ThermoSecure: Cracking Passwords Using Finger Heat on Keyboards is Now Possible

What if a hacker could guess your passwords from the heat you leave behind on your keyboard? A group of computer security researchers at the University of Glasgow's School of Computing Science in the UK succeeded in deploying such an attack.

In a paper to be published in the upcoming issue of the ACM Transactions on Privacy and Security journal, a team led by associate professor Mohamed Khamis developed ThermoSecure, a system using a thermal imaging camera to guess and identify the keys that were last touched by an individual – the brighter the area appears in the thermal image, the more recently it was touched.

The researchers then used this system to guess passwords and PINs on computer keyboards, smartphone screens and ATM keypads.

Their results are quite staggering, with 86% of passwords revealed when thermal images were taken within 20 seconds, 76% with images taken within 30 seconds and 62% after 60 seconds.

With ThermoSecure, the researchers could crack two–thirds of passwords of up to 16 characters. And it got even easier with shorter ones: 12–character passwords were guessed up to 82% of the time and eight–character passwords were guessed up to 93% of the time. Passwords from six characters or less were guessed 100% of the time.

While for research only, this demonstration is a clear warning that short passwords and PINs, such as the ones we use to access to our bank accounts at an ATM, are particularly vulnerable.

What is more, tools like the ones used by Khamis’ team are getting ever more accessible. "Access to thermal–imaging cameras is more affordable than ever – they can be found for less than £200 ($220) – and machine learning is becoming increasingly accessible, too. That makes it very likely that people around the world are developing systems along similar lines to ThermoSecure in order to steal passwords," said Khamis.