Hackers may now use thermal cameras and artificial intelligence to reveal passwords

Researchers warn that current password-based security protections could deteriorate if hijackers start using artificial intelligence-assisted thermal imaging to determine passwords shortly after they are entered. Researchers at the University of Glasgow have unveiled a method to guess recently entered passwords on keyboards and phone screens with high accuracy by imaging the heat signature of users' fingers.

The technique's success rate varies with time, materials and password length, but could worsen a recent uptick in device thefts.

Thieves have recently begun stealing and breaking into phones and other devices by watching users enter their passwords in public places. Logging in with a victim's password is a straightforward way to overcome all the security measures that companies like Apple and Google have painstakingly put in place, and once someone steals and logs into their device, there's nothing the victim can do.

However, a successful identity theft requires the perpetrator to remember the password as they see it, or to record the victim as they enter it. The researchers' new method could give thieves a wider window into deciphering passwords after someone types them in.

If a person takes a picture of the screen or keyboard with a thermal camera within a minute of entering their password, the AI ​​can reliably guess the sequence of key presses. The system, called ThermoScure, has a success rate of at least 62 percent, depending on the conditions.

Timing is of the essence, and ThermoSecure had an 86% success rate when analyzing photos taken within 20 seconds of entering a password. The success rate dropped to 76% at 30 seconds and to 62% after one minute.

Longer passwords reduce the effectiveness of the system to some extent. ThermoSecure can guess a 16-character password 67 percent of the time in images taken within 20 seconds of someone entering the password. The guess rate rose to 82% for 12-character passwords, 93% for 8-character passwords, and 100% for 6-character passwords. These results make any non-alphanumeric iPhone passcode a prime target for the system, as simple passcodes for the device can be up to six numbers.

As with keyboards, other factors such as typing style and materials can also affect ThermoSecure's accuracy. From a 30-second thermal signature image, the system could guess the passwords of touch-typists 80% of the time and the passwords of predatory users 92% of the time. Meanwhile, keys made of PBT plastic reduce the success rate to 14%, while ABS plastic only reduces it to about 50%. Backlit keyboards are also safer because they generate more heat and hide thermal fingerprints.

Identity thieves already have easy and cheap access to thermal cameras. While methods to combine them with AI-driven guesswork are not yet available, this study appears to prove the theory, giving users more reason to enact strong security measures. They should avoid entering passwords where others can see them and use other authentication methods, such as biometrics, where possible.