WiKI-Eve: Intercepting Smartphone Keystrokes via WiFi for Password Theft

A newly identified attack, named ‘WiKI-Eve,’ has the capability to intercept the cleartext transmissions of smartphones connected to modern WiFi routers. This attack can deduce individual numeric keystrokes with an accuracy rate of up to 90%, thereby enabling the theft of numeric passwords.

WiKI-Eve takes advantage of BFI (beamforming feedback information), a feature introduced with WiFi 5 (802.11ac) in 2013. BFI allows devices to send feedback about their position to routers, aiding in the precise direction of their signals.

Overview of the WiKI-Eve attack (arxiv.org)

However, the vulnerability lies in the fact that BFI data is exchanged in cleartext, making it susceptible to interception and immediate use, without the need for hardware hacking or encryption key cracking.

This security gap was discovered by a group of researchers from universities in China and Singapore. They conducted tests to retrieve potential secrets from these transmissions.

Their findings revealed that it’s relatively easy to identify numeric keystrokes with an accuracy rate of 90%, decode 6-digit numeric passwords with an 85% accuracy, and discern complex app passwords with an accuracy rate of approximately 66%.

While this attack specifically targets numeric passwords, a study by NordPass showed that 16 out of the top 20 passwords are purely numeric.

WiKI-Eve Attack

The WiKI-Eve attack operates in real-time, intercepting WiFi signals during password entry. To carry out this attack, the attacker must actively monitor the target while they use their smartphone and attempt to access a specific application.

Finger movement and taps creating BFI signal variations (arxiv.org)

Identification of the target is crucial, and the attacker may use an identity indicator on the network, such as a MAC address, requiring some preparatory work.

In the attack’s primary phase, the attacker captures the victim’s BFI time series during password entry using a traffic monitoring tool like Wireshark. Each time the user presses a key, it affects the WiFi antennas behind the screen, generating a distinct WiFi signal.

However, the recorded BFI series may blur the boundaries between keystrokes. To address this, the researchers developed an algorithm to parse and restore usable data.

Neural model to parse captured data (arxiv.org)

To filter out factors that could interfere with results, such as typing style, speed, adjacent keystrokes, and more, machine learning in the form of a “1-D Convolutional Neural Network” is employed.

The researchers used this system to consistently recognize keystrokes, regardless of typing styles, through a concept called “domain adaptation,” which includes a feature extractor, a keystroke classifier, and a domain discriminator.

Training of ML framework for WiKI-Eve (arxiv.org)

Ultimately, a “Gradient Reversal Layer” (GRL) is applied to suppress domain-specific features, allowing the model to learn consistent keystroke representations across domains.

WiKI-Eve attack steps (arxiv.org)

Results of the Attack

In experiments with WiKI-Eve using a laptop and WireShark, the researchers also noted that a smartphone could be used as an attacking device, although it may have limitations regarding the number of supported WiFi protocols.

The experiments, which involved 20 participants using various phone models and typing different passwords, showed that WiKI-Eve’s keystroke classification accuracy remained stable at 88.9% when employing sparse recovery algorithms and domain adaptation.

Overall accuracy of WiKI-Eve compared to CSI-targeting models (arxiv.org)

Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?

If you want to express your idea in an article contact us here for a quote: [email protected]

Source: bleepingcomputer.com

Source Link