A hot potato: We're already experiencing a rash of mobile device thefts fueled by thieves spying on and recording victims as they input their passwords. Now, researchers warn the situation could worsen if hijackers begin using AI-assisted thermal imaging to determine passwords shortly after they've been entered.

Researchers at the University of Glasgow have unveiled a method to guess recently entered passwords on keyboards and phone screens with high accuracy by imaging the heat signatures from users' fingers. The technique's success rate varies depending on timing, materials, and password length, but could worsen a recent uptick in device thefts.

Thieves have lately started stealing and breaking into users' phones and other devices by watching them enter their passcodes in public. Logging in with a victim's password is a straightforward way to overcome all the security measures companies like Apple and Google have painstakingly implemented, and victims can't do much once someone has stolen and logged into their device.

However, a successful robbery requires the perpetrator to either remember the password they saw or record the victim as they enter it. The researchers' new method could give thieves a wider window by letting them discern a password after someone has typed it.

If a person uses a thermal camera to take a picture of a screen or keyboard within a minute of a password being entered, AI can reliably guess the order in which the keys were hit. The system, called ThermoSecure, has at least a 62 percent success rate depending on conditions.

Speed is key. ThermoSecure is 86 percent successful when analyzing pictures taken within 20 seconds of entering passwords. The rate drops to 76 percent at 30 seconds, and 62 percent after one minute.

Longer passwords decrease the system's effectiveness somewhat. ThermoSecure can guess a 16-character password 67 percent of the time with an image taken within 20 seconds of someone entering a password. The rate rises to 82 percent for 12-character passwords, 93 percent for eight-character passwords, and 100 percent for six-character passwords. The results make any non-alphanumeric iPhone passcode a prime target for the system, as the device's simple passcodes max out at six numbers.

For keyboards, other factors such as typing style and materials also affect ThermoSecure's chances. With an image of a 30-second-old heat signature, the system can guess a touch typist's password 80 percent of the time and a hunt-and-peck user's password in 92 percent of cases. Meanwhile, keys made of PBT plastics reduce the success rate to 14 percent, while ABS plastics only cut it to around 50 percent. Backlit keyboards are also more secure because they generate more heat, hiding thermal fingerprints.

Thieves can already easily and cheaply acquire thermal cameras. While the means to combine them with AI-driven guessing aren't in the wild yet, the research appears to prove the theory, giving users even more reason to enact strong security measures. They should avoid entering passcodes where visible to others, and use other authentication methods like biometrics when possible.

Image credit: David Dodge