Thermal cameras, with the help of AI, can be used to detect the keys you press when inputting your password on a keyboard.
A team at the University of Glasgow looked at how AI, rather than mere visual inspection, can be used successfully in processing thermal images that pick out traces of heat left on the keycaps of keyboards when passwords were entered.
The researchers demonstrated the effectiveness of the system, known as ThermoSecure, using 1,500 images of keyboards with heat traces left over from typing.
ThermoSecure
In their first study, the researchers claim that “ThermoSecure successfully attacks 6-symbol, 8-symbol, 12-symbol, and 16-symbol passwords with an average accuracy of 92%, 80%, 71%, and 55% respectively, and even higher accuracy when thermal images are taken within 30 seconds.”
They also said that “typing behavior significantly impacts vulnerability to thermal attacks: hunt-and-peck typists are more vulnerable than fast typists (92% vs. 83% thermal attack success).”
The second study also revealed that the material the keys are made of had a significant impact on the success of thermal attacks. A commonly used material, the copolymer plastic Acrylonitrile Butadiene Styrene (ABS), resulted in longer-lasting heat traces from presses than those on PBT keys. This meant that attacks on ABS keycaps had an average accuracy of 52%, while those on PBT keycaps had only 14%.
When it comes to the equipment used, only a basic thermal camera is needed – the researchers noted that models costing only around $150 suffice. The AI software works via object detection based on Mask RCNN, which maps the thermal image to the keyboard keys. Variables such as keyboard localization are taken into account before key entry and multi-press detection are factored in, and an algorithm then determines the order of the key presses.
Although it is unlikely you’ll have a thermal camera trained on your device in the real world, there are a few steps you can take to secure yourself against such attacks. Firstly, as previously indicated, hunt-and-peck typists are at greater risk, so using longer passwords and typing faster where possible may help.
Also, backlit keyboards can emit more heat, which actually helps to mask the heat signatures from pressed keys. And even if you use the most secure passwords created by a password generator, along with the best password manager possible, biometric and other passwordless options will always be better, as they involve no significant key presses for a thermal attack to pick up.