Thermal attack: Researchers suggest ways to counter threat

Password guessing powered by AI

Mohamed Khamis, the assistant professor of computer science at the School of Computing Science at the University of Glasgow, had previously found that even non-experts can accurately determine passwords when shown thermal images of devices captured within 60 seconds of user access.

In a world that is seeing increasing deployment of artificial intelligence, Khamis and his team developed a computer system that could be deployed to determine passwords from thermal images.

Interesting Engineering reported last year how this AI-powered system could accurately guess 16-character-long passwords with 67 percent accuracy. As the password length decreased, the software accuracy increased to 100 percent.

The research team estimates that the occurrence of such attacks will only increase with the drop in the costs of thermal cameras.

Steps to take to reduce thermal attacks

Together with researchers at Lancaster University in the UK and Ruhr-University Bochum in Germany, the team has identified 15 different approaches to reduce the risk of thermal attacks.

The researchers suggested that manufacturers of devices such as ATM keypads and payment terminals can use a heating element that can erase traces of finger heat or use surfaces that allow rapid heat dissipation in their manufacturing process. Devices used in public spaces could also feature a physical shield that stays on till the heat is dissipated.

The team also recommends software-based solutions such as shuffling the layout of keys for each use or prompting users to increase awareness regarding thermal attacks to minimize risks. Additionally, multi-factor authentication can also help in reducing security breaches.

At the user level, the researchers recommended transferring heat from one's hands before using devices or using rubber gloves before keying in critical data to prevent its capture using thermal cameras. Pressing hands on the entire surface or breathing on the device can also help obscure heat signatures.

The team also conducted an online survey to determine which of these suggestions would work for users and seek user suggestions for improving security. "Intuitively, users suggested some strategies that weren’t in the literature, like waiting to use an ATM until their surroundings seemed safest," said Khamis in a press release. "They were also keen on strategies that were already familiar, like two-factor authentication, because they were aware of their effectiveness."

The team also had an essential recommendation for installing a software lock on thermal cameras by their manufacturers to avoid misusing them at places such as ATMs.

The researchers present their findings today at the USENIX Security Symposium in Anaheim, California.