Heat from fingertips can be used to crack passwords: Study

Dr. Mohamed Khamis demonstrating the thermal password attack | via University of Glasgow

Cybercriminals use various methods to hack passwords. Some leverage phishing, wherein they impersonate a trusted organisation and send fraudulent emails, texts, or calls to to steal login credentials. Others turn to brute force attacks, which involves using trial-and-error to guess a user"s password. But did you know that heat can also be used to crack passwords?

Cybersecurity experts in Scotland have developed a system that uses thermal imaging and artificial intelligence (AI) to instantly crack passwords (via CTV News). Called ThermoSecure, the system works by analyzing the traces of heat left by a person"s fingertips when they enter their password on a computer keyboard or mobile device. Because brighter areas on a heat-sensing image show areas that were touched more recently, this makes it possible to guess the order of used letters, numbers, and symbols.

To make this possible, associate professor at the University of Glasgow Dr. Mohamed Khamis and his team used machine learning and 1,500 thermal images of recently used keyboards to train an AI model to read heat signatures and study likely password combinations.

The study found that longer passwords were more secure, as ThermoSecure cracking 67% of 16-character passwords within 20 seconds. The system worked better with shorter passwords, as its success rate increased to 82%, 93%, and 100% for 12-, 8-, and 6-character passwords, respectively.

A user"s typing style also mattered, as "hunt-and-peck" keyboard users who lingered more on keys created longer-lasting heat signatures than "touch-typists" who typed faster. In the study"s tests, ThermoSecure was 92% successful in guessing the first group"s password, while it was only 80% successful with the latter.

What"s more, the study found that ThermoSecure was 52% successful in cracking passwords from keys made of ABS plastics. When it came to PBT plastic keys, however, the system was only 14% successful.

The team behind ThermoSecure warns that thermal imaging password attacks could become more common soon, given how thermal imaging cameras are becoming more affordable and machine learning is becoming more accessible. To mitigate the risk of these attacks, the team suggests using alternative authentication methods such as fingerprint or facial recognition. "Longer passwords are more difficult for ThermoSecure to guess accurately, so we would advise using long passphrases wherever possible," Dr. Khamis added.

Report a problem with article
Next Article

Amazon Prime Day deals: Seagate IronWolf, Toshiba 6TB, 8TB, 16TB CMR NAS hard drives

Previous Article

Intel 31.0.101.3490 Windows driver brings Arc A770 and A750 support, and more