Researchers at the University of Glasgow It was published A paper highlighting a so-called ThermoSecure implementation for detecting passwords and PINs. The name ThermoSecure holds a clue to the underlying methodology, as researchers use a combination of thermal imaging technology and AI to reveal passwords from input devices such as keyboards, touchpads, and even touchscreens. Offers.
Before looking at the underlying techniques and technology, it’s worth emphasizing just how good ThermoSecure is at revealing password entries. During testing, the research paper states: Moreover, these results are due to relatively “cold” evidence, the paper adds, “even higher precision.” [is achieved] If the thermal image is taken within 30 seconds. ”
How does ThermoSecure work? The system requires a thermal camera, which has become a more affordable item in recent years. According to the research paper, the price of the usable device is only $150. On the AI software side, the system basically uses an object detection technique based on Mask RCNN that maps (thermal) images to keys. In three phases, variables such as keyboard localization are considered, then keystrokes and multiple presses are detected, and then the algorithm determines the order in which to press the keys. Overall, it seems to work pretty well, as the results suggest.
Hunt and peck typist is hunted
The above thermal attack looks like a very viable option for hackers to spy on passwords, PINs, etc., but what can be done to mitigate the ThermoSecure threat? We have summarized the main factors.
Input factor: Users can be more secure by using longer passwords and typing them faster. “Users who are hunting-and-pecking typists are particularly vulnerable to thermal attacks,” the researchers point out.
Interface factor: Thermodynamic properties of input device materials are important. If a hacker can create an image of an input device within 30 seconds of her, it would be very helpful. Keyboard enthusiasts will probably also be interested in how the ABS keycaps retain the touch heat signature much longer than his PBT keycaps.
Erasure activity: The heat emitted by a backlit keyboard helps mask the heat signatures of human interaction with the keyboard. An observant person may not leave the input area for at least a minute after touching a key and entering a username/password without actuating it.
Go passwordless: Even the best passwords are embarrassingly insecure when compared to alternative authentication methods such as biometrics.
In summary, the accuracy of these thermal attacks is surprisingly high, even after the user leaves the keyboard/keypad. This is worrisome, but like any other monitoring/skimming technique already prevalent. The best solution to this kind of password and PIN guessing method seems to be biometrics or his move to two or more factors of authentication. Preventing unauthorized access to the device in the first place (i.e. never leaving her laptop or phone unattended), especially immediately after entering her PIN/password, also helps deter attackers.
