Researchers at the University of Glasgow have published a paper that highlights their so-called ThermoSecure implementation for discovering passwords and PINs. The name ThermoSecure provides a clue to the underlying methodology, as the researchers are using a mix of thermal imaging technology and AI to reveal passwords from input devices like keyboards, touchpads, and even touch screens.
Before looking at the underlying techniques and technology, it's worth highlighting how impressive ThermoSecure is for uncovering password inputs. During tests, the research paper states: "ThermoSecure successfully attacks 6-symbol, 8-symbol, 12-symbol, and 16-symbol passwords with an average accuracy of 92%, 80%, 71%, and 55% respectively." Moreover, these results were from relatively ‘cold’ evidence, and the paper adds that "even higher accuracy [is achieved] when thermal images are taken within 30 seconds."
How does ThermoSecure work? The system needs a thermal camera, which is becoming a much more affordable item in recent years. A usable device may only cost $150, according to the research paper. On the AI software side of things, the system uses an object detection technique based on Mask RCNN that basically maps the (thermal) image to keys. Across three phases, variables like keyboard localization are considered, then key entry and multi-press detection is undertaken, then the order of the key presses is determined by algorithms. Overall it appears to work pretty well, as the results suggest.
Hunt-and-Peck Typists Become the Hunted
With the above thermal attack looking quite viable option for hackers to spy passwords, PINs, and so on, what can be done to mitigate the ThermoSecure threat? We've gathered the main factors that can impact the success of a thermal attack.
Input factors: Users can be more secure by using longer passwords and typing faster. "Users who are hunt-and-peck typists are particularly vulnerable to thermal attacks," note the researchers.
Interface factors: The thermodynamic properties of the input device material is important. If a hacker can image the input device in under 30 seconds, it helps a lot. Keyboard enthusiasts will also probably be interested to know that ABS keycaps retained touch heat signatures much longer than PBT keycaps.
Erase activity: The heat emitted from backlit keyboards helps disguise the heat traces from the human interaction with the keyboard. A cautious person could sometimes touch keys without actuating them and not leave the input area for at least a minute after they input the username / password.
Go passwordless: Even the best passwords are embarrassingly insecure compared to alternative authentication methods such as biometrics.
In summary, the accuracy of these thermal attacks is surprisingly high, even some time after the user has moved away from the keyboard / keypad. It is worrying but no more so than the other surveillance / skimming techniques that are already widespread. The best solution to these kinds of password and PIN guessing methods appears to be the move to biometrics, and / or two or more factor authentication. Preventing unauthorized access to your device in the first place (i.e. not leaving your laptop or phone unattended), especially not right after typing in your PIN/password, will also help thwart attackers.