TAPS: Assessing, Mitigating and Raising Awareness of the Security and Privacy Risks of Thermal Imaging

Lead Research Organisation: University of Glasgow
Department Name: School of Computing Science

Abstract

Thermal imaging technologies are continuously becoming more affordable and accessible to everyone. Today, a thermal camera can be bought for less than £150. Thermal imaging can be used maliciously to infer the user input on keyboards and touchscreens. For example, taking a thermal image of a keyboard after a user has interacted with it reveals recent input such as passwords, or sensitive messages. This project aims to 1) assess the viability of thermal attacks in everyday computer and mobile usage scenarios, 2) develop and evaluate methods for resisting them on desktop and mobile settings, and 3) raise awareness about this threat and possible countermeasures through impact activities that engage with Logitech, a major manufacturer of input peripherals, and local partners such as CENSIS. This project will produce 1) a dataset of thermal images for research on thermal attacks, 2) empirical findings that explain which factors impact the effectiveness of thermal attacks in realistic everyday scenarios in desktop and mobile settings, 3) recommendations for users and manufacturers for resisting thermal attacks on touchscreens and keyboards, 4) a novel machine learning model to be used by researchers and practitioners to analyse the effectiveness of thermal attacks and evaluate countermeasures, 5) a novel machine learning model that predicts vulnerability to thermal attacks and tools that use it to mitigate the risk, and 6) material to raise awareness about thermal attacks and possible countermeasures.
 
Description Thermal cameras are becoming ubiquitous and more affordable than before. Today, thermal cameras can be bought online for less than £200. While they have many benefits, they present a new front for side-channel attacks. Namely, taking a thermal image of a user interface, such as a keyboard or a touchscreen, reveals heat traces that can be used to determine the user's input. This input can range from day-to-day input on said devices to sensitive input such as passwords, PINs, credit card numbers, and more. These types of attacks are referred to as thermal attacks [1].

The contributions of this project are as follows:
1. We empirically assessed the success of thermal imaging attacks in revealing passwords entered on desktop keyboards, laptop keyboards, smartphone touchscreens, and laptop touchpads. We found that attacks on all said interfaces are successful to a large extent by visually inspecting the thermal images (i.e., without the use of any software), and are even more successful (up to 100% accuracy in some cases) when using automated image processing and AI-driven approaches. This work has been published in four conference papers and two journal papers.
2. We released the first datasets that contain thermal images of keyboards, smartphones and keypads containing heat traces resulting from interactions. The datasets are open access and publicly available under Creative Commons Attribution 4.0 International License: https://zenodo.org/record/5997104 and https://zenodo.org/record/7069957
3. We developed machine learning algorithms that analyze thermal images and reveal whether the user's input can be recovered from them.
4. We developed and evaluated novel user-centered approaches for authentication that are resistant to thermal attacks. This includes predicting vulnerability to thermal attacks through typing behavior, gaze-based authentication methods and authentication using 3D models.

The project received significant media attention from major news outlets like The Independent, Bloomberg, FutureScot, Telegraph and Daily Mail. We also had a radio interview on this topic with the BBC, and an entire episode of the famous science TV show Galileo was dedicated to this work.

Summary: First, this project investigated the effectiveness of two approaches to thermal attacks: 1) thermal attacks by visual inspection, and 2) automated thermal attacks. Second, we developed methods to make input secure against thermal attacks through two lines of work: 1) we investigated how eye tracking can be used to provide a more secure alternative to password entry, and 2) we found evidence that vulnerability to thermal attacks can be predicted through the way users type.

1. Understanding Thermal Attacks
We investigated two forms of thermal attacks. The first was thermal attacks by visual inspection, where the attacker attempts to identify the input by visually examining the thermal image without the help of any tools. The second form was thermal attacks using automated methods, where the attacker employs image processing and/or machine learning approaches to infer the input from the thermal image.

1.1 Thermal attacks by Visual Inspection
The results of this work were published in [2] and [3]. In the first paper [2], we investigated the susceptibility of common touch inputs to thermal attacks when non-expert attackers visually inspect thermal images. By non-experts, we refer to users of thermal cameras who do not employ automated methods to analyse thermal images. Using an off-the-shelf thermal camera, we collected thermal images of a smartphone's touchscreen and a laptop's touchpad after 25 participants had entered passwords using touch gestures and touch taps. We then invited 18 different participants to visually inspect the collected images. The participants were able to recover the majority of passwords. We tested two types of input: touch gestures and touch taps. We found that touch gestures are more vulnerable to thermal attacks (60.65% successful attacks) than touch taps (23.61%), and attacks against smartphone touchscreens are more accurate than on laptop touchpads (87.04% vs 56.02%). These results were statistically significant.

In a second paper [3], we investigated the effectiveness of thermal attacks against input of text on smartphone touchscreens and laptop keyboards. We experimented with different characteristics of text, including short words, website URLs, and complex strings (i.e., strings that contain special characters, digits and letters). We collected a dataset of thermal images from 25 participants after they had provided input with the aforementioned properties. We then recruited 20 different participants to visually inspect the thermal images and attempt to identify the input. We found that long and complex entries are less vulnerable to thermal attacks, and that visual inspection of thermal images that contain text reveals up to 82% of the content (36% on average) even if the attack is not fully successful. We also found that entering text on laptop keyboards is more vulnerable to thermal attacks than entering it on smartphones. We attribute this to the hardware design of the interfaces: a smartphone's screen is directly attached to the processing unit, which means that it may heat up due to CPU usage. This may distort heat traces. A laptop's processing unit, on the other hand, affects a relatively smaller area of the keyboard, leaving heat traces on the rest of the keyboard unaffected and potentially more visible.

1.2 Automated Thermal Attacks
Prior work that proposed automated methods to perform thermal attacks employed basic image processing techniques. In our ACM TOPS paper [4], we implemented ThermoSecure, which is an AI-driven system that integrates deep learning to 1) determine the placement of keyboards in thermal images using Mask R-CNNs, 2) determine which keys were pressed on the keyboard, including accurate detection of keys that were pressed multiple times, using k-means clustering, 3) distinguish which keys were part of a username and which were part of a password entry, and 4) determine the order in which the keys were pressed to produce a list of the most likely user input using probability functions. Our models were trained and evaluated using a dataset of 1500 thermal images taken in realistic conditions. We made this dataset publicly available as soon as this work was published.

After developing ThermoSecure, we evaluated it in an empirical within-subjects study in which 21 participants entered usernames and passwords on an external keyboard. Our participants entered passwords of different properties, and we took thermal images at 20, 30 and 60 seconds after entry. Our results reveal insights about 1) properties that make passwords more secure against thermal attacks and 2) typing behaviours that make input more secure against thermal attacks. For example, our analysis shows that hunt-and-peck typing is significantly more vulnerable to thermal attacks (92% thermal attack success if taken within 30 seconds) compared to fast typing (80%) and that this typing behavior can be determined in real time through keystroke dynamics. This creates avenues for future work on real-time protection from thermal attacks by analysing typing behaviour. We also found that long passwords are significantly more resilient to thermal attacks; 100% of 6-symbol passwords are detected using ThermoSecure whereas 67% of 16-symbol passwords are detected within 20 seconds. In a second study, we investigated how some physical properties of external keyboards impact the success of thermal attacks through a follow-up within-subjects user study in which 16 participants entered passwords on two keyboards: one that uses Acrylonitrile Butadiene Styrene (ABS) keycaps, and one that uses Polybutylene Terephthalate (PBT) keycaps. Our results indicate that keycaps made of ABS were more vulnerable to thermal attacks than those made of PBT (52% and 14% attack success respectively).

2. Mitigating Thermal Attacks

There are three lines of work in this direction: 1) alternative authentication methods: we proposed alternative password entry methods that are contact-free (i.e., do not require the user to touch an interface); 2) predicting vulnerability: we developed AI-driven approaches to predict vulnerability to thermal attacks, based on the user's typing behaviour; and 3) prevention by obfuscation: we are currently developing approaches to prevent the misuse of thermal cameras by detecting interfaces with heat traces in their video feed before obfuscating the heat traces.

In this research project, we have made progress in the first two directions. Investigation into the third direction is starting in the context of a newly funded research project: PT.HEAT, which is funded by the PETRAS National Centre of Excellence for IoT Systems Cybersecurity.

Alternative authentication methods:
The first direction we explored was proposing alternative authentication methods that are not vulnerable to thermal attacks. Biometric authentication, using fingerprints, facial features, gaze behaviour or interaction behaviour, is promising against thermal attacks. However, there are still situations in which knowledge-based authentication is needed. For example, biometrics involve a lot of personal data, and may be unreliable in the long run if the user's features or behaviours change.

Gaze has many advantages in the context of authentication. Namely, eye movements can be subtle and hard to notice, making gaze attractive for observation-resilient and high-entropy authentication. These reasons encouraged researchers to investigate ways to leverage gaze for explicit and implicit authentication. We summarize three lines of work: 1) explicit gaze-based authentication, 2) implicit gaze-based authentication, and 3) gaze-supported multi-factor authentication. In our review paper [5], we summarized the applications of eye gaze in security and privacy contexts. Our paper addresses not only authentication, but also privacy protection and gaze monitoring during security critical tasks. Gaze-based authentication is secure against thermal attacks, as well as some other types of side-channel attacks like observation attacks and smudge attacks.

During the research project, we developed novel approaches for providing gaze input and evaluated them in a PIN entry scenario [6,7]. We also evaluated GazeLockPatterns [8] and compared it to Touch Lock Patterns, which is a popular authentication method on Android mobile devices. Through a between-subjects study with 40 participants, we found that users employ comparable strategies for pattern composition regardless of the modality. We also found that the gaze behaviour during authentication using touch patterns follows the patterns, which suggests it can be used for eye tracker calibration. The gaze data collected during authentication using text passwords can also be used to estimate the strength of the text password [9]. This means that employing gaze can benefit the authentication procedure in many ways, both when used alongside passwords and as an alternative authentication approach.

Predicting vulnerability to thermal attacks:

The second direction that was explored in this project is predicting vulnerability to thermal attacks by analysing the user's typing behaviour. Based on the results pertaining to the user's typing behaviour [4], we argue that typing behaviour can be a predictor of how vulnerable a user can be to thermal attacks. We were able to classify users into hunt-and-peck and fast typists by objectively analysing their typing behaviour. This means that future systems can leverage the typing behaviour to do the same in real time, and consequently take measures to improve security against thermal attacks. For example, these users may be required to use longer passwords, or they may be asked to provide random input after entering their passwords, so that the heat traces can be distorted.

Our paper on that is published in ACM TOPS [4]. It concludes with a discussion of how systems can protect users from thermal attacks by presenting 7 mitigation approaches that are based on our findings and previous work.
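
One way a login form could act on the typing-behaviour finding above, as an added example (not code from the project or from ThermoSecure): it classifies a typing sample from key timings only and selects the two mitigations the text mentions. The thresholds, minimum lengths, sample data and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class KeyTiming:
    # Timing only: key identity is deliberately not recorded for password fields.
    down_ms: int
    up_ms: int


# Assumed values (hypothetical); a deployment would calibrate them on its own data.
SLOW_INTERVAL_MS = 350      # median press-to-press gap at or above this looks like hunt-and-peck
MIN_ROLLOVER_RATIO = 0.10   # fast typists often press the next key before releasing the last
MIN_KEYSTROKES = 6          # too few keystrokes give an unreliable estimate
BASELINE_MIN_LENGTH = 12    # assumed site-wide minimum password length
HIGH_RISK_MIN_LENGTH = 16   # assumed minimum for users classified as hunt-and-peck


def features(timings):
    """Return keystroke-dynamics features for one typing sample."""
    if len(timings) < MIN_KEYSTROKES:
        raise ValueError("not enough keystrokes to classify typing behaviour")
    ordered = sorted(timings, key=lambda t: t.down_ms)
    if any(t.up_ms < t.down_ms for t in ordered):
        raise ValueError("key released before it was pressed")
    pairs = list(zip(ordered, ordered[1:]))
    intervals = [b.down_ms - a.down_ms for a, b in pairs]
    dwells = [t.up_ms - t.down_ms for t in ordered]
    # Rollover: the next key goes down while the previous one is still held.
    rollover = sum(1 for a, b in pairs if b.down_ms < a.up_ms) / len(pairs)
    return {
        "median_interval_ms": median(intervals),
        "median_dwell_ms": median(dwells),
        "rollover_ratio": rollover,
    }


def classify(timings):
    """Label a sample 'hunt_and_peck' or 'fast' using the assumed thresholds."""
    f = features(timings)
    slow = f["median_interval_ms"] >= SLOW_INTERVAL_MS
    no_rollover = f["rollover_ratio"] < MIN_ROLLOVER_RATIO
    return "hunt_and_peck" if slow and no_rollover else "fast"


def mitigation_policy(style, password_length):
    """Pick mitigations: a longer password and/or decoy input after entry."""
    actions = []
    required = HIGH_RISK_MIN_LENGTH if style == "hunt_and_peck" else BASELINE_MIN_LENGTH
    if password_length < required:
        actions.append(f"require_longer_password:{required}")
    if style == "hunt_and_peck":
        # Ask for random key presses after entry so the heat traces are distorted.
        actions.append("prompt_decoy_input")
    return actions


# Constructed samples (not measured data): one key every 600 ms held for 120 ms,
# and one key every 110 ms held for 140 ms (so consecutive presses overlap).
HUNT_AND_PECK_SAMPLE = [KeyTiming(i * 600, i * 600 + 120) for i in range(8)]
FAST_SAMPLE = [KeyTiming(i * 110, i * 110 + 140) for i in range(8)]

if __name__ == "__main__":
    for name, sample, length in (("slow", HUNT_AND_PECK_SAMPLE, 10),
                                 ("fast", FAST_SAMPLE, 14)):
        style = classify(sample)
        print(name, style, mitigation_policy(style, length))
```
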

Conclusion
The project successfully delivered the first datasets of thermal images of heat traces (see https://www.gla.ac.uk/schools/computing/research/researchsections/gist-section/thermalimagingattacks/datasets/). We have also contributed novel empirical results about the effectiveness of thermal attacks. Finally, we contributed methods to overcome thermal attacks by predicting vulnerability to thermal attacks, and by using alternative methods to enter passwords. We are still working on extending the work on preventing thermal attacks, and there are ongoing impact activities.


References
[1] Yomna Abdelrahman, Mohamed Khamis, Stefan Schneegass, and Florian Alt. 2017. Stay Cool! Understanding Thermal Attacks on Mobile-based User Authentication. In Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems (CHI '17). Association for Computing Machinery, New York, NY, USA, 3751-3763. DOI: https://doi.org/10.1145/3025453.3025461
[2] Yasmeen Abdrabou, Yomna Abdelrahman, Ahmed Ayman, Amr Elmougy, and Mohamed Khamis. 2020. Are Thermal Attacks Ubiquitous? When Non-Expert Attackers Use Off the shelf Thermal Cameras. In Proceedings of the International Conference on Advanced Visual Interfaces (AVI '20). Association for Computing Machinery, New York, NY, USA, Article 47, 1-5. DOI: https://doi.org/10.1145/3399715.3399819
[3] Yasmeen Abdrabou, Reem Hatem, Yomna Abdelrahman, Amr Elmougy, and Mohamed Khamis. (2021) Passphrases Beat Thermal Attacks: Evaluating Text Input Characteristics Against Thermal Attacks on Laptops and Smartphones. In: Ardito C. et al. (eds) Human-Computer Interaction - INTERACT 2021. INTERACT 2021. Lecture Notes in Computer Science, vol 12935. Springer, Cham. https://doi.org/10.1007/978-3-030-85610-6_41
[4] Norah Alotaibi, John Williamson, Mohamed Khamis. ThermoSecure: Investigating the effectiveness of AI-driven thermal attacks on commonly used computer keyboards. In the ACM Transactions on Privacy and Security (TOPS). https://dl.acm.org/doi/10.1145/3563693
[5] Christina Katsini, Yasmeen Abdrabou, George Raptis, Mohamed Khamis, Florian Alt. The Role of Eye Gaze in Security and Privacy Applications: Survey and Future HCI Research Directions. In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems (CHI 2020) - 24.31% acceptance rate. DOI: https://doi.org/10.1145/3313831.3376840
[6] Misahael Fernandez, Florian Mathis, Mohamed Khamis. GazeWheels: Recommendations for using Wheel Widgets for Feedback during Dwell-time Gaze Input. it - Information Technology, vol. 63, no. 3, 2021, pp. 145-156. DOI: https://doi.org/10.1515/itit-2020-0042
[7] Misahael Fernandez, Florian Mathis, Mohamed Khamis. GazeWheels: Comparing Dwell-time Feedback and Methods for Gaze Input. In Proceedings of the 11th Nordic Conference on Human-Computer Interaction (NordiCHI 2020). Association for Computing Machinery - 14.7% acceptance rate. DOI: http://dx.doi.org/10.1145/3419249.3420122
[8] Yasmeen Abdrabou, Ken Pfeuffer, Mohamed Khamis, Florian Alt. GazeLockPatterns: Comparing Authentication Using Gaze and Touch for Entering Lock Patterns. In Proceedings of the ACM International Symposium on Eye Tracking Research & Applications (ETRA 2020). DOI: https://doi.org/10.1145/3379156.3391371
[9] Yasmeen Abdrabou, Ahmed Shams, Mohamed Omar Mantawy, Anam Ahmad Khan, Mohamed Khamis, Florian Alt, Yomna Abdelrahman. GazeMeter: Exploring the Usage of Gaze Behaviour to enhance Password Assessments. In Proceedings of the ACM International Symposium on Eye Tracking Research & Applications (ETRA 2021)
[10] Ceenu George, Daniel Buschek, Andrea Ngao, Mohamed Khamis. GazeRoomLock: Using Gaze and Head-pose to Improve the Usability and Observation Resistance of 3D Passwords in Virtual Reality. In Proceedings of the 7th International Conference on Augmented Reality, Virtual Reality, and Computer Graphics (AVR 2020). DOI: https://doi.org/10.1007/978-3-030-58465-8_5
[11] Mohamed Khamis, Florian Alt. Privacy and Security in Augmentation Technologies. In "Technology-Augmented Perception and Cognition" (chapter 8). Springer Nature Switzerland AG. DOI: http://doi.org/10.1007/978-3-030-30457-7_8
Exploitation Route The work has been presented in multiple engagement activities, including demos in the International 2023 Augmented Humans Conference, the PETRAS showcase event, and Glasgow Science Festival. In addition, I've delivered several invited talks on that topic to raise awareness of our solutions.

Our ongoing work on mitigating thermal attacks can be used by a) manufacturers of thermal cameras, b) manufacturers of keyboards and touchscreens, and c) organizations that employ access control methods and need secure authentication mechanisms e.g. banks.

The datasets can be used by researchers and practitioners to build detectors of interfaces in thermal images. This can in turn be used to prevent the misuse of thermal cameras.

Our papers are useful to researchers in HCI, Security and Computer Vision as they advance state of the art in these fields.

The work is also relevant to policymakers. Ideally, there would be a policy in place that requires thermal camera manufacturers to implement methods similar to ours that would prevent their misuse.
Sectors Aerospace, Defence and Marine; Financial Services, and Management Consultancy; Government, Democracy and Justice; Retail; Security and Diplomacy

URL https://www.gla.ac.uk/schools/computing/research/researchsections/gist-section/thermalimagingattacks/
 
Description Facilitating Parental Insight and Moderation for Safe Social VR
Amount $75,000 (USD)
Organisation Facebook 
Sector Private
Country United States
Start 01/2022 
End 02/2023
 
Description Preventing THErmal ATtacks (PT.HEAT)
Amount £177,075 (GBP)
Organisation PETRAS National Centre of Excellence 
Sector Academic/University
Country United Kingdom
Start 11/2021 
End 04/2023
 
Title A Dataset of Thermal images of User Interfaces 
Description Thermal cameras are becoming more affordable. These cameras have many potential applications but can also be used for malicious purposes. In particular, thermal cameras can retrieve the heat traces left on interfaces as a result of interaction, which can in turn be used to reveal sensitive input on said interfaces, such as PINs or passwords. This dataset was created during an interactive user study investigating the threat of thermal attacks on user interfaces. We adapted the following experimental variables during data collection: 1) Two camera perspectives: A FLIR E8-XT camera was placed behind the participant and an Optris PI 450i camera was placed left of the participant. 2) Four types of input devices: a) smartphone, b) three keyboards - a PBT keyboard, an ABS keyboard, and a metal frame keyboard. 3) Three types of user input data (text, email address, password). In total, we have collected 1152 images from the FLIR camera and another 1152 images from the Optris camera during the study which was conducted with 32 participants. For each participant, we captured 36 thermal images. The created dataset can be used to evaluate the deep learning model developed to prevent thermal imaging attacks. Furthermore, the ground truth user input of text, email addresses, and passwords are structured along with the corresponding image ID so that the advanced data-driven models can be employed to identify user input and investigate the type of user input that can be easily cracked from thermal images using machine learning techniques. 
Type Of Material Database/Collection of data 
Year Produced 2022 
Provided To Others? Yes  
Impact We have utilized the dataset to evaluate the deep learning model developed to prevent thermal imaging attacks. Recently, one of our preliminary works has been accepted for presentation as a demo at the 27th Annual Conference on Intelligent User Interfaces, by University of Helsinki, Finland, March 21-25, 2022.
URL https://zenodo.org/record/5997104
 
Title Thermal Attacks Dataset (ThermoSecure) 
Description Thermal cameras can be utilized inconspicuously to expose heat traces left on input interfaces, posing a rising threat of a new front for side channel attacks. This research project aims to significantly contribute to and build on previous studies on thermal attacks by investigating deep learning models that can improve the accuracy of thermal attacks and testing them in real-world scenarios in an attempt to understand the impact of thermal attacks on user privacy and security. As part of the evaluation of our deep learning model, we captured and annotated 1,500 thermal images to create the first dataset of thermal images that capture the heat traces following an interaction (i.e. password entries). 
Type Of Material Database/Collection of data 
Year Produced 2022 
Provided To Others? Yes  
Impact This is the first dataset of thermal images of keyboards accompanied with usage logs. It will support researchers in developing methods to overcome thermal attacks. 
URL https://zenodo.org/record/7069957
 
Description Collaboration with CENSIS 
Organisation Innovation Centre for Sensor and Imaging Systems CENSIS
Country United Kingdom 
Sector Charity/Non Profit 
PI Contribution Dr Khamis approached CENSIS, which is Scotland's Innovation Centre for sensing, imaging and Internet of Things (IoT) technologies, when preparing the TAPS project proposal. CENSIS were invited to give feedback on the proposal and on the project outcomes.
Collaborator Contribution Dr Cade Wells from CENSIS has given us feedback on our plans for thermal attack mitigation. He also connected us with additional partners, namely the Scottish Business Resilience Center, and invited Dr Khamis to participate in an online panel about thermal imaging.
Impact CENSIS joined the PETRAS project, PT.HEAT, as a beneficiary and they are helping us with one of the workpackages.
Start Year 2021
 
Description Telecooperation Lab (Technical University of Darmstadt) 
Organisation Technical University of Darmstadt
Country Germany 
Sector Academic/University 
PI Contribution Our research team collected a dataset with thermal images from 64 participants interacting with different devices and materials in a data collection study. The participants were asked to type different types of input (email addresses, passwords, and phrases) on the devices. Further, participants were asked to perform different gestures on materials (paper, mirror, plastic, and painted wood). During the interaction, three cameras filmed the devices and materials: two were thermal cameras (above the participant and next to them), one was an RGB camera. Our team analysed this dataset using machine learning and deep learning, as well as inference statistics.
Collaborator Contribution Our partners currently analyse the collected dataset using image processing to identify the user input.
Impact The collaborators are currently working on a shared paper submission for the A*-ranked conference "Usenix Security". Our research team is contributing expertise from the disciplines of study design, statistical analysis and machine learning, while the Telecooperation Lab contributes their expertise on image processing.
Start Year 2021
 
Description 2022.09.05 Guest talk on "Security and Privacy in the Age of Ubiquitous Computing" at Aalto University, Finland
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Postgraduate students
Results and Impact 13 PhD students, postdocs and professors attended the talk. This initiated discussions for collaborations and follow up work on the thermal imaging research.
Year(s) Of Engagement Activity 2022
 
Description 2022.10.20 Invited talk on "Security and Privacy in the Age of Ubiquitous Computing" at Kore University of Enna, Italy.
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Undergraduate students
Results and Impact 50-60 students at different levels and academics attended the talk. There were follow up discussions. A funding application was submitted to the Royal Society of Edinburgh based on the collaboration discussions.
Year(s) Of Engagement Activity 2022
 
Description 2022.10.23 TV Interview on my work on thermal attacks on TalkTV 
Form Of Engagement Activity A broadcast e.g. TV/radio/film/podcast (other than news/press)
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Public/other audiences
Results and Impact My journal paper on thermal attacks published in 2022 led to an interview on TalkTV on 23 October 2023.
Year(s) Of Engagement Activity 2022
 
Description 2023.02.22 Presentation of Thermal Imaging Attacks research to the UK's National Authority for Counter Eavesdropping 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Policymakers/politicians
Results and Impact In February 2023, I led my team to present a demo of our ThermoSecure paper to the UK NACE. This led to discussions about a possible project funded by the NACE.
Year(s) Of Engagement Activity 2023
 
Description 2023.02.27 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Industry/Business
Results and Impact I gave an invited talk at Futurescot's Cyber Security in February 2023, Scotland's largest public sector cyber event.
Year(s) Of Engagement Activity 2023
URL https://futurescot.com/futurescot-events/cyber-security-2023/
 
Description 2023.03.13 Demo at the Augmented Humans 2023 conference 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact We presented a demo of the ThermoSecure work as well as our mitigation methods at the Augmented Humans 2023 demo track.
Year(s) Of Engagement Activity 2023
URL https://augmented-humans.org/
 
Description Demo for Barclays 
Form Of Engagement Activity Participation in an open day or visit at my research institution
Part Of Official Scheme? No
Geographic Reach Local
Primary Audience Industry/Business
Results and Impact In an event to encourage collaborations between Barclays and the University of Glasgow, we presented a poster about our work on thermal imaging. Shaun, who presented the poster, also brought a thermal camera to showcase some of our work in a live demo.
Year(s) Of Engagement Activity 2023
 
Description Expert Feedback Presentation 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Schools
Results and Impact The main goals of the research project were presented. This was followed by preliminary results (dataset, current status and challenges).
Experts from different domains (machine learning, security, HCI, and further computer scientists) provided feedback regarding the presented ideas and challenges.
The talk was delivered by Dr Marky and was an in-person event in the context of a research retreat organized by the Technical University of Darmstadt (Germany).
Year(s) Of Engagement Activity 2021
 
Description Interview by BBC Radio Scotland 
Form Of Engagement Activity A press release, press conference or response to a media enquiry/interview
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Public/other audiences
Results and Impact The article https://www.independent.co.uk/tech/heat-atm-security-privacy-scottish-b2199345.html led to many interview requests, one of those by BBC Radio Scotland.
Year(s) Of Engagement Activity 2022
 
Description Invited talk at the University of Lisbon in Portugal 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach Local
Primary Audience Undergraduate students
Results and Impact Dr Khamis delivered an invited talk on "Security and Privacy in the age of Ubiquitous Computing" in an undergraduate course on Human-Computer Interaction on 27/04/2021. The talk presented our work on thermal imaging attacks and how our use of empirical methods helps understand security threats further, and allows us to design novel and effective mitigation methods. The talk was delivered online due to COVID-19.
Year(s) Of Engagement Activity 2021
 
Description Invited talk in King's College London (KCL) 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach Local
Primary Audience Postgraduate students
Results and Impact Dr Khamis gave a talk on Security and Privacy in the age of ubiquitous computing on 28/09/2021. The talk drew on several outcomes from our team's work on thermal imaging attacks.
Year(s) Of Engagement Activity 2021
 
Description Invited talk in University College London (UCL) 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach Local
Primary Audience Postgraduate students
Results and Impact Dr Khamis gave a talk on Security and Privacy in the age of ubiquitous computing on 08/01/2022. The talk drew on several outcomes from our team's work on thermal imaging attacks.
Year(s) Of Engagement Activity 2022
URL https://www.youtube.com/watch?v=THs2yIfBpoA&ab_channel=UCLInformationSecurityResearchGroup
 
Description News coverage by 200+ international news outlets 
Form Of Engagement Activity A magazine, newsletter or online publication
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Public/other audiences
Results and Impact Our paper titled "ThermoSecure: Investigating the effectiveness of AI-driven thermal attacks on commonly used computer keyboards." received media attention from 200+ online news outlets including The Independent, Bloomberg, The Telegraph, and others. Examples below:
https://www.independent.co.uk/tech/heat-atm-security-privacy-scottish-b2199345.html
https://news.stv.tv/west-central/heat-from-fingertips-can-be-used-to-crack-passwords-in-seconds-glasgow-university-researchers-show
https://www.telegraph.co.uk/news/2022/10/10/why-heat-fingertips-could-make-vulnerable-hackers/
https://inews.co.uk/news/thermal-attack-technology-scammers-crack-passwords-pins-heat-fingers-warn-experts-1903250
https://www.dailymail.co.uk/video/sciencetech/video-2791653/Video-Heat-fingertips-used-crack-passwords-study-finds.html
https://www.the-sun.com/tech/6407814/security-warning-password-pin-stealing-heat-camera/
https://futurescot.com/glasgow-researchers-warn-of-thermal-cyberattacks-using-fingertip-heat-trace/
https://www.digit.fyi/thermal-attack-system-heat-tracing-tech-passwords/
https://www.aol.co.uk/heat-fingertips-used-crack-passwords-102357793.html?guccounter=1
Year(s) Of Engagement Activity 2022
 
Description Presentation and interactive demo at the PETRAS Networking & Research Showcase conference 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Other audiences
Results and Impact The participation included a presentation to the academic members of PETRAS, followed by an interactive demo that was open to policy consultants, industry practitioners and more.
Year(s) Of Engagement Activity 2022
 
Description Project Presentation 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Postgraduate students
Results and Impact The project's goal and research questions were presented to PhD students, postdocs and professors of the research training group "Privacy and Trust for Mobile Users" at the Technical University of Darmstadt, University of Kassel and University of Frankfurt (all in Germany). This was done in two talks in November 2021 and March 2022.
The talks were primarily to raise awareness about the topic and side-channel attacks in general. The talks were delivered by Dr Marky; the first one was an in-person event and the second one was online.
Year(s) Of Engagement Activity 2021, 2022
URL https://www.informatik.tu-darmstadt.de/privacy-trust/privacy_and_trust/news_2/news_details_252800.en...
 
Description Showcased an interactive demo at the Glasgow Science Festival 2022 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Schools
Results and Impact The participation included an interactive demo that was open to visitors of the Glasgow Science Festival. School students and their parents, teachers, and the general public participated in our demo session, where the task was to type some random four-digit PINs on an ATM keypad. Our system identified the PIN and obfuscated the thermal images as a mitigation to prevent thermal attacks. The participants understood thermal attacks and expressed their concern that this is a new emerging threat they hadn't thought of before.
Year(s) Of Engagement Activity 2022
 
Description Talk on Human-centered Security to the Health & Safety Executive (HSE) 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach Local
Primary Audience Professional Practitioners
Results and Impact Dr Khamis delivered an online workshop on human-centered security to the Health & Safety Executive (HSE) on 01/07/2021. He drew on his experience in user-centered design, HCI and usable security to explain why human factors should be an important consideration when making cybersecurity-related decisions in organizations.
Year(s) Of Engagement Activity 2021
 
Description Talk on "Thermal imaging attacks; what they are, how they work and how they can be mitigated" at the industry advisory board meeting at the University of Glasgow.
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach Local
Primary Audience Industry/Business
Results and Impact This talk was attended by about 20 members of the Industry Advisory Board of the School of Computing Science at the University of Glasgow. The discussions allowed me to collect feedback from industry practitioners that
Year(s) Of Engagement Activity 2022