Researchers in a team from Shanghai, Boston and Tampa recently published a temptingly titled paper about password stealing.
Dubbed When CSI Meets Public Wi-Fi: Inferring Your Mobile Phone Password via Wi-Fi Signals, the paper makes you think of Crime Scene Investigation, but that’s just a handy collision of acronyms.
This CSI is short for “channel state information,” a collection of readings that describes what’s happening at the lowest level of the data link between a Wi-Fi sender, such as your laptop, and a receiver, such as an access point.
If you remember the cassette tapes on which early home computer programs were stored, you’ll know that there wasn’t much CSI going on: there were typically two sound frequencies, 1200Hz and 2400Hz, and the pitch of the recording warbled between them every few milliseconds to denote zeros and ones.
In modern Wi-Fi standards, however, connections are much more complex, with each radio channel divided into many sub-channels that transmit in parallel, and multiple antennas that measure different signal paths, thus turning echoes and reflections into an advantage, not a liability.
Chopping your radio spectrum into lots of sub-channels is a bit like sending 20 bicycle couriers across town at the same time, each carrying a modest amount of correspondence, instead of stuffing the whole lot in a van and delivering it in one go.
When you have numerous independent delivery channels, your throughput copes much better with localised interference, because you haven’t got all your communication eggs in one basket.
Now imagine that you have a stream of real-time information about what route each courier is taking, and how much progress each of them has made so far.
You can build up a picture of what the traffic looks like in various parts of the city, and you can guess at what’s causing the various holdups.
After all, protesters converging on parliament cause a different pattern of disruption than a pile-up on the airport access road.
That’s the kind of approach that the researchers tried in this paper.
They used specially modified firmware downloaded into a Wi-Fi network card to create an access point that could keep track of minute variations in the underlying communication signal and correlate those changes with your typing.
They dubbed their attack WindTalker.
Their idea was that if they could get their rogue access point close enough to your phone, then the interference caused even by your fingers moving in front of the on-screen keyboard might produce detectable differences in the CSI data that they measured.
And if they could guess when you were about to start entering a PIN using just 10 widely spaced positions on the screen, rather than when you were busy with the more complicated business of navigating through a web form or typing words from the entire keyboard…
…then they could focus their attention on the moments when they had the best chance of success.
Limitations of the attack
The paper is mathematically rather technical: it helps if you are already familiar with techniques such as discrete wavelet transforms, dynamic time warping and machine learning.
But the bottom line, in brief, is that the researchers claim modest success in guessing PINs tapped in on mobile phones, based on Wi-Fi interference caused by the fingers doing the tapping.
Fortunately, the current version of the attack seems to have many limitations:
- The attack only works with one model of Wi-Fi network card, which limits the range of Wi-Fi devices that can be modified for malicious purposes.
- The attack relies on modified firmware code that is prone to crashing, which limits its usefulness.
- The attack only works on unencrypted networks, because the authors haven’t yet managed to squeeze both the CSI-grabbing code and Wi-Fi decryption code into the limited firmware space available.
- The tests were done in what looks like a rather sterile radio environment, without the levels of interference you might expect in real life.
- The attack relies on a consistent stream of network replies from your phone (800 ping replies per second) to form the basis of the CSI measurements, a rate that we found hard to maintain when we tried in an office environment.
- The attack doesn’t yet seem to scale from PIN entry to full-on passwords, so it isn’t applicable to all login pages you may use.
- The attack is thwarted by two-factor authentication (2FA), because it relies on guessing a password that can be re-used indefinitely.
What to do?
You can probably guess our advice in this case.
Use 2FA whenever you can, and you will be taking a big step towards a digital lifestyle in which you greatly reduce the risk of sniffed and stolen passwords.
If the crooks can’t figure out what tomorrow’s login code is going to be, there’s no longer much point in stealing today’s.
9 comments on “Wi-Fi shadows cast by your fingers could leak your password”
An odd mix of radar and time domain reflectometry.
Good writing, as always, and good writing makes for good reading. The courier comparison was a nice touch.
Thanks. I appreciate your kind words.
Yes; I was thinking that…the “infer traffic patterns via bicyclist telemetry” is a great metaphor; even if it didn’t relate to this project it still would be rather incisive.
I cheated a little bit – the metaphor doesn’t work in London, for example. If you have ever ridden there, you will know that there is only one rule, at least if you’re a dispatch rider. “Stop for no one; stop for nothing :-)” It’s like being in a never-ending alleycat race.
Wouldn’t this be prevented if mobile phones still had antennas?
You mean external antennas that were away from your hand a bit 🙂 We shall never know, because old phones with antennas don’t have Wi-Fi to do an experiment, and if they had, it wouldn’t have been MIMO anyway. You used to get more recent phones with external antenna connectors, but I haven’t seen one in a while, and I think they were for the GSM radio only.
My recommendation is that if you’re in a coffee shop, sit near something with lots of electromagnetic noise, e.g. the coffee grinder.
Your cassette tape frequency explanation made me chuckle. I used to have a ZX Spectrum and I didn’t know, until reading this, that computer games were recorded onto tape using 2 tones to denote zeros and ones. That explains the hours that I spent failing to get a knackered stretched tape to work 🙂
Some encodings were a bit more sophisticated than that, but not by much. I had a computer that IIRC supported 300, 1200 or 2400 bits/sec. 2400 was obviously much better for loading stuff you used a lot, but you had to save twice at 2400 then at 300 afterwards if you wanted a fighting chance of one of your loads to work later on. That made 1200 much quicker when saving, because it was mostly OK done once.