Getting colder -- cutting the risk of thermal attacks

Earlier this week we reported on a technique that could determine a password by listening to keystrokes. Just in case you weren't worried enough by that, today we learn of the risk of passwords being compromised by 'thermal attacks'.

These use heat-sensitive cameras to read the traces of fingerprints left on surfaces like smartphone screens, computer keyboards and PIN pads. Hackers can then use the relative intensity of heat traces across recently-touched surfaces to reconstruct users' passwords.

Dr Mohamed Khamis and colleagues from the University of Glasgow set out to demonstrate the technique last year. This has led them to develop ThermoSecure, a system which uses AI to scan heat-trace images and correctly guess passwords in seconds, alerting many to the threat of thermal attacks.

In a paper presented at the USENIX Security Symposium today, the researchers have identified 15 different approaches which could reduce the risk of thermal attacks.

Dr Khamis says:

"This is the first comprehensive literature review of security measures against thermal attacks, and our survey showed some interesting results. Intuitively, users suggested some strategies that weren't in the literature, like waiting to use an ATM until their surroundings seemed safest. They were also keen on strategies that were already familiar, like two-factor authentication, because they were aware of their effectiveness.

"We also saw that they considered issues like hygiene, which made the strategy of breathing on devices to mask heat traces very unpopular, and privacy, which some users considered when thinking about additional security measures like face or fingerprint recognition."

Approaches to cut the risk of falling victim to a thermal attack include reducing the transfer of heat from users’ hands, by wearing gloves or rubber thimbles, or changing the temperature of hands by touching something cold before typing. They also include pressing hands against surfaces or breathing on them to obscure fingerprint heat once you’ve finished typing.

Co-author of the report, Dr Shaun Macdonald, from the University of Glasgow's School of Computing Science, says, "For manufacturers of devices used in public spaces, we suggest that thermal attacks are considered as early as possible in the design phase, so that devices could be augmented with physical screens to block the surfaces for a brief period, or privacy-enhancing keyboards that shuffle the layout of keys after use. Where devices are already in circulation, software updates could help remind users to be aware of their surroundings and take action to prevent observation with thermal cameras."

Image credit: University of Glasgow
