Llamado\u00a0ThermoSecure, los investigadores de la Facultad de Ciencias de la Computaci\u00f3n de la Universidad de Glasgow desarrollaron el sistema para mostrar c\u00f3mo la ca\u00edda del precio de las c\u00e1maras termogr\u00e1ficas y el aumento del acceso a los algoritmos de aprendizaje autom\u00e1tico e inteligencia artificial (IA) est\u00e1n creando nuevas oportunidades para lo que describen como ataques t\u00e9rmicos.<\/p>\n
Computer security researchers say they’ve developed an AI-driven system that can guess computer and smartphone passwords in seconds by examining the heat signatures that fingertips leave on keyboards and screens when entering data.<\/p>\n
Called ThermoSecure, researchers at the\u00a0University of Glasgow’s School of Computing Science<\/a>\u00a0developed the system to show how the falling price of thermal-imaging cameras and increasing access to\u00a0machine-learning and artificial intelligence<\/a>\u00a0(AI) algorithms are creating new opportunities for what they describe as thermal attacks.<\/p>\n By using a thermal-imaging camera to look at a computer keyboard, smartphone screen or ATM keypad, it’s possible to take a picture that reveals the recent heat signature from fingers touching the device.<\/p>\n The brighter the area appears in the thermal image, the more recently it was touched \u2013 meaning that the image could be used to crack a password or pin code by analyzing where the keyboard or screen was touched, and when.<\/p>\n Earlier research by the University of Glasgow into thermal attacks has suggested that humans without expertise can guess passwords by looking at thermal images, and now \u2013 by adding artificial intelligence \u2013 passwords could be cracked even faster by specialist attackers.<\/p>\n Using ThermoSecure to analyse images using AI, 86% of passwords were revealed when thermal images were taken within 20 seconds, 76% could be guessed using images within 30 seconds, and 62% could be discovered after 60 seconds.<\/p>\n The longer the\u00a0password<\/a>, the more difficult it was to reveal, but it still proved possible in the majority of cases. ThermoSecure could crack two-thirds of passwords of up to 16 characters and, as passwords get shorter, the more success the system had \u2013 12-character passwords were guessed up to 82% of the time and eight-character passwords were guessed up to 93% of the time.<\/p>\n Passwords made up of six characters or less were successfully cracked 100% of the time \u2013 something that could make ATM PIN codes or shorter codes that are used to protect smartphones particularly vulnerable to attacks.<\/p>\n By using this clever technique, a malicious attacker observing potential victims could take a thermal photo of a keyboard, smartphone or ATM and use that to guess passwords. In some cases, they’d also need to physically access the device themselves \u2013 but it’s also possible that the target could leave their computer unattended.<\/p>\n There’s also the possibility that an attacker could already know the username of their target’s online account \u2013 or they could potentially use the thermal attack to uncover that, too.<\/p>\n The paper on ThermoSecure<\/a>\u00a0\u2013 authored by the University of Glasgow’s Dr Mohamed Kham, Dr John Williamson and Norah Alotaibi \u2013 has been released in the hope that it shows the potential risk posed by thermal imaging attacks as the technology used to power them becomes cheaper and more widely available.<\/p>\n “Access to thermal-imaging cameras is more affordable than ever \u2013 they can be found for less than \u00a3200 \u2013 and machine learning is becoming increasingly accessible, too. That makes it very likely that people around the world are developing systems along similar lines to ThermoSecure in order to steal passwords,” said Dr Mohamed Khamis, reader in computer science at the University of Glasgow, who led the development of ThermoSecure.<\/p>\n “It’s important that computer security research keeps pace with these developments to find new ways to mitigate risk, and we will continue to develop our technology to try to stay one step ahead of attackers,” he added.<\/p>\n But while the research demonstrates some advanced techniques that could be used to crack passwords, for users, protecting their accounts is possible by doing one relatively simple thing \u2013\u00a0using stronger passwords<\/a>.<\/p>\n “Longer passphrases take longer to type, which also makes it more difficult to get an accurate reading on a thermal camera, particularly if the user is a touch typist,” said Dr Khamis, who also suggested that\u00a0biometric verification<\/a>\u00a0also adds protection.<\/p>\n “Users can help make their devices and keyboards more secure by adopting alternative authentication methods, like fingerprint or facial recognition, which mitigate many of the risks of thermal attack.”<\/p>\n