The cybercriminal has a wide variety of tricks at his disposal to steal information from the victim. Recently, a group of researchers from the University of Glasgow, in Scotland, has warned about a method that, in the wrong hands, could compromise Internet users’ data in a matter of seconds: the ‘heat attack‘, in which the only thing that is needed is to analyze the heat that remains on the Internet user’s keyboard or the screen of his ‘smartphone’ after typing.
Specifically, the team of researchers from the British center has devised its own system, called Thermosecurewith which he demonstrates how the falling prices of thermal imaging cameras -which detect and measure the infrared energy of objects- and the increase in access to machine learning are creating new risks for the development of this type of attack.
In order to be successful in a thermal attack, the researchers stress that no need to be a great expertI don’t even have a lot of computer skills. Nor is it necessary to make a large outlay; for less than 300 euros you can have what you need to get the information.
They say you have to think like a thief to catch a thief. We developed ThermoSecure by thinking carefully about how thermal imaging could be exploited by malicious actors to access computers and smartphones,” explains Dr. Mohamed Khamis, principal investigator for the system’s development.
In order to carry out their research, the team at the University of Glasgow took 1,500 thermal photos of QWERTY keyboards that had recently been used from different angles. After this, they trained an AI to be able, from the captured images, to share the most likely combinations that users would have used as passwords.
Up to 86% reliability
During the investigation, the team demonstrated that ThermoSecure was capable of revealing 86% of passwords when thermal images were taken 20 seconds later that the user had a keyboard, 76% in 30 seconds and, finally, 62% after 60 seconds.
“Access to thermal imaging cameras is more affordable than ever, they can be found for less than £200, and machine learning is also becoming more accessible. That makes it very likely that people all over the world are developing systems similar to ThermoSecure to steal passwords,” Khamis notes.
The researchers also found that within 20 seconds, ThermoSecure was able to successfully attack even 16-character long passwords, with a successful attempt rate of up to 67%. As passwords became shorter, success rates increased: 12-symbol passwords were guessed up to 82% of the time, eight-symbol passwords up to 93% of the time, and six-symbol passwords were guessed Success up to 100% of attempts.
With this investigation, the members of the team want to alert us to what how easy it is to steal information of users resorting to ‘thermal attacks’. Dr. Khamis, in turn, explains that “a possible risk reduction route could be to make it illegal to sell thermal cameras without some kind of enhanced security included in their software.”