Stay Cool! Understanding Thermal Attacks on Mobile-based User Authentication

Abdelrahman, Y., Khamis, M., Schneegass, S. and Alt, F. (2017) Stay Cool! Understanding Thermal Attacks on Mobile-based User Authentication. In: CHI '17: CHI Conference on Human Factors in Computing Systems, Denver, CO, USA, 6-11 May 2017, pp. 3751-3763. ISBN 9781450346559 (doi:10.1145/3025453.3025461)

170222.pdf - Accepted Version



PINs and patterns remain among the most widely used knowledge-based authentication schemes. As thermal cameras become ubiquitous and affordable, we foresee a new form of threat to user privacy on mobile devices. Thermal cameras allow performing thermal attacks, where heat traces resulting from authentication can be used to reconstruct passwords. In this work we investigate in detail the viability of exploiting thermal imaging to infer PINs and patterns on mobile devices. We present a study (N=18) where we evaluated how properties of PINs and patterns influence their resistance to thermal attacks. We found that thermal attacks are indeed viable on mobile devices; overlapping patterns significantly decrease the successful thermal attack rate from 100% to 16.67%, while PINs remain vulnerable (>72% success rate) even with duplicate digits. We conclude with recommendations for users and designers of authentication schemes on how to resist thermal attacks.

Item Type: Conference Proceedings
Additional Information: This work was partly conducted within the Amplify project which received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement no. 683008) and received funding from the German Research Foundation within the SimTech Cluster of Excellence (EXC 310/2).
Keywords: Mobile authentication, thermal imaging, touchscreens.
Glasgow Author(s) Enlighten ID: Khamis, Dr Mohamed
Authors: Abdelrahman, Y., Khamis, M., Schneegass, S., and Alt, F.
College/School: College of Science and Engineering > School of Computing Science
Copyright Holders: Copyright © 2017 The Authors
First Published: First published in Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems: 3751-3763
Publisher Policy: Reproduced in accordance with the publisher copyright policy
