A group of researchers from the Shanghai Jaio Tong University, the University of South Florida and the University of Massachusetts at Boston have demonstrated a new technique that can reveal private information by analyzing the radio signal Interference, using just one rogue WiFi hotspot.
Dubbed WindTalker, the attack sniffs a user's fingers movement on the phone's touchscreen or a computer's keyboard by reading the radio signal patterns called Channel State Information (CSI).
CSI is part of the WiFi protocol which provides general information about the status of the WiFi signal.
"WindTalker is motivated from the observation that keystrokes on mobile devices will lead to different hand coverage and the finger motions, which will introduce a unique interference to the multi-path signals and can be reflected by the channel state information (CSI)," the researchers writes in their paper titled, 'When CSI Meets Public WiFi: Inferring Your Mobile Phone Password via WiFi Signals.'
"The adversary can exploit the strong correlation between the CSI fluctuation and the keystrokes to infer the user’s number input."
Here’s How An Attacker Track your fingers moves on a smartphone screen:
Now, hackers with control to a public Wi-Fi hotspot to which your device is connected to could then intercept, analyze, and reverse engineer those signals to accurately guess what sensitive data you have typed into your phone or in password input fields.
The WindTalker attack is particularly effective as it does not require any access to the victim's phone and works with regular mobile phones.
The attack needs the hacker to control a rogue WiFi access point to which the target will connect to and collect WiFi signal disturbances.
WindTalker will also not work with older internet router that has one antenna to broadcast Wi-Fi signals around your home, as it relies on a technology called Multiple Input, Multiple Output (MIMO).
WindTalker Attack has an Over 68% AccuracyThe researchers tested the WindTalker attack in a real-world scenario against several mobile phones and were able to recover the 6-digit transaction PIN required to complete a mobile payment transaction via Chinese Payment Service Alipay.
The researchers said, "the evaluation results show that the attacker can recover the key with a high successful rate."
"In practice, the attackers have more choices to achieve the user specific training. For example, it can simply offer the user free WiFi access and, as the return, the victim should finish the online training by clicking the designated numbers. It can also mimic a Text Captchas to require the victim to input the chosen numbers," the researchers said. "Even if there is only one training sample for one keystroke, WindTalker can still achieve a whole recovery rate of 68.3%."The accuracy of the WindTalker attack is different based on mobile phone models, and the accuracy could also be improved with users typing more and the attacker collecting more data on it.
The WindTalker attack technique was also presented at the 23rd Association for Computing Machinery Conference on Computer and Communications Security, held in Vienna, Austria, from 24 to 28 October.