Alotaibi, N., Williamson, J. and Khamis, M. (2023) ThermoSecure: investigating the effectiveness of AI-driven thermal attacks on commonly used computer keyboards. ACM Transactions on Privacy and Security, 26(2), 12. (doi: 10.1145/3563693)
Text
279998.pdf - Accepted Version 10MB |
Abstract
Thermal cameras can reveal heat traces on user interfaces, such as keyboards. This can be exploited maliciously to infer sensitive input, such as passwords. While previous work considered thermal attacks that rely on visual inspection of simple image processing techniques, we show that attackers can perform more effective AI-driven attacks. We demonstrate this by presenting the development of ThermoSecure, and its evaluation in two user studies (N=21, N=16) which reveal novel insights about thermal attacks. We detail the implementation of ThermoSecure and make a dataset of 1,500 thermal images of keyboards with heat traces resulting from input publicly available. Our first study shows that ThermoSecure successfully attacks 6-symbol, 8-symbol, 12-symbol, and 16-symbol passwords with an average accuracy of 92%, 80%, 71%, and 55% respectively, and even higher accuracy when thermal images are taken within 30 seconds. We found that typing behavior significantly impacts vulnerability to thermal attacks, where hunt-and-peck typists are more vulnerable than fast typists (92% vs 83% thermal attack success if performed within 30 seconds). The second study showed that the keycaps material has a statistically significant effect on the effectiveness of thermal attacks: ABS keycaps retain the thermal trace of users presses for a longer period of time, making them more vulnerable to thermal attacks, with a 52% average attack accuracy compared to 14% for keyboards with PBT keycaps. Finally, we discuss how systems can leverage our results to protect from thermal attacks, and present 7 mitigation approaches that are based on our results and previous work.
Item Type: | Articles |
---|---|
Additional Information: | This work was supported by the Royal Society of Edinburgh (RSE award number 65040), the EPSRC (EP/V008870/1), and the PETRAS National Centre of Excellence for IoT Systems Cybersecurity, which is also funded by the EPSRC (EP/S035362/1). |
Status: | Published |
Refereed: | Yes |
Glasgow Author(s) Enlighten ID: | Alotaibi, Miss Norah and Khamis, Dr Mohamed and Williamson, Dr John |
Authors: | Alotaibi, N., Williamson, J., and Khamis, M. |
College/School: | College of Science and Engineering > School of Computing Science |
Journal Name: | ACM Transactions on Privacy and Security |
Publisher: | Association for Computing Machinery |
ISSN: | 2471-2566 |
ISSN (Online): | 2471-2574 |
Published Online: | 15 September 2022 |
Copyright Holders: | Copyright © 2022 The Authors |
First Published: | First published in ACM Transactions on Privacy and Security 26(2): 12 |
Publisher Policy: | Reproduced in accordance with the publisher copyright policy |
Related URLs: | |
Data DOI: | 10.5281/zenodo.7069957 |
University Staff: Request a correction | Enlighten Editors: Update this record