AI Can Use Fingerprint Heat To Crack Passwords In Seconds, Researchers Find


Humans are warm-blooded, which means they can maintain a stable internal body temperature regardless of the temperature of the environment.

It also means that humans leave traces of heat wherever they go, especially when they touch objects that are cooler than they are. This is why thermal imaging cameras are widely used: they render the infrared radiation given off by heat as visible light.

Firefighters use this kind of camera to see areas of heat through smoke, darkness, or heat-permeable barriers. The military can also use it to spot targets within darkness.

And apparently, hackers can use it too.

According to Mohamed Khamis, of the University of Glasgow in the UK, thermal imaging cameras can help hackers crack passwords up to a minute after typing them.

Similar systems could also be developed to break into computers and smartphones.

[Figure: ThermoSecure architecture.]

In a report, Khamis and his team found that heat radiating from people’s fingertips is transferred to keyboards, and that a thermal imaging camera can clearly show this heat on recently used keyboards.

At this stage, working out the password from the image is still guesswork, and brute force may still be useless.

This is why Khamis and his team use AI to help guess the correct password.

The tool they developed is called the 'ThermoSecure' system, and the AI it uses was created by researchers at the University of Glasgow.

According to their research paper, the AI-powered tool cracked some 86% of passwords when thermal images were taken within 20 seconds of typing, and 76% when they were taken within 30 seconds.

Success dropped significantly, to 62%, after 60 seconds of entry.

They also found that, within 20 seconds, the system could successfully attack even long passwords of 16 characters, with a rate of up to 67% correct attempts.

Shorter passwords are easier to crack. Twelve-symbol passwords were guessed up to 82% of the time, eight-symbol passwords up to 93% of the time, and six-symbol passwords were cracked in 100% of attempts.

According to Mohamed Khamis:

"They say you need to think like a thief to catch a thief."

"We developed ThermoSecure by thinking carefully about how malicious actors might exploit thermal images to break into computers and smartphones."

In an attack scenario, a hacker can point a thermal imaging camera at a keyboard, smartphone screen or keypad soon after the target has typed a password and left the device unguarded.

A thermal imaging camera renders heat as a visible image in which warmer areas appear brighter.

In this case, the brighter an area is, the more recently it was touched.

[Figure: Impact of the heat trace age and the length of the password on the accuracy of the guess.]

By measuring the relative intensity of the warmer areas, the researchers found it was possible to determine the specific letters, numbers or symbols that make up the password and to estimate the order in which they were used.

Khamis, who led the development of the technology with Norah Alotaibi and John Williamson, said that with thermal imaging cameras becoming more affordable than ever and machine learning becoming more accessible, it is "very likely that people around the world are developing systems along similar lines to ThermoSecure in order to steal passwords."

"It’s important that computer security research keeps pace with these developments to find new ways to mitigate risk, and we will continue to develop our technology to try to stay one step ahead of attackers," he said.

It's worth noting that the success rate depends on how users type: the slower they type, the longer the heat signature should last. The material of the keyboard, screen or keypad also matters, as some plastics apparently retain heat longer than others.

Users can help make their devices and keyboards more secure by adopting alternative authentication methods, like fingerprint or facial recognition, "which mitigate many of the risks of thermal attack." Or they can simply touch a wider area to confuse the system.