‘Thermal attacks’ – academics warn of risks that heat cameras could deduce passwords

Researchers from the University of Glasgow claim to have created a system through which heat-sensing technology could be used – with high success levels – to decipher passwords from keyboards and screens

Computer security experts from the University of Glasgow claim to have developed a system capable of guessing computer and smartphone users’ passwords in seconds by analysing traces of heat left on keyboards and screens.

The system, named ThermoSecure, was developed to demonstrate how the falling price of thermal imaging cameras and increased access to machine learning are creating a new potential cyber risk: thermal attacks.

The researchers took 1,500 thermal images of recently used QWERTY keyboards from different angles. They trained an artificial intelligence model to effectively read the images and make informed guesses about the passwords from the heat signature clues using a probabilistic model.


Two user studies demonstrated that ThermoSecure could recover passwords of up to 16 characters at a 67% success rate. Shorter passwords yielded higher success rates: 12-character passwords were guessed 82% of the time, eight-character passwords 93% of the time, and six-digit codes 100% of the time.

Attacks can reportedly occur after users type their password on a computer keyboard, smart device screen or ATM keypad and then leave the device unattended. An individual with a thermal camera can then take a photo revealing the heat signature of where the user’s fingers touched the surface.

The brighter an area appears in the thermal image, the more recently it was touched. Measuring the relative intensity of the warmer areas makes it possible to determine specific letters, numbers, and symbols that comprise a password, as well as estimate the order.

Previous research by Dr Mohammed Khamis, who led the development of ThermoSecure, demonstrated that non-experts were able to successfully guess passwords by carefully examining thermal images taken within 30-60 seconds of the password being entered.

Khamis said: “This is the first comprehensive literature review of security measures against thermal attacks, and our survey showed some interesting results. Intuitively, users suggested some strategies that weren’t in the literature, like waiting to use an ATM until their surroundings seemed safest. They were also keen on strategies that were already familiar, like two-factor authentication, because they were aware of their effectiveness. We also saw that they considered issues like hygiene, which made the strategy of breathing on devices to mask heat traces very unpopular, and privacy, which some users considered when thinking about additional security measures like face or fingerprint recognition.”

Khamis recommended that manufacturers could help to thwart cyberattackers “by integrating new software locks to prevent thermal cameras from taking pictures of surfaces like PIN pads on bank machines”.

“We’re continuing to explore potential approaches to mitigating the risk of thermal attacks,” he added. “Although we still don’t know how widespread these attacks on personal information are at the moment, it’s important that computer security researchers keep pace with the risks that thermal cameras could pose to users’ personal information, particularly since they are now so cheap and widely available. Ultimately, our advice to the public would be to try to find one strategy that suits their own personal habits and behaviours and to remember to use it as often as possible in their lives. Any action they can take regularly to help guard against thermal attacks will make it harder for others to gain access to their personal data.”

Ruaraidh Gilmour
