A team of computer security experts has unveiled a series of recommendations designed to safeguard against "thermal attacks," a method that uses heat-sensitive cameras to steal personal information on smartphones and computers.
How Thermal Attacks Work
Thermal attacks involve using heat-sensitive cameras to detect residual fingerprints on surfaces like smartphone screens, keyboards, and PIN pads. Hackers can reconstruct users' passwords by analyzing the intensity of heat traces on recently touched surfaces.
In a previous study, Dr. Mohamed Khamis and his team from the University of Glasgow showcased the potential of thermal images to crack passwords. They introduced ThermoSecure, an AI-driven system that rapidly deduced passwords from heat-trace images, effectively increasing awareness of the thermal attack threat.
The same research team has undertaken an extensive evaluation of prevailing computer security strategies and carried out surveys to collect user preferences aimed at averting thermal attacks on public payment devices, including ATMs and transport ticket dispensers.
Their findings will be presented in a paper at the forthcoming USENIX Security Symposium. The team also identified 15 diverse methods capable of reducing the risk associated with thermal attacks.
Recommendations Against Thermal Attacks
The suggestions encompass a spectrum of measures, such as wearing gloves or rubber thimbles to curtail heat transfer from users' hands, employing hardware and software solutions such as heating elements to eliminate traces of finger heat, and introducing physical barriers to shield keys until the heat subsides.
An online survey with 306 participants revealed users' preferences for the strategies identified. Respondents suggested novel tactics, such as using ATMs when their surroundings felt safest, while also expressing a preference for familiar methods like two-factor authentication.
Khamis, from the University of Glasgow's School of Computing Science, noted that users' consideration of hygiene and privacy influenced their acceptance of certain security measures.
The team also recommends early consideration of thermal attacks in the design phase of devices for public spaces. They propose augmenting devices with physical screens or privacy-enhancing keyboards that shuffle key layouts.
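As an added illustration of the shuffled-layout idea (not code from the researchers or their paper), the sketch below models a ten-key PIN pad whose layout is re-randomized for every entry and measures how often an observer who recovers only the touched key positions, and assumes the familiar fixed layout, ends up with the right PIN. The function names, the ten-key pad and the sample PIN are assumptions made for the example.

```python
import secrets

STANDARD = "1234567890"  # fixed pad: position i always shows STANDARD[i]


def shuffled_layout():
    """Return a fresh key layout using Fisher-Yates driven by a CSPRNG."""
    keys = list(STANDARD)
    for i in range(len(keys) - 1, 0, -1):
        j = secrets.randbelow(i + 1)  # unbiased index in [0, i]
        keys[i], keys[j] = keys[j], keys[i]
    return "".join(keys)


def positions_for(pin, layout):
    """Key positions a user touches to enter `pin` on `layout`."""
    return [layout.index(digit) for digit in pin]


def decode(positions, layout):
    """Digits the terminal reads, since it knows the layout it displayed."""
    return "".join(layout[p] for p in positions)


def observer_guess(positions):
    """Digits inferred by someone who sees only the touched positions
    (for example from heat traces) and assumes the fixed layout."""
    return decode(positions, STANDARD)


def observer_hit_rate(pin, trials=2000):
    """Fraction of entries where the position-only guess equals the PIN."""
    hits = 0
    for _ in range(trials):
        layout = shuffled_layout()
        if observer_guess(positions_for(pin, layout)) == pin:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    pin = "4821"  # constructed sample PIN
    fixed = observer_guess(positions_for(pin, STANDARD))
    print("fixed layout, observer reads:", fixed)
    print("shuffled layout, observer hit rate:", observer_hit_rate(pin))
```

In this model the protection comes entirely from the observer not knowing the layout, so a device using it has to stop displaying the layout once entry is complete.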
For existing devices, software updates could serve as reminders for users to remain vigilant against thermal camera observation. Khamis underscored the importance of thermal camera manufacturers' involvement, suggesting that integrating new software locks to prevent pictures of sensitive surfaces could deter attacks.
"Ultimately, our advice to the public would be to try to find one strategy that suits their own personal habits and behaviors and to remember to use it as often as possible in their lives. Any action they can take regularly to help guard against thermal attacks will make it harder for others to gain access to their personal data," Khamis noted.