How hackers use thermal imaging cameras to steal personal data
Thermal imaging cameras are known to be used in industry for various types of quality inspections. However, commercially available thermal imaging cameras can also be misused for criminal purposes. Researchers at the University of Glasgow have now drawn up recommendations on how to protect oneself against such "thermal attacks".
Thermal imaging cameras can be used to recover the heat traces fingers leave on surfaces such as smartphone screens, computer keyboards or ATM keypads - in other words, anywhere users are prompted to enter a PIN or other personal data. According to the study, attackers can use the relative intensity of the heat traces on a recently touched surface to reconstruct a password: keys that were touched more recently are still warmer than keys touched earlier, so the traces reveal not only which keys were pressed but also, in many cases, the order in which they were pressed. A team of computer security experts from the University of Glasgow has now developed a set of recommendations for defending against such "thermal attacks", which can be used to steal personal data.
Cracking passwords with handheld thermal imaging cameras and AI
This work builds on earlier research by Dr. Mohamed Khamis of the University of Glasgow's School of Computing Science and his colleagues, who showed how easily thermal images can be used to crack passwords. The team developed ThermoSecure, a system that uses artificial intelligence (AI) to analyse thermal images and correctly guess passwords within seconds, which drew wide attention to the threat of thermal attacks. Building on this, Dr. Khamis' research team conducted a comprehensive survey of existing computer security strategies and asked users for their preferences on how to prevent thermal attacks on public payment devices such as ATMs and ticket machines.
Measures against thermal attacks
The authors presented their research findings on August 11, 2023, at the USENIX Security Symposium in Anaheim, California. The work presented also included advice for manufacturers on how to make their devices more secure. The team identified 15 different approaches described in previous computer security research that could reduce the risk of thermal attacks. These included ways to reduce heat transfer from users' hands, such as wearing gloves or rubber finger covers, or lowering the temperature of the hands by touching something cold before typing. The literature also suggested pressing the palms against the surface, or breathing on it, after typing in order to mask the heat traces left by the fingers.
Other suggestions involved hardware and software. A heating element behind the surface could erase the heat traces left by fingers, or the surface could be made of a material that dissipates heat more quickly. Security on publicly accessible surfaces could be enhanced by introducing a physical shield that covers the keys until the heat has dissipated. Alternatively, eye-tracking input or biometric authentication could reduce the risk of a successful thermal attack.
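The mechanism described above (ordering keys by the relative intensity of their heat traces) and the effect of two of the surveyed mitigations (a faster-dissipating surface, and pressing the palm on the pad after typing) can be made concrete with a small model. The following is an added example and is not code from the Glasgow papers or from the article; it uses Newton's law of cooling on a ten-key PIN pad. Every constant in it (the cooling rates for "plastic" and "metal", the temperature rise from a fingertip, the camera's thermal resolution) and every PIN is an assumption chosen for illustration, not a measured value.

```python
"""Toy thermal-attack model for a ten-key PIN pad.

Constructed example: cooling constants, touch temperature rise, camera
sensitivity and the PINs used are assumptions, not measurements from the
Glasgow studies.
"""
import math

AMBIENT_C = 21.0        # assumed keypad temperature before any touch
TOUCH_RISE_C = 4.0      # assumed rise of a key's temperature from one fingertip press
CAMERA_NETD_C = 0.1     # assumed smallest temperature difference the camera resolves

# Assumed cooling constants (1/s) for Newton's law of cooling: the higher the
# value, the faster a trace fades. Plastic keycaps hold heat far longer than metal.
COOLING_K = {"plastic": 0.03, "metal": 0.25}


def residual_rise(age_s, material, rise_c=TOUCH_RISE_C):
    """Temperature above ambient of a key that was pressed age_s seconds ago."""
    return rise_c * math.exp(-COOLING_K[material] * age_s)


def thermal_image(pin, press_interval_s, snapshot_delay_s, material):
    """Simulate the per-key temperatures a camera sees snapshot_delay_s seconds
    after the last keypress. One digit is pressed every press_interval_s seconds;
    pressing the same key twice re-heats it, so only the latest press survives."""
    temps = {str(d): AMBIENT_C for d in range(10)}
    snapshot_t = (len(pin) - 1) * press_interval_s + snapshot_delay_s
    for i, digit in enumerate(pin):
        age = snapshot_t - i * press_interval_s
        temps[digit] = max(temps[digit], AMBIENT_C + residual_rise(age, material))
    return temps


def recover_pin(temps):
    """Attacker's inference: keys above the noise floor were touched, and hotter
    keys were touched later, so sorting coolest-to-hottest gives the press order.
    Returns (guess, ambiguous); ambiguous is True when two touched keys are closer
    than the camera can resolve, i.e. their order cannot be read reliably."""
    touched = sorted((t, key) for key, t in temps.items() if t - AMBIENT_C > CAMERA_NETD_C)
    gaps = [b[0] - a[0] for a, b in zip(touched, touched[1:])]
    return "".join(key for _, key in touched), any(g < CAMERA_NETD_C for g in gaps)


def palm_press(temps, rise_c=TOUCH_RISE_C):
    """Surveyed mitigation: resting the palm on the pad after typing heats every
    key to about the same level, so the ordering information is destroyed."""
    return {key: max(t, AMBIENT_C + rise_c) for key, t in temps.items()}


def attack_window_s(material, rise_c=TOUCH_RISE_C, netd_c=CAMERA_NETD_C):
    """Seconds until a single press's trace drops below the camera's noise floor:
    solves rise * exp(-k t) = netd for t."""
    return math.log(rise_c / netd_c) / COOLING_K[material]


if __name__ == "__main__":
    pin = "4920"   # constructed sample PIN
    for material in ("plastic", "metal"):
        img = thermal_image(pin, press_interval_s=2.0, snapshot_delay_s=10.0, material=material)
        print(material, "10 s after typing:", recover_pin(img),
              "attack window %.0f s" % attack_window_s(material))
    # Repeated digits collapse onto one key: the attacker sees fewer keys than digits.
    print("repeated digits:", recover_pin(thermal_image("1221", 2.0, 10.0, "plastic")))
    # Palm press after typing: every key looks the same, order is unrecoverable.
    print("after palm press:", recover_pin(palm_press(thermal_image(pin, 2.0, 10.0, "plastic"))))
```

With the assumed constants, the plastic pad still yields the full PIN in the right order ten seconds after typing, while the metal pad has already lost the first digit below the noise floor and the remaining keys are too close together to order reliably; the palm press turns all ten keys "touched" with no usable ordering. The model deliberately ignores sensor noise, finger dwell time and the attacker's angle, which real attacks such as ThermoSecure have to cope with, but it shows why the literature's mitigations work: they either shorten the window in which traces are readable or flatten the intensity differences the attack depends on.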
Users want two-factor authentication
After studying the existing security measures, the team conducted an online survey with 306 participants. The goal of the survey was to determine users' preferences among the strategies the team had identified, and to ask them for their own thoughts on security measures they might apply when using public devices such as ATMs or ticket machines. Dr. Mohamed Khamis, who led the study, said: "This is the first comprehensive literature review on security measures against thermal attacks, and our survey revealed some interesting results. Intuitively, users suggested some strategies not found in the literature, such as waiting to use an ATM until the environment seems safest. They also advocated for strategies that were already known, such as two-factor authentication, because they were aware of its effectiveness. We also saw that they considered issues around hygiene, which made the strategy of breathing on devices to mask heat trails very unpopular, and privacy, which some users considered when thinking about additional security measures such as facial or fingerprint recognition."
The paper concludes with recommendations for users on how to protect themselves against thermal attacks in public, and for device manufacturers on how security measures could be built into future generations of hardware and software. Co-author Prof. Karola Marky, who was a postdoctoral researcher on Mohamed Khamis' team at the time of the study and is now a professor at Ruhr University Bochum, Germany, advises users to pay close attention to their surroundings when entering sensitive data in public to ensure no one is watching, or to use a secure facility such as a bank. "Where this is not possible, we recommend placing the palms of the hands on the devices to cover heat traces, or wearing gloves or finger guards if possible," Prof. Marky said. "We also advise using multi-factor authentication whenever possible, as it protects against a number of different attacks, including thermal attacks, and protecting all authentication factors as much as possible."
Manufacturers of vending machines and thermal imaging cameras also have a responsibility
Manufacturers of ATMs and ticket vending machines are advised to consider the possibility of attacks with handheld thermal imaging cameras at the design stage. Devices should be equipped with physical shields that cover the keypad for a short time after use, or with keypads that protect privacy by shuffling the key layout after each use. For devices already in circulation, software updates could remind users to be aware of their surroundings and to take measures against observation by thermal cameras. "Our final recommendation is for thermal camera manufacturers to prevent attacks by incorporating new software locks that prevent thermal cameras from taking images of surfaces such as PIN pads on ATMs," adds Mohamed Khamis. "We continue to explore potential approaches to mitigate the risk of thermal imaging attacks. While we don't yet know how widespread these attacks on personal data currently are, it's important that computer security researchers keep up with the risks thermal imaging cameras could pose to users' personal data, especially since they're now so cheap and widely available."
Source: Techexplore.com / University of Glasgow