Deep Dives Level Up Newsletters Saved Articles Challenges

AI

Hackers wage ‘thermal attack’ by cracking victims’ passwords using body heat

First, they turned to extortionware, now they’re using our body heat to bypass our (oftentimes weak) passwords. Hackers are back stronger than ever, peeps—with new research conducted by the University of Glasgow’s School of Computing Science showing that thermal imaging cameras, paired with AI, are the latest gadgets being used by hackers to access unknowing individuals’ computers and smartphones.

Speaking on the study’s results, Dr Mohamed Khamis explained that while the risk of a thermal attack remains slim, the detecting and measuring technology is becoming cheaper than ever—they can be found for less than £200—in turn, making the practice more accessible.

How does a thermal attack work?

Let’s say you’re spending the day at your go-to co-working space. What’s the first thing you do once you’ve found a cosy spot, plugged in your laptop charger and taken your computer out? Right, you type in your password.

The same applies to your phone. If someone happens to stand behind you as you suddenly decide to do the oh-so-dreaded monthly bank account balance check, even if they didn’t get a chance to catch a close look at your password as you typed it in, all they need to do is snap a quick picture of your smartphone’s screen and bam—your private information is up for grabs.

Once in possession of your screen’s picture, which was snapped using a thermal imaging camera, all a hacker needs to do is trace the heat signature your fingers have left on your keyboard after typing in your password.

The more recently an area has been touched, the brighter it will appear on the heat-detecting image. By measuring the intensity of the warmer areas using an AI algorithm, people can even find specific letters or symbols that make up a password and use it themselves to hack into your device.

“They say you need to think like a thief to catch a thief,” Dr Khamis stated, continuing, “We developed ThermoSecure by thinking carefully about how malicious actors might exploit thermal images to break into computers and smartphones.”

After being tested on 1,500 thermal photos of recently-used QWERTY keyboards from different angles, ThermoSecure was capable of revealing 86 per cent of passwords when thermal images were taken within 20 seconds of surfaces being touched, and 76 per cent when within 30 seconds, dropping to 62 per cent after 60 seconds of entry.

The team of researchers also found that within 20 seconds, ThermoSecure was capable of successfully attacking even long passwords of 16 characters, with a rate of up to 67 per cent correct attempts.

As passwords grew shorter, success rates increased—12-symbol passwords were guessed up to 82 per cent of the time, eight-symbol passwords up to 93 per cent of the time, and six-symbol passwords were successful in up to 100 per cent of attempts.

I hate to be the bearer of bad news, but unfortunately, there’s not much you can personally do to stop such attacks. My one piece of advice? Start coming up with passwords that are longer than 16 characters and hope that the hackers can’t access your notes page titled “passwords.”

“One potential risk-reduction pathway could be to make it illegal to sell thermal cameras without some kind of enhanced security included in their software. We are currently developing an AI-driven countermeasure system that could help address this issue,” Dr Khamis added. Not all heroes wear capes.

Ukrainian startup is offering hackers $100,000 to bring down Russian websites

On Tuesday 1 March at 4 am, Kyiv-based cybersecurity company Cyber Unit Technologies officially launched ‘Fuck Hack Russia’, a global ‘hackathon’ calling for volunteers to help expose Russian software vulnerabilities. In exchange, the company is promising $100,000 in cryptocurrency to the best online attacks conducted against Russian websites.

https://twitter.com/Yegor_au/status/1497880962990059522

The mastermind behind this unprecedented cyber effort is Cyber Unit’s co-founder Yegor Aushev, who called it a “decentralised cyber army [drawn] from the whole world.” He says over 500 people—including Ukrainians who work in the country’s technology sector as well as outsiders—have come forward so far to volunteer. Aushev’s firm is known for working with Ukraine’s government on the defence of critical infrastructure.

This initiative follows the highly unusual call on Saturday 26 February, made by Ukrainian Vice Prime Minister Mykhailo Fedorov, for global volunteers from the country’s hacker underground to help protect critical infrastructure and conduct cyber spying missions against Russian troops—forming an “IT Army.” Fedorov added that the army in question would be organising on the encrypted messaging app Telegram, where volunteers would be able to complete “operational tasks.”

The government’s effort, which even has its own Twitter account, is openly calling for hackers to work with the international hacktivist collective Anonymous. The group has also joined forces with a band of Belarusian activists called the Cyber-Partisans whose cyberattack on Belarus’ train network allegedly disrupted Russian troop movements into Ukraine—the first time ransomware has been used this way if proved true.

Reporting on the topic, Sifted added, “Other hacking groups include the Georgian Hackers Society, whose members are swapping disruption tips on social hub Discord. ‘We are ghosts attacking Russia and Russian occupiers,’” one anonymous member told the publication.

While it’s unclear so far how effective the community-driven cyberattacks will be at slowing down Russia, the message of resistance they promote has been helpful in itself for Ukrainians. At the very least, the defensive cyberattacks will “certainly cause annoyance and frustration,” Tim Stevens, director of the Cyber Security Research Group (CSRG) at King’s College London, told Sifted. “What we have not seen so obviously [before] is [the] mobilisation of domestic hacker and IT communities in defence of a sovereign nation.”

Cyber Unit Technologies is also calling for donations to grow its reward pot.