Thermal imaging cameras, combined with artificial intelligence, can be used to detect which keys were pressed when a password is entered on a keyboard.
A team at the University of Glasgow looked at how artificial intelligence, rather than mere visual inspection, could be successfully used to process thermal images that capture the heat traces left on keyboard keys when passwords are entered.
The researchers demonstrated the effectiveness of the system, known as ThermoSecure, using 1,500 photos of keyboards with heat traces left over from typing.
In their first study, the researchers say that “ThermoSecure successfully attacks 6-, 8-, 12-, and 16-symbol passwords with an average accuracy of 92%, 80%, 71%, and 55%, respectively, and even greater accuracy when thermal images are taken within 30 seconds.”
They also said that “typing behavior significantly affects susceptibility to thermal attacks: hunt-and-peck typists are more at risk than fast typists (92% versus 83% thermal attack success).”
The second study also showed that the keycap material had a significant impact on the success of thermal attacks. A commonly used material, acrylonitrile butadiene styrene (ABS) copolymer, resulted in longer heat traces from presses than those on PBT keycaps. As a result, keystrokes on ABS keycaps were recovered with an average accuracy of 52%, while keystrokes on PBT keycaps were recovered with only 14%.
In terms of hardware, only a basic thermal imaging camera is needed; the researchers noted that models costing only about $150 will suffice. The AI software uses an object detection technique based on Mask R-CNN to map the thermal image to the keys of the keyboard. Variables such as the location of the keyboard are taken into account first; key presses, including multiple presses of the same key, are then detected, and the algorithm determines the order in which the keys were pressed.
While it’s unlikely you’ll have a thermal camera trained on your device in the real world, there are a few steps you can take to protect yourself against such attacks. First, as previously mentioned, hunt-and-peck typists are more vulnerable, so using longer passwords and typing faster where possible can help.
Also, backlit keyboards can radiate more heat, which actually helps to mask the heat signatures from the keys you press. And even if you use the most secure passwords created by a password generator, along with the best possible password manager, biometric and other passwordless options will always be preferable, because they involve no keystrokes that matter from a thermal attack point of view.