Password-cracking and guessing attempts are successful enough as it is to put more than a little gray in the hair of experienced cybersecurity professionals. Now new research shows even more effective cracking attempts could be perpetrated by attackers equipped with a cheap thermal camera and some simple deep-learning models.
The AI-driven attacks were conceptualized and refined by Dr. Mohamed Khamis of the University of Glasgow School of Computing Science and his colleagues at the school, Norah Alotaibi and Dr. John Williamson, who are set to publish their results in an upcoming issue of the ACM Transactions on Privacy and Security journal.
The paper details their work to use off-the-shelf thermal cameras and a probabilistic model that utilized 1,500 thermal images they took of recently used keyboards to create a method of accurately cracking passwords — even in uncontrolled settings. Dubbed ThermoSecure, the method captures heat signatures via thermal cameras and analyzes them with the researchers' AI modeling to guess a password with 86% accuracy when the images are taken within 20 seconds of input, and 62% accuracy within 60 seconds of input.
"Even without knowing the order of the keys, it is possible to significantly reduce the search space, which means fewer attempts are required to guess a password," the researchers wrote in their paper.
Khamis pointed to the accessible price of thermal cameras — which can be picked up for less than $200 — as a cue for why his team wanted to explore this as a potential threat vector. As he explains, this is likely an area where the bad guys are already innovating to develop ways to leverage these tools to their advantage.
"They say you need to think like a thief to catch a thief. We developed ThermoSecure by thinking carefully about how malicious actors might exploit thermal images to break into computers and smartphones," he said. "It's important that computer security research keeps pace with these developments to find new ways to mitigate risk, and we will continue to develop our technology to try to stay one step ahead of attackers."
Not the First Thermal Rodeo
While this is not the first piece of research touching on the use of thermal imaging to guess passwords, previous studies took pictures in highly controlled settings. This latest one focused on how the layering of AI can bridge the gap in accuracy in uncontrolled conditions that might be affected by different camera angles and user behavior. The study also examined how factors like password length and typing styles could impact the accuracy of this technique, offering some hints for mitigation measures.
For example, the jump from eight-symbol passwords up to 16-symbol passwords cut the accuracy of the attack by 26 points when images were taken 20 seconds after input. Similarly, faster-touch typists left less of a heat signature than slower "hunt-and-peck" typists, meaning that the accuracy was about 12 points lower for the former compared with the latter.
Some other mitigating factors included the use of backlit keyboards — which heat up keys enough to "light up" a thermal image enough to flummox the AI model — and the kind of plastic used in a keyboard. For example, ABS plastic retains heat for significantly less time than PBT plastic.
Of course, one of the most reliable mitigations are the ones that are cited for just about any kind of password-cracking or guessing attacks: that is, seeking out alternative login methods.
"Users can help make their devices and keyboards more secure by adopting alternative authentication methods, like fingerprint or facial recognition, which mitigate many of the risks of thermal attack," Khamis said. "In my team, we have previously proposed authentication schemes that rely on eye movements for password entry; gaze-based authentication is resistant to thermal attacks by design."