Glasgow University team suggests steps to counter ‘thermal attacks’

Protect passwords & PINs with multi-factor authentification

Society

Technology

August 11, 2023

/ By / Paris

Glasgow University team suggests steps to counter ‘thermal attacks’

Heat cameras detect fingerprints on surfaces like screens. Hackers reconstruct passwords from heat patterns.

With increasing use of thermal images by hackers to steal passwords and mount attacks, a group of scientists in Glasgow University lays out steps to counter such ‘thermal attacks’.

Rate this post

A team of computer security experts has developed a set of recommendations to help defend against ‘thermal attacks’ which can steal personal information.

Thermal attacks use heat-sensitive cameras to read the traces of fingerprints left on surfaces like smartphone screens, computer keyboards and PIN pads. Hackers can use the relative intensity of heat traces across recently-touched surfaces to reconstruct users’ passwords.

According to a press statement by Glasgow University, last year a team of scientists led by Mohamed Khamis set out to demonstrate how easily thermal images could be used to crack passwords.

The statement adds that the team developed ‘ThermoSecure’, a system which used Artificial Inelligence (AI) to scan heat-trace images and correctly guess passwords in seconds, alerting many to the threat of thermal attacks.

Now, Khamis and colleagues have put together the first comprehensive review of existing computer security strategies, and surveyed users on their preferences on how thermal attacks can be prevented at public payment devices like ATMs or transport ticket dispensers.

Their research i set to be presented as a paper at the ‘USENIX Security Symposium Conference’ at Anaheim in California in the United States on later today. According to the statement, the team has also proposed measures manufacturers can undertake to make their devices more secure. USENIX Security is widely recognised as one of the leading conferences in the fields of computer security and cybersecurity.

The team identified 15 different approaches described in previous papers on computer security which could reduce the risk of thermal attacks.

Those included ways to reduce the transfer of heat from users’ hands, by wearing gloves or rubber thimbles, or changing the temperature of hands by touching something cold before typing.

Approaches suggested in the literature also included pressing hands against surfaces or breathing on them to obscure their fingerprint heat once they had finished typing.

Other suggestions for increased security focused on hardware and software. A heating element behind surfaces could erase traces of finger heat, or surfaces could be made from materials which dissipate heat more rapidly.

Security on public surfaces could be increased by introducing a physical shield which covers keys until heat has dissipated. Alternatively, eye-tracking inputs or biometric security could reduce the risk of successful thermal attacks.

After their research on existing security measures, the team conducted an online survey with 306 participants. The survey aimed to determine users’ preferences among the strategies the team had identified, as well as asking their own thoughts about security measures they could adopt when using public devices like bank machines.

“This is the first comprehensive literature review of security measures against thermal attacks, and our survey showed some interesting results. Intuitively, users suggested some strategies that weren’t in the literature, like waiting to use an ATM until their surroundings seemed safest. They were also keen on strategies that were already familiar, like two-factor authentication, because they were aware of their effectiveness. We also saw that they considered issues like hygiene, which made the strategy of breathing on devices to mask heat traces very unpopular, and privacy, which some users considered when thinking about additional security measures like face or fingerprint recognition,” says Khamis, the team leader.

The paper also makes recommendations for users on how they can defend themselves against thermal attacks in public, and for device manufacturers on how safety measures could be built into future generations of hardware and software.

“Users told us that they considered themselves at least partially responsible for their own security, so we advise that they pay close attention to their surroundings when entering sensitive data in public to make sure no-one is watching, or use a secure facility such as a bank. Where that’s not possible, we suggest resting palms on devices to obscure traces of heat, or wearing gloves or finger protection if they can. We would also advise using multi-factor authentication wherever users are able because it protects against a range of different attacks including thermal attacks, and safeguard all authentication factors as much as possible,” says Karola Marky, corresponding author, who was a postdoctoral researcher in Dr Khamis’ team at the University of Glasgow during this research, and is now a professor  at the Ruhr-University Bochum in Germany.

“For manufacturers of devices used in public spaces, we suggest that thermal attacks are considered as early as possible in the design phase, so that devices could be augmented with physical screens to block the surfaces for a brief period, or privacy-enhancing keyboards that shuffle the layout of keys after use. Where devices are already in circulation, software updates could help remind users to be aware of their surroundings and take action to prevent observation with thermal cameras,” says Shaun Macdonald, from the University of Glasgow’s School of Computing Science.

“Our final recommendation is to the manufacturers of thermal cameras, who could stop attacks by integrating new software locks to prevent thermal cameras from taking pictures of surfaces like PIN pads on bank machines. We are continuing to explore potential approaches to mitigating the risk of thermal attacks. Although we still don’t know how widespread these attacks on personal information are at the moment, it’s important that computer security researchers keep pace with the risks that thermal cameras could pose to users’ personal information, particularly since they are now so cheap and widely available,’’ says Khamis.

“Ultimately, our advice to the public would be to try to find one strategy that suits their own personal habits and behaviours and to remember to use it as often as possible in their lives. Any action they can take regularly to help guard against thermal attacks will make it harder for others to gain access to their personal data,” he adds.

YOU MAY ALSO LIKE

0 COMMENTS

Leave a Reply

Your email address will not be published. Required fields are marked *