UNDERSTANDING AND MITIGATING THE THREATS OF THERMAL IMAGING ON SECURITY

Abstract

The evolution of thermal cameras from exclusive, prohibitively expensive technology to compact, economically accessible consumer products has paved the way for their potential widespread adoption in personal gadgets such as smartphones, wearables, and displays. However, this accessibility raises significant security concerns, as it can be exploited for malicious uses, such as thermal attacks. In a thermal attack, an attacker captures a thermal image of a user interface, like a keyboard or touchscreen, to reveal thermal traces left by the user's touch. These attacks can be performed without any overt action taken by the attacker, as heat traces persist for up to 60 seconds after the user has interacted and left the device unattended. Attackers can then analyze the captured image either through visual means or via advanced techniques such as image processing to reconstruct sensitive inputs made by the user, including passwords and other confidential information. Recognizing this threat, this thesis investigates the feasibility of thermal attacks when advanced methods of thermal image analysis are employed and explores mitigation methods against thermal attacks. Six studies were conducted, with the first two examining the feasibility of thermal attacks on common computer keyboards. ThermoSecure, a Deep Learning (DL) system that analyzes thermal images to estimate user input, was introduced, alongside the first publicly available dataset of 1500 thermal images of keyboards. Results from these studies highlighted that AI-driven thermal attacks are more effective. Success varied based on factors, including input-related ones like password length and user typing behavior, and interface-related ones such as keycap material and thermal conductivity. These findings underscored the pressing need for mitigation methods against thermal attacks, leading to the third study, which investigated user perceptions of privacy in relation to thermal cameras, their understanding of thermal attacks, and their preferences for mitigation methods. Previous research proposed several user-centric mitigation methods, yet the results from this study emphasized the need for holistic approaches requiring minimal user involvement. Users expressed openness towards using thermal cameras in daily life but also exhibited privacy and security concerns, largely due to unawareness of thermal attacks and mitigation strategies. With that in mind, Two camera-centric mitigations were introduced and evaluated: four distinct obfuscations (Mitigation 1) and a GANs-based mitigation (ThermoGANs) (Mitigation 2), both of which proved effective against thermal attacks. The results emphasized user preference for mitigation methods that require minimal involvement, even at the potential cost of utility. This thesis underscores the need for holistic strategies that not only prevent camera misuse but also minimize utility impact. The final study explores such a method, investigating input-based induced noise that ensures ineffective heat traces for password reconstruction, both in terms of identifying used keys and the sequence of presses. This research contributes a novel understanding of thermal attack feasibility, user perceptions, and mitigation techniques, providing a foundation for future security measures against thermal attacks.