Researchers have discovered that the heat from fingertips can be used to retrace recently-typed passwords through thermal imagery.
In a study at the University of Glasgow, researchers developed an AI system called ThermoSecure that can crack passwords up to a minute after they are entered. This can be done by taking thermal-camera images of smartphones, ATM buttons, a computer keyboard, or a touchscreen.
Keys that were touched more recently show up as brighter markers on the heat-detecting cameras, giving away the order in which they were pressed.
According to the findings, roughly 86 per cent of passwords were cracked when thermal images were taken within 20 seconds of entering the PIN, 76 per cent within 30 seconds, and a still-impressive 62 per cent after a minute.
The AI can detect passwords of up to 16 characters, with a 67 per cent success rate, after 20 seconds of being typed, and the rates increase the shorter the password is. Six-character codes were detected in 100 per cent of attempts.
Given that most smartphone passcodes — not to mention ATM PINs — are only four digits, this is very alarming research.
“They say you need to think like a thief to catch a thief,” said Dr. Mohamed Khamis (pictured below), from Glasgow University’s School of Computing Science.
“We developed ThermoSecure by thinking carefully about how malicious actors might exploit thermal images to break into computers and smartphones.
Given the quick rise of AI, and the dropping cost and improved quality of thermal cameras, such software is no doubt being developed in tandem elsewhere.
“It’s very likely that people around the world are developing systems along similar lines to ThermoSecure in order to steal passwords.
“It’s important that computer security research keeps pace with these developments to find new ways to mitigate risk, and we will continue to develop our technology to try to stay one step ahead of attackers.”