Security researchers at the University of Glasgow's School of Computing Science have developed a new AI-driven method that allows to guess computer and smartphone users’ passwords in seconds by examining traces of heat left by fingertips on a keyboard or screen.

Dubbed “ThermoSecure,” the technique is meant to demonstrate how falling prices of thermal imaging cameras and rising access to machine learning are creating new risks for ‘thermal attacks.’

By using a thermal camera an attacker can take a picture that shows the heat signature left by users’ fingertips on the area where they touched a keyboard, smartphone screen or ATM keypad.

The brighter an area appears in the thermal image, the more recently it was touched, and by measuring the relative intensity of the warmer areas it is possible to identify specific letters, numbers, or symbols that a password consists of and estimate the order in which they were used.

To test their theory, the researchers took 1,500 thermal photos of recently-used QWERTY keyboards from different angles, and then used an artificial intelligence model to guess passwords from the heat signatures.

Through two user studies, they found that ThermoSecure was capable of revealing 86% of passwords when thermal images are taken within 20 seconds, and 76% when within 30 seconds, dropping to 62% after 60 seconds of entry.

The technique was also able successfully guess even long passwords of 16 characters within 20 seconds, with a rate of up to 67% correct attempts. As passwords grew shorter, success rates increased – 12-symbol passwords were guessed up to 82% of the time, eight-symbol passwords up to 93% of the time, and six-symbol passwords were successful in up to 100% of attempts.

“Longer passwords are more difficult for ThermoSecure to guess accurately, so we would advise using long passphrases wherever possible. Longer passphrases take longer to type, which also makes it more difficult to get an accurate reading on a thermal camera, particularly if the user is a touch typist. Backlit keyboards also produce more heat, making accurate thermal readings more challenging, so a backlit keyboard with PBT plastics could be inherently more secure,” the researchers said.

Users can also make their devices and keyboards more secure by adopting alternative authentication methods, like fingerprint or facial recognition, which mitigate many of the risks of thermal attack.