1. Thermal imaging shows the thermal trace left by the fingertips on the keyboard. Researchers say that the password can be cracked by using the thermal trace (Source: Glasgow University)
Computer security researchers say that they have developed a system based on artificial intelligence, which can guess the passwords of computers and smart phones in just a few seconds by checking the characteristics of heat left by fingertips on the keyboard and screen when inputting data.
Researchers at the School of Computational Science at the University of Glasgow in the UK have developed this system called ThermoSecure to show how the falling price of thermal imaging cameras and the increasing popularity of machine learning and artificial intelligence algorithms create new opportunities for what they describe as thermal attacks.
By looking at the computer keyboard, smartphone screen or ATM keyboard with a thermal imaging camera, a photo can be taken to show the thermal characteristics of the recent finger touching the device.
The brighter the area appearing in thermal imaging, the closer it is to being touched by people-this means that the image can be used to crack passwords or PIN codes by analyzing the location and time of touching the keyboard or screen.
Early research on heat attacks in Glasgow University showed that people without professional knowledge can guess passwords just by looking at heat images. Now, with artificial intelligence, professional attackers can crack passwords more quickly.
If ThermoSecure is used to analyze images with artificial intelligence, 86% of passwords can be revealed if thermal images are taken within 20 seconds. If the thermal image is taken within 30 seconds, 76% of the passwords can be revealed. If the thermal image is taken after 60 seconds, 62% passwords can still be revealed.
The longer the password, the more difficult it will be to leak, but in most cases it can still be proved to be leaked. ThermoSecure can crack two thirds of passwords with 16 characters; The shorter the password, the higher the success rate of the system-82% for the 12-character password and 93% for the 8-character password.
100% of passwords consisting of 6 characters or less are successfully cracked, which may be used to protect ATM PIN codes of smart phones or shorter passwords are particularly vulnerable to attacks.
Malicious attackers looking for potential victims can take hot images of keyboards, smart phones or ATMs and use them to guess the passwords as long as they use this clever technology. In some cases, they need physical access devices themselves, but the target of attack may be left unattended by the computer.
It is also possible that the attacker already knows the user name of the online account of the target, or they may use the hot attack to find the user name.
This paper on ThermoSecure was written by Dr. Mohamed Kham, Dr. John Williamson and Norah Alotaibi of Glasgow University and has been published. They hope that the paper will show the world the potential risks of thermal imaging attacks, because the technologies used to support such attacks have become cheaper and more popular.
Dr Mohamed Khamis, who led the development of ThermoSecure, is a senior lecturer in the Department of Computer Science at Glasgow University. He said that it is more convenient than ever to use thermal imaging cameras. Their price is less than 200 pounds, and machine learning is becoming more and more popular. This makes it possible for people all over the world to develop systems along the lines of ThermoSeucre in order to steal passwords.
He said: "Computer security research should keep pace with these development trends in order to find new ways to reduce risks; We will continue to develop our technology and try to be one step ahead of the attackers, which is very important. "
However, although the research shows some advanced technologies that can be used to crack passwords, it is relatively simple for users to protect their accounts by using stronger passwords.
Dr. Khamis said that longer passphrases take longer to enter, which also makes it more difficult to get accurate readings on thermal imaging cameras, especially if users are blind. He also said that the verification mechanism using biometric identification has also increased protection.
Users can adopt alternative authentication methods (such as fingerprint or face recognition), which can eliminate many risks of hot attacks, thus helping to improve the security of their devices and keyboards.
And reference source: https://www.zdnet.com/article/this-thermal-attack-can-read-your-password-from-the-heat-your-fingertips-leave-behind/
