Hackers wage ‘thermal attack’ by cracking victims’ passwords using body heat
First, they turned to extortionware, now they’re using our body heat to bypass our (oftentimes weak) passwords. Hackers are back stronger than ever, peeps—with new research conducted by the University of Glasgow’s School of Computing Science showing that thermal imaging cameras, paired with AI, are the latest gadgets being used by hackers to access unknowing individuals’ computers and smartphones.
Speaking on the study’s results, Dr Mohamed Khamis explained that while the risk of a thermal attack remains slim, the detecting and measuring technology is becoming cheaper than ever—they can be found for less than £200—in turn, making the practice more accessible.
How does a thermal attack work?
Let’s say you’re spending the day at your go-to co-working space. What’s the first thing you do once you’ve found a cosy spot, plugged in your laptop charger and taken your computer out? Right, you type in your password.
The same applies to your phone. If someone happens to stand behind you as you suddenly decide to do the oh-so-dreaded monthly bank account balance check, even if they didn’t get a chance to catch a close look at your password as you typed it in, all they need to do is snap a quick picture of your smartphone’s screen and bam—your private information is up for grabs.
Once in possession of your screen’s picture, which was snapped using a thermal imaging camera, all a hacker needs to do is trace the heat signature your fingers have left on your keyboard after typing in your password.
The more recently an area has been touched, the brighter it will appear on the heat-detecting image. By measuring the intensity of the warmer areas using an AI algorithm, people can even find specific letters or symbols that make up a password and use it themselves to hack into your device.
“They say you need to think like a thief to catch a thief,” Dr Khamis stated, continuing, “We developed ThermoSecure by thinking carefully about how malicious actors might exploit thermal images to break into computers and smartphones.”
After being tested on 1,500 thermal photos of recently-used QWERTY keyboards from different angles, ThermoSecure was capable of revealing 86 per cent of passwords when thermal images were taken within 20 seconds of surfaces being touched, and 76 per cent when within 30 seconds, dropping to 62 per cent after 60 seconds of entry.
The team of researchers also found that within 20 seconds, ThermoSecure was capable of successfully attacking even long passwords of 16 characters, with a rate of up to 67 per cent correct attempts.
As passwords grew shorter, success rates increased—12-symbol passwords were guessed up to 82 per cent of the time, eight-symbol passwords up to 93 per cent of the time, and six-symbol passwords were successful in up to 100 per cent of attempts.
I hate to be the bearer of bad news, but unfortunately, there’s not much you can personally do to stop such attacks. My one piece of advice? Start coming up with passwords that are longer than 16 characters and hope that the hackers can’t access your notes page titled “passwords.”
“One potential risk-reduction pathway could be to make it illegal to sell thermal cameras without some kind of enhanced security included in their software. We are currently developing an AI-driven countermeasure system that could help address this issue,” Dr Khamis added. Not all heroes wear capes.
