Digital Economy Blog – Thermal images to steal passwords

During cyberattacks, hackers can often break into a system due to human error. Thus, for example, for a phishing, the attacker can integrate the system when a person clicks on a fraudulent link in an email.

However, a new method of attack would be possible without anyone committing a fault, but only because of the body. This was revealed by a study conducted by researchers at the University of Glasgow in England, published on September 26, 2022. This research highlights the possibility for hackers to recover passwords using thermal imaging.

For this, the research team has created a system called Thermosecure. The objective of the experiment is to demonstrate that with very accessible thermal cameras, since easily found on the Internet and with a very affordable price (regarding 250 euros), coupled with artificial intelligence, often free of access, an attacker can identify a password and break into a system.
Researchers have called this type of attack “thermal attacks”.

The convincing results of Thermosecure

The operation of Thermosecure is relatively simple. When we use certain keys on our keyboard, the images of the thermal camera will highlight brighter areas which represent the heat left by our fingers following our passage, especially when we type our password. Then, the artificial intelligence will take care of trying all the possible combinations from the keys detected by the thermal camera.

The results of this study are edifying. Indeed, thermal cameras would allow passwords to be deciphered up to a minute following being typed. Thus, 86% of passwords were cracked when images were captured within 20 seconds of entering the password. This figure then increases to 76% when images are captured 30 seconds following password entry, then drops to 62% when images are captured 60 seconds following password entry.

The research does not stop there since the researchers have tried to complicate the experimentation with more sophisticated passwords. With a 16-character password, the system is 67% able to detect the password when the images are taken within 20 seconds following entering the password.

Conversely, when passwords are shorter, the success rate increases. In fact, if the passwords of twelve symbols have been deciphered in 82% of the cases, we go to 93% when the password has only 8 symbols. The success rate of 100% was also achieved for passwords with 6 symbols.

This once more highlights the importance of using long and complex passwords. Indeed, even without the aid of thermal cameras, it is always recommended to use so-called strong passwords with a large number of characters and with an elaborate combination.

Previous experiences already revealing

This type of research is not innovative in itself. Indeed, previous researchers have already demonstrated that humans can guess a password by analyzing thermal images. It was in 2011, at the University of San Diego that the first experiment in this area was carried out on distributors to recover bank card codes. During this experiment, there was a 50% chance of recovering the secret code if the analysis was carried out within 30 seconds of entering it.
In 2017, a similar study was conducted in an attempt to collect passwords from smartphones: 78% of the codes might be found when the image was captured 30 seconds following swiping the device.

Nevertheless, the contribution of Thermosecure lies in the use of artificial intelligence to detect passwords. According to the researchers, this is the only way to really measure the threat posed by this type of attack.

Factors can increase the risk of thermal attacks

Certain factors can increase the risk of this type of attack. Indeed, users who are less familiar with computers generally leave their fingers on the keys longer, thus creating a thermal signature which also lasts longer than that of a seasoned user in this area.

Dexterity on a keyboard is not the only thing that comes into play, the type of keyboard is also important. The material the keyboard is made of can play a role in heat signature detection. This is because some plastics are more likely to retain finger heat than others.

Dr. Mohamed Kamis, who leads the development of Thermosecure, also clarified that: “Backlit keyboards also produce more heat, which makes accurate thermal readings more difficult, so a backlit keyboard with plastics PBT may be inherently safer”.

He also points out that: “Users can help make their devices and keyboards more secure by adopting alternative authentication methods, such as fingerprints or facial recognition, which mitigate many thermal attack risks. “.

Thermal attacks: a real threat?

Dr Khamis says: “We developed ThermoSecure with careful consideration of how malicious actors might exploit thermal images to break into computers and smartphones. “. Thus, according to him, the threat is real and might not stop growing.

The fact that thermal imaging cameras can be found easily and inexpensively online contributes to the increase in concern regarding this type of attack. For example, it will take around 250 euros to obtain a thermal camera capable of capturing the thermal signatures left by our fingers when we tap on our keyboards. The concern is increased tenfold because artificial intelligence has also become widely accessible. Indeed, according to Dr. Khamis, because of this new accessibility, it is “very likely that people around the world will develop systems similar to ThermoSecure in order to steal passwords”.

However, for some the risk of this type of attack is not really realistic for business computers because it requires the attacker to be nearby to capture the images. However, this kind of attack should not be taken lightly. On the one hand, it is not excluded that a company has malicious people among its employees, and on the other hand, an attack using thermal imaging might prove to be a real danger for ATMs. Indeed, as revealed by the first study on the subject, this type of vending machine was already vulnerable with thermal imaging and human intelligence. The threat is therefore heightened when imagery is coupled with artificial intelligence.

Sources:


Leave a Replay