Researchers Suggest Ways to Tackle Thermal Attacks

Researchers at Glasgow University have identified 15 ways users and manufacturers could reduce the risk of thermal attacks to boost the security of logins.

Thermal attacks involve the use of thermal imaging cameras to identify the keys on a PIN pad or keyboard last touched by a user, thereby enabling an attacker to guess a user’s PIN or password.

A paper produced by the research team last year revealed that two-thirds of passwords of up to 16 characters could be cracked in this way, rising to 82% of 12-character passwords and 100% of six-character logins.

It also claimed that 86% of passwords were revealed when thermal images were taken within 20 seconds, 76% when images were taken within 30 seconds and 62% after 60 seconds.

Now Mohamed Khamis and his colleagues have developed a set of recommendations to mitigate such risks, after surveying user preferences and reviewing existing security strategies.

Among the 15 approaches listed in the paper, some are more practical than others. They include:

  • Wearing gloves or rubber thimbles
  • Changing the temperature of hands by touching something cold before typing
  • Pressing hands against surfaces
  • Breathing on surfaces after typing to obscure fingerprint heat
  • Placing a heating element behind surfaces
  • Making surfaces from materials which dissipate heat more rapidly
  • Introducing a physical shield that covers keys until heat has dissipated
  • Using eye-tracking inputs or biometric security

“Users told us that they considered themselves at least partially responsible for their own security, so we advise that they pay close attention to their surroundings when entering sensitive data in public to make sure no-one is watching, or use a secure facility such as a bank. Where that’s not possible, we suggest resting palms on devices to obscure traces of heat, or wearing gloves or finger protection if they can,” advised researcher Karola Marky.

“We’d also advise using multi-factor authentication (MFA) wherever users are able because it protects against a range of different attacks including thermal attacks, and safeguard all authentication factors as much as possible.”
