in 67% of cases.
“Access to thermal imaging cameras is more affordable than ever – they can be found for less than £200 – and machine learning is becoming increasingly accessible too. That makes it very likely that people around the world are developing systems along similar lines to ThermoSecure in order to steal passwords,” warned Dr Khamis.