Hackers now use thermal attacks to steal passwords in seconds
To catch a thief, think like a thief. This may not be something you expect to hear an academic researcher say, but Mohammed Khamis, a Reader in the Computing Science department at the University of Glasgow, and his team of researchers have done just that and developed a system that can reveal passwords in seconds.
The approach, dubbed a thermal attack, combines two trends in the technological space, the falling prices of thermal cameras and the increased access to machine learning, to demonstrate how an image of your screen or keyboard captured using a thermal imaging camera could be sufficient for a hacker to gain access to confidential information.
What is a thermal attack?
Whenever you access a keypad, keyboard, or smartphone screen to type in your password or passcode, the contact between your fingers and the surface leaves a small but detectable heat signature. When captured with a thermal imaging camera, this heat signature is visible up to 60 seconds after contact.
This would mean that although you might be guarding the keypad while entering your ATM passcode, seconds later, a thermal camera could still pick up the keys touched during the process. This is called a thermal attack.
The researchers found that recently touched keys appeared brighter in such images, and it was possible to determine the sequence of numbers, letters, or even symbols that make up a password.
Previous research by the team found that, given this information, even non-experts could accurately guess passwords from such images. The team then used machine learning to see if password-guessing accuracy could be improved.
How machine learning can help crack passwords
The researchers used 1,500 images of QWERTY keyboards taken from different angles after they were used to type passwords. They then trained an artificial intelligence (AI) model to read these images and used a probabilistic model to guess the passwords from the thermal clues.
The researchers found that the system, called ThermoSecure, could guess 86 percent of the passwords accurately when the images were taken within 20 seconds of contact. As the image interval increased to 60 seconds, the accuracy decreased to 62 percent.
Among the images taken within 20 seconds, the system could also guess long passwords of as many as 16 characters 67 percent of the time. As the passwords grew shorter, the accuracy increased, reaching 100 percent for passwords that were six characters long, the press release said.
"Access to thermal imaging cameras is more affordable than ever – they can be found for less than £200 (US$225) – and machine learning is becoming increasingly accessible too," said Khamis in the press release. "It’s important that computer security research keeps pace with these developments to find new ways to mitigate risk, and we will continue to develop our technology to try to stay one step ahead of attackers."
What can be done to avert this?
The research also provided insights into what mitigation strategies could be adopted to prevent a thermal attack. The researchers found that users who typed more slowly and left their fingers on the keyboard longer were more likely to see their passwords being guessed accurately than those who typed fast.
The material used to make the keyboard also had an impact on the system's ability to guess passwords. ThermoSecure could accurately guess passwords typed on keycaps made from ABS plastics about 50 percent of the time. However, the success rate dropped considerably to 14 percent when keycaps made from PBT plastics were used.
Apart from moving to sophisticated means of authentication, such as fingerprint and facial recognition, users could adopt long passphrases as passwords.
The research findings were published in the journal ACM Transactions on Privacy and Security.
Abstract
Thermal cameras can reveal heat traces on user interfaces, such as keyboards. This can be exploited maliciously to infer sensitive input, such as passwords. While previous work considered thermal attacks that rely on visual inspection of simple image processing techniques, we show that attackers can perform more effective AI-driven attacks. We demonstrate this by presenting the development of ThermoSecure, and its evaluation in two user studies (N=21, N=16) which reveal novel insights about thermal attacks. We detail the implementation of ThermoSecure and make a dataset of 1,500 thermal images of keyboards with heat traces resulting from input publicly available. Our first study shows that ThermoSecure successfully attacks 6-symbol, 8-symbol, 12-symbol, and 16-symbol passwords with an average accuracy of 92%, 80%, 71%, and 55% respectively, and even higher accuracy when thermal images are taken within 30 seconds. We found that typing behavior significantly impacts vulnerability to thermal attacks, where hunt-and-peck typists are more vulnerable than fast typists (92% vs 83% thermal attack success if performed within 30 seconds). The second study showed that the keycaps material has a statistically significant effect on the effectiveness of thermal attacks: ABS keycaps retain the thermal trace of users' presses for a longer period of time, making them more vulnerable to thermal attacks, with a 52% average attack accuracy compared to 14% for keyboards with PBT keycaps. Finally, we discuss how systems can leverage our results to protect from thermal attacks, and present 7 mitigation approaches that are based on our results and previous work.