Traces of heat left on keyboards and screens may be used to crack users’ passwords in a new thermal attack threat.

Security experts warn that threat actors could analyze the intensity of heat traces left by fingerprints on smartphone screens, computer keyboards, or ATM pads with a heat-sensitive camera and reconstruct passwords within moments.

Researchers from the Universities of Glasgow, Lancaster, and Ruhr-University Bochum published a study in which they identified 15 approaches to reduce the security risk resulting from greater accessibility of thermal imaging cameras and machine learning software.

Some user-side solutions include wearing gloves or touching something cold to change the temperature of the hands before typing, or alternatively pressing the whole hand onto the surface after typing as a sort of “eraser”.

Hardware- and software-based solutions urge manufacturers to place a heating element behind surfaces to erase finger heat, to use materials that dissipate heat more rapidly, or to introduce a physical shield that covers the keys until the heat has dissipated.

Lead author of the study Dr. Mohamed Khamis states that privacy is another issue that makes the use of biometrics like face or fingerprint recognition a less attractive option for the public but adds that users seem accepting of familiar strategies like two-factor authentication.

According to Cybernews, a study published last year and led by Dr. Khamis demonstrated how easy it is to use thermal images to crack passwords. An AI-driven system developed by his team, called ThermoSecure, could reveal 86% of passwords when thermal images were taken within 20 seconds of entry and 76% when taken within 30 seconds. Within 20 seconds, the system cracked longer passwords with a 67% success rate and guessed shorter passwords up to 82% of the time. The success rate for breaking shorter, six-symbol passwords was up to 100%.

Corresponding author Prof. Karola Marky said: “We advise that they (users) pay close attention to their surroundings when entering sensitive data in public to make sure no one is watching or use a secure facility such as a bank,” and added: “Where that’s not possible, we suggest resting palms on devices to obscure traces of heat or wearing gloves or finger protection if they can.”