Testing a side-channel attack technique called WindTalker, researchers guessed the six-digit password that volunteers entered into their phones nine out of 10 times, when given 100 guesses or fewer.
Testing a side-channel attack technique called WindTalker, researchers guessed the six-digit password that volunteers entered into their phones nine out of 10 times, when given 100 guesses or fewer.

Academic researchers at three universities have developed a technique for measuring Wi-Fi signal interference caused by an individual's fingers in order to guess what numerical password that person just entered on the device screen.

This side-channel attack, named WindTalker by its creators, works by using a malicious Wi-Fi network to hone in on a device's Channel State Information (CSI), a sequence of readings that describes the current properties of a wireless communication link between a transmitter and receiver. According to the study, a user's hand and finger movements can create subtle fluctuations in CSI data, which can be mathematically interpreted to correspond to the touching of numbers on a device's keypad.

Entitled “When CSI Meets Public Wi-Fi: Inferring Your Mobile Phone Password via Wi-Fi Signals,” the study was published last month and conducted by Mengyuan Li, Yan Meng, Junyi Liu, Haojin Zhu and Na Ruan from Shanghai Jiao Tong University; Xiaohui Liang from the University of Massachusetts at Boston; and Yao Liu at the University of South Florida.

In an experiment conducted on the Samsung Galaxy Note 5, Xiaomi Redmi Note 3 and Nexus 5 phones using 10 volunteers – each with her or her own unique hand movements – the researchers attempted to guess 10 different six-character passwords using this technique. They were able to guess two of the passwords in five tries or less, four passwords in 10 tries or less, seven passwords in 50 tries or less and nine passwords in 100 tries or less. The researchers chose a continuous six-bit password input because that is what is required from the popular Chinese payment platform Alipay.

In a separate test in which volunteers were asked to key in the numbers zero through nine, the researchers found that WindTalker was accurate in guessing an inputted number on the Xiaomi phone 81.8 percent of the time, on the Nexus phone 73.2 percent of the time and on the Samsung phone 64 percent of the time.

WindTalker is easy to set up, requiring a commercial laptop with an Intel 5300 network interface controller and an Intel driver modified to collect CSI data via the ICMP protocol. The system, which is also outfitted with an external directional antenna and two mini-directional antennas, acts as an openly accessible Wi-Fi network that an attacker could plant in a public space. In this study, the Wi-Fi signal was set up in a cafeteria environment and placed at a distance of 75 cm from the user's device.

Another key component of WindTalker is Wireshark, an open-source packet analyzer, used to collect Wi-Fi traffic data and CSI data while connected. By examining key metadata such as the IP address of the site a user is actively visiting (information that is not protected by the HTTPS protocol), Wireshark helps WindTalker know when users visited a page where they likely inputted key information such as a password. WindTalker then examines CSI data during this critical window of time and begins to discern fluctuations in the readings, correlating them with users' hand movements.

According to the report, WindTalker carries certain advantages over other attacks that leverage side channels to guess inputs on target devices – attacks that might, for instance, look for subtle changes in microphone acoustic signals or electromagnetic radio antenna signals. “Unlike prior side-channel attacks or traditional CSI-based gesture recognition, WindTalker neither deploys external devices close to the target device nor compromises any part of the target device,” the report explains. “Instead, WindTalker setups a ‘rogue' hotspot to lure the target user with free Wi-Fi service, which is easy to deploy and difficult to detect.”

With that said, the researchers noted several limitations that currently temper the effectiveness of WindTalker in a real-world scenario. For starters, the technique does not work on iPhones and certain Android smartphones. Also, the experiment required the volunteers to be relatively constrained with their hand gestures while the phone rested on a table surface. And the volunteers needed to train the system to learn their input patterns.

Still, such impediments could be fixed over time – for example, WindTalker could perhaps be trained to recognize a user's input patterns by requiring the user to type in a text CAPTCHA before accessing the free Wi-Fi network.

SC Media reached out to a contact email listed on the report, and has asked for additional comment from the researchers.