How hackers use thermal imaging cameras to steal personal data

Thermal imaging cameras can be used to reconstruct and read traces of fingerprints on surfaces such as smartphone screens, computer keyboards or ATM touchscreens - in other words, wherever users are asked to enter a PIN code or other personal data. Hackers can therefore use the relative intensity of heat traces on recently touched surfaces to reconstruct passwords, for example. A team of computer security experts from the University of Glasgow has now developed a series of recommendations to defend against such "heat attacks", which can be used to steal personal data.

Cracking passwords with handy thermal imaging cameras and AI

This was preceded by research by Dr. Mohamed Khamis, Professor at the University of Glasgow's School of Computing Science, and his colleagues. They showed how easily thermal images can be used to crack passwords. The team developed ThermoSecure, a system that uses artificial intelligence (AI) to scan thermal images and correctly guess passwords in seconds, alerting many to the threat of thermal attacks. Based on this, Dr. Khamis' research team conducted a comprehensive survey of existing computer security strategies and asked users for their preferences on how to prevent thermal attacks on public payment devices such as ATMs and ticket machines.

Measures against thermal attacks

The authors presented their research findings on August 11, 2023, at the USENIX Security Symposium conference in Anaheim, California. The work presented also included advice for manufacturers on how to make their devices more secure. The team identified 15 different approaches described in previous computer security research that could reduce the risk of thermal attacks. These included ways to reduce heat transfer from users' hands by wearing gloves or rubber finger hats, or changing the temperature of the hands by touching something cold before typing. The literature also suggested pressing the hands against surfaces or breathing on them to hide the heat from fingerprints after typing.

Other suggestions for more security involved hardware and software. A heating element behind surfaces could erase traces of finger heat, or surfaces could be made of materials that dissipate heat more quickly. Security on publicly accessible surfaces could be enhanced by introducing a physical shield that covers the keys until the heat is dissipated. Alternatively, eye-tracking inputs or biometric security could reduce the risk of successful thermal attacks.

Users want two-factor authentication

After examining the existing security measures, the team conducted an online survey with 306 participants. The aim of the survey was to identify users' preferences among the strategies identified by the team and to ask them for their own thoughts on security measures they might apply when using public devices such as ATMs or ticket machines. Dr. Mohamed Khamis, who led this study, is quoted as saying: "This is the first comprehensive literature review on security measures against thermal attacks, and our survey revealed some interesting results. Intuitively, users suggested some strategies that were not found in the literature, such as waiting to use an ATM until the environment seems safest. They also advocated already known strategies such as two-factor authentication because they were aware of its effectiveness. We also saw that they considered issues around hygiene, which made the strategy of breathing on devices to mask heat traces very unpopular, and privacy, which some users considered when thinking about additional security measures such as facial or fingerprint recognition."

The paper concludes with recommendations for users on how they can protect themselves against heat attacks in public and for device manufacturers on how security measures could be built into future generations of hardware and software. Co-author Prof. Karola Marky, now working as a professor at Ruhr University in Bochum, but still a postdoctoral researcher in Mohamed Khamis' team at the time of the study, advises users to pay close attention to their surroundings when entering sensitive data in public to ensure that no one is watching, or to use a secure facility such as a bank. "Where this is not possible, we recommend placing the palms of your hands on the devices to cover heat marks, or wearing gloves or finger protection where possible," said Prof. Marky. "We also advise using multi-factor authentication whenever possible, as this protects against a range of different attacks, including thermal attacks, and to protect all authentication factors as much as possible."

Manufacturers of vending machines and thermal imaging cameras also under obligation

Manufacturers of ATMs or ticket machines are advised to consider the possibilities of attacks via handheld thermal imaging cameras at the design stage. Devices should be equipped with physical screens to block the surfaces for a short period of time, or with keyboards that improve privacy by rearranging the layout of the keys after use. For devices already in circulation, software updates could help remind users to be aware of their surroundings and take measures to prevent observation by thermal cameras. "Our final recommendation is aimed at thermal camera manufacturers, who could prevent attacks by integrating new software locks that prevent thermal cameras from taking images of surfaces such as PIN pads on ATMs," adds Mohamed Khamis. "We continue to investigate possible approaches to mitigate the risk of thermal imaging attacks. Although we don't yet know how widespread these attacks on personal data currently are, it's important that computer security researchers keep abreast of the risks that thermal imaging cameras could pose to users' personal data, especially as they are now so cheap and widely available."

Source: Techexplore.com / University of Glasgow

This article originally appeared on m-q.ch - https://www.m-q.ch/de/wie-hacker-waermebildkameras-nutzen-um-persoenliche-daten-zu-stehlen/