WindTalker can infer keystrokes on mobile devices through Wi-Fi side channels

Security researchers have devised a way of discovering passwords and other sensitive data by observing how bodily movements interfere with Wi-Fi signals.

The researchers, from Shanghai Jiao Tong University, the University of Massachusetts at Boston, and the University of South Florida, found that they could recover private information by analysing how the victim's body perturbs the Wi-Fi channel between the phone and a malicious access point, as reported in the channel state information (CSI) that the access point's Wi-Fi hardware measures.

According to a paper published by the researchers, a framework they set up, dubbed WindTalker, can enable a hacker to infer the sensitive keystrokes on a mobile device through Wi-Fi-based side-channel information. 

They said that keystrokes on a mobile device change how the hand covers the device and how the fingers move, which introduces a unique interference pattern into the multi-path Wi-Fi signal; that pattern is reflected in the channel state information (CSI), the per-subcarrier channel response a Wi-Fi receiver measures for each frame it decodes.

“The adversary can exploit the strong correlation between the CSI fluctuation and the keystrokes to infer the user's number input,” said the paper's authors. “WindTalker presents a novel approach to collect the target's CSI data by deploying a public WiFi hotspot. Compared with the previous keystroke inference approach, WindTalker neither deploys external devices close to the target device nor compromises the target device.”

WindTalker uses a public Wi-Fi hotspot under the attacker's control to collect the victim's CSI data, which is easy to deploy and difficult to detect. In addition, it analyses the traffic and the CSI jointly, so that keystroke inference runs only during the sensitive period in which a password is being entered, rather than over everything the victim does on the phone.

“WindTalker can be launched without the requirement of visually seeing the smartphone user's input process, backside motion, or installing any malware on the tablet,” said the researchers.

They also implemented WindTalker on several mobile phones and performed a detailed case study evaluating password inference against Alipay, which the paper describes as the largest mobile payment platform in the world. The evaluation showed that the attacker can recover the entered PIN with a high success rate.

The researchers said that one of the most straightforward defence strategies is to randomise the layout of the PIN keypad, so that the attacker cannot recover the typed PIN even if they can infer the keystroke positions on the touchscreen. But the researchers added that a more practical defence is to prevent the collection of CSI data in the first place. “For example, the user refuses to connect to free public Wi-Fi or pays attention to the deployed Wi-Fi devices nearby,” they said.
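To make the pipeline in the paragraphs above concrete (narrowing the CSI trace to the sensitive period using the traffic the hotspot sees, segmenting it into keystrokes, matching each segment to a per-position template, and then the keypad-randomisation defence), here is an added Python example. It is not code from the WindTalker paper or its authors: the CSI trace, the per-position templates, the traffic log, the host name pay.example, the four-key keypad and both layouts are constructed for illustration, and the dynamic time warping (DTW) matcher is a simple stand-in for the paper's classifier.

```python
"""Toy WindTalker-style keystroke inference over constructed CSI samples.

Added illustration, not code from the WindTalker paper. The CSI trace,
per-position templates, traffic log and keypad layouts are all constructed.
"""
import math

BASELINE = 1.0               # constructed: normalised CSI amplitude with no touch
SAMPLE_HZ = 100              # constructed: CSI samples per second
PAYMENT_HOST = "pay.example" # hypothetical payment-server host name

# Constructed per-position fingerprints: the CSI amplitude deviation a touch
# at each of four keypad positions produces. A real attacker learns these in
# a training phase by typing known PINs on the same phone model.
TEMPLATES = {
    0: [0.0, 0.5, 1.0, 0.5, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0],  # small, early peak
    1: [0.0, 0.0, 0.5, 1.5, 2.0, 1.5, 0.5, 0.0, 0.0, 0.0],  # centred peak
    2: [0.0, 0.0, 0.0, 0.0, 0.0, 1.0, 2.5, 3.0, 1.0, 0.0],  # large, late peak
    3: [0.0, 1.0, 2.0, 0.5, 0.0, 0.5, 2.0, 1.0, 0.0, 0.0],  # double bump
}
FIXED_LAYOUT = {0: "1", 1: "2", 2: "3", 3: "4"}  # constructed 4-key keypad
# Constructed per-session layout; a real app would draw it with
# secrets.SystemRandom().shuffle() each time the keypad is shown.
SESSION_LAYOUT = {0: "4", 1: "3", 2: "1", 3: "2"}

# Constructed traffic metadata seen by the hotspot: (seconds, destination host).
FLOWS = [(0.2, "cdn.example"), (0.9, PAYMENT_HOST),
         (2.6, PAYMENT_HOST), (2.9, "cdn.example")]


def sensitive_window(flows, host, margin_s=0.1):
    """Sample-index window around the victim's traffic to the payment server."""
    times = [t for t, dst in flows if dst == host]
    if not times:
        return None
    return (round((min(times) - margin_s) * SAMPLE_HZ),
            round((max(times) + margin_s) * SAMPLE_HZ))


def make_trace(events, length=300, noise_amp=0.03):
    """Baseline plus a deterministic ripple, with one template added per touch."""
    trace = [BASELINE + noise_amp * math.sin(0.9 * i + 0.3) for i in range(length)]
    for start, pos in events:
        for k, v in enumerate(TEMPLATES[pos]):
            trace[start + k] += v
    return trace


def segment(trace, lo, hi, thresh=0.3, pad=2, gap=3):
    """Split [lo, hi) into keystroke segments where |CSI - baseline| > thresh."""
    active = [i for i in range(lo, hi) if abs(trace[i] - BASELINE) > thresh]
    runs = []
    for i in active:
        if runs and i - runs[-1][1] <= gap:
            runs[-1][1] = i          # extend the current run across a short gap
        else:
            runs.append([i, i])
    return [(max(lo, s - pad), min(hi, e + pad + 1)) for s, e in runs]


def dtw(a, b):
    """Dynamic time warping distance; tolerates segments of differing length."""
    cost = [[math.inf] * (len(b) + 1) for _ in range(len(a) + 1)]
    cost[0][0] = 0.0
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d = abs(a[i - 1] - b[j - 1])
            cost[i][j] = d + min(cost[i - 1][j], cost[i][j - 1], cost[i - 1][j - 1])
    return cost[-1][-1]


def classify(samples):
    """Nearest template (by DTW) to the segment's deviation from baseline."""
    dev = [x - BASELINE for x in samples]
    return min(TEMPLATES, key=lambda pos: dtw(dev, TEMPLATES[pos]))


def infer_positions(trace, window):
    lo, hi = window
    return [classify(trace[s:e]) for s, e in segment(trace, lo, hi)]


def pin_to_positions(pin, layout):
    digit_at = {d: p for p, d in layout.items()}
    return [digit_at[d] for d in pin]


def positions_to_pin(positions, layout):
    return "".join(layout[p] for p in positions)


# Constructed session: a scroll gesture at sample 30 (outside the payment
# window) and the PIN 3142 typed on the fixed layout inside it.
PIN = "3142"
EVENTS = [(30, 1)] + [(110 + 30 * k, p)
                      for k, p in enumerate(pin_to_positions(PIN, FIXED_LAYOUT))]
TRACE = make_trace(EVENTS)

if __name__ == "__main__":
    window = sensitive_window(FLOWS, PAYMENT_HOST)
    positions = infer_positions(TRACE, window)
    print("window", window, "positions", positions,
          "-> PIN under fixed layout:", positions_to_pin(positions, FIXED_LAYOUT))
    # Same PIN typed on a randomised layout: the attacker still recovers the
    # touched positions, but mapping them through the layout he assumes gives
    # the wrong PIN.
    shuffled = make_trace([(110 + 30 * k, p) for k, p in
                           enumerate(pin_to_positions(PIN, SESSION_LAYOUT))])
    guess = positions_to_pin(infer_positions(shuffled, window), FIXED_LAYOUT)
    print("randomised layout: attacker guesses", guess, "actual", PIN)
```

Two things the toy makes visible that the prose does not: the traffic window is what keeps the scroll gesture at sample 30 out of the analysis, so a defence that hides which server the phone is talking to (a VPN, or simply not joining the hotspot) removes the attacker's cue for when to listen; and keypad randomisation leaves the physical-layer inference fully intact, it only breaks the final position-to-digit mapping, which is why the paper calls CSI denial the more practical defence.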

Mark James, security specialist at ESET, told SCMagazineUK.com that any attack, if successful, is a real threat and should be treated as such.

“What we need to do is understand the potential of seeing this attack being used and the likelihood of encountering it,” he said.

“We see many new and unique methods of gathering information on a regular basis, some attainable and some requiring very specific hardware to accomplish. Securing our devices is the same as securing other aspects of our lives; understand the threat, have a realistic view of what we can do and put in place the best measures we can to protect ourselves.”

Alex Mathews, EMEA technical manager of Positive Technologies, said that the idea to use Wi-Fi as a "cheap radar" isn't new. In 2013, Dina Katabi from MIT's Department of Electrical Engineering and Computer Science showed how low-power Wi-Fi signals could be used to track moving humans in buildings, even through walls.

“So it's not beyond the realms of possibility that RFID reading signals could be used to guess what area of an iPhone screen is touched,” he told SC.

“It's hard to estimate how this attack would work in the wild in reality as there are potentially some obstacles. Here are some things that would affect feasibility – it only works over short distances; you can only target one person at a time, so it won't work if there are several people all using their smartphones.

“There's a degree of research involved meaning a lot of statistics should be collected in advance. Another consideration is that different phone models will work differently which may affect success, also you'd need to determine the keyboard layout of the target. Also physically performing the attack as a hacker could be spotted given he has to transmit a signal in the first place,” he said.

“In summary, there are other easier ways to learn someone's password.”