By imaging heat signatures left by user's fingers on device, system can discern order of keys pressed to form password
Researchers at the University of Glasgow have developed a new technique called ThermoSecure that uses thermal cameras and AI to guess passwords entered on keyboards or phone screens with high accuracy.
By imaging the heat signatures left by a user's fingers on the device, the system can discern the order of the keys pressed to form a password.
Thieves have recently been stealing passwords, or watching users enter them in public places, to access their devices, making password guessing a straightforward way to bypass all security measures. ThermoSecure widens the window for thieves to steal passwords since they no longer need to remember the password or record the victim entering it.
The success rate of ThermoSecure varies depending on several factors, including password length, materials, and timing.
The technique's accuracy is highest within the first 20 seconds of the password being entered, with a success rate of 86%. It drops to 76% after 30 seconds and 62% after a minute. Longer passwords decrease the system's effectiveness, with a 16-character password having a success rate of 67%.
Meanwhile, the success rate increases to 82% for a 12-character password, 93% for an eight-character password, and 100% for a six-character password.
ThermoSecure's effectiveness on keyboards depends on factors such as typing style and materials. With a 30-second-old heat signature image, the system can guess a touch typist's password 80% of the time and a hunt-and-peck user's password in 92% of cases.
However, keyboards made of PBT plastics reduce the success rate to 14%, while ABS plastics cut it to around 50%. Backlit keyboards are more secure since they generate more heat, hiding thermal fingerprints.
Thermal cameras are easily available to thieves, making ThermoSecure a potential threat to device security.
Although there is no evidence of the technology being used widely, users are advised to avoid entering passwords in public places and use biometric authentication methods whenever possible. The research demonstrates the need for stronger security measures to protect against password guessing and unauthorised access to devices.