Researchers reveal WiFi-based mobile password discovery attack

A group of researchers has come up with WindTalker, a new attack method for discovering users’ passwords and PINs as they enter them into their smartphones.

WindTalker is the name of the attack, and the name of the keystroke inference framework that allows an attacker to perform it.

WindTalker framework

“WindTalker is motivated from the observation that keystrokes on mobile devices will lead to different hand coverage and the finger motions, which will introduce a unique interference to the multi-path signals and can be reflected by the channel state information (CSI),” the researchers noted. “The adversary can exploit the strong correlation between the CSI fluctuation and the keystrokes to infer the user’s number input.”

In order to collect the target’s CSI data, the attacker needs to set up a public WiFi access point to which the target will connect. No visual contact with the user is required, nor any type of compromise of the target’s device.

“WindTalker is built with the off-the-shelf hardware, which is actually a commercial laptop computer equipped with Intel 5300 NIC with one external directional antenna and two omni-directional antennas,” they explained. “WindTalker also serves as the WiFi hotspot to attract the users to access to the WiFi. The laptop runs Ubuntu 14.04 LTS with a modified Intel driver to collect CSI data.”

The researchers tested the attack against several mobile phones, and were specifically after the 6-digit password required to finish a mobile payment transaction via Alipay, the largest mobile payment platform in the world. They tested the setup in a cafeteria-like environment, and found that they could recover entered passwords and PINs with a high success rate.

The attack is more or less successful depending on the distance between the victim’s mobile device and the access point, as well as on the relative direction between the victim and the attacker.

Also, the attack is more successful if the system has had a chance to be “trained” by the victims themselves.

“Using WindTalker, the victim’s input can be recognized via the classifiers trained from the same user,” the researchers noted.

“In practice, the attackers have more choices to achieve the user specific training. For example, it can simply offer the user free WiFi access and, as the return, the victim should finish the online training by clicking the designated numbers. It can also mimic a Text Captchas to require the victim to input the chosen numbers. (…) Even if there is only one training sample for one keystroke, WindTalker can still achieve whole recovery rate of 68.3%.”

The attack, the researchers pointed out, is easy to deploy and difficult to detect, but can also be easily thwarted either by randomizing the layout of the PIN keypad, or by preventing the collection of CSI data.

The latter can be effected in several ways, such as making sure that the setup can’t be deployed near the users, CSI data obfuscation, and the detection and prevention of the high-frequency ICMP pings the attacker must send to the device in order to collect CSI data.
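The last countermeasure above can be approximated on the device or network side with a simple rate check: an access point that is polling a client with ICMP echo requests hundreds of times per second stands out against normal traffic. The following is an added example written for this article, not code from the researchers; the log line format and the sample traffic are constructed, and the threshold is an assumed value to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, hypothetical log format (not from the article): one ICMP echo
# request per line as "<ISO timestamp> ICMP echo-request <src> -> <dst>".
LINE_RE = re.compile(r"^(?P<ts>\S+) ICMP echo-request (?P<src>\S+) -> (?P<dst>\S+)$")


def parse_line(line):
    """Return (timestamp, src, dst) for a matching line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("src"), m.group("dst")


def peak_icmp_rates(lines, window=timedelta(seconds=1)):
    """Peak number of echo requests seen from each source in any sliding window."""
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    peaks = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, _ = parsed
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # drop timestamps older than the window
            q.popleft()
        peaks[src] = max(peaks[src], len(q))
    return dict(peaks)


def flagged_sources(lines, threshold=50, window=timedelta(seconds=1)):
    """Sources whose peak rate exceeds the assumed threshold of requests per window."""
    return {src for src, peak in peak_icmp_rates(lines, window).items() if peak > threshold}


def constructed_sample():
    """Constructed traffic: a gateway pinging a client at 200/s for 2 s, plus a host pinging once per second."""
    base = datetime(2016, 11, 10, 12, 0, 0)
    lines = [f"{(base + timedelta(milliseconds=5 * i)).isoformat()} ICMP echo-request 192.168.1.1 -> 192.168.1.23"
             for i in range(400)]
    lines += [f"{(base + timedelta(seconds=i)).isoformat()} ICMP echo-request 192.168.1.50 -> 192.168.1.23"
              for i in range(5)]
    return lines


if __name__ == "__main__":
    print(flagged_sources(constructed_sample()))  # the polling gateway only
```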