Inferring Your Mobile Phone Password via WiFi Signals (opens in new tab)

(fermatslibrary.com)

340 pointspogba1019y ago64 comments

64 comments

For those who want more information on CSI (Channel State Information):

http://dhalperi.github.io/linux-80211n-csitool/

This allows you to use a custom firmware developed for the Intel 5300 wireless adapter and read the CSI values with each packet.

Every 802.11n implementation that I am aware of keeps a CSI vector (IQ values, typically as integers) within the wifi chip. Both the Wifi AP and STA do this. The CSI vector is updated with every packet, using the training data at the beginning of the packet. (802.11 is CSMA [2] so there is a fixed transmission to start the packet)

In other words, Intel has this nice tool for one of their (now somewhat dated) chips. But CSI is not restricted to Intel chips. Atheros chips have a decent but limited CSI readback method, not quite as nice as Intel's [3]. But CSI has been used for experiments on all major wifi chips out there.

With 802.11n this is used to determine the quality of signal likely to be received on each sub-carrier within the signal.

CSI is useful for many other things: RF experiments, indoor position sensing, and now apparently also password cracking.

[2] https://en.wikipedia.org/wiki/Carrier_sense_multiple_access_...

[3] http://pdcc.ntu.edu.sg/wands/Atheros/

gefh9y ago

Holy shit. From a brief scan it looks like the paper concentrates on recovering a numeric pin, but these attacks never get worse, only better, so I assume full keyboard access is not too far off. What's the defense? Have your phone manage the passwords and unlock via fingerprint?

gene-h9y ago

Well if one modifies the channel state information in an unpredictable manner while performing sensitive operations, it becomes very difficult to extract any information. The simplest way to do this might be to fidget. Use one hand to type and another hand to fidget with something.

A more high tech method would be to use a modulated wifi reflector that is randomly modulated.

One should also watch out for wifi hotspots with ominously pointed directional antenna

danielhooper9y ago

The defence is definitely to not use public wifi. This technology works because they can identify small target windows (e.g. you just accessed a URL to login to your bank account) in which to make and process these measurements. Any kind of abnormal obfuscation of your device should introduce enough noise to prevent this attack from generating any meaningful data from the victim, but I'm running on assumption.

zrm9y ago

Couldn't this work against any wifi? Impersonating a public access point gives you some extra unencrypted information so you know the server IP and can more easily infer when a password is being entered, the same things you conceal by using a VPN over public wifi.

But what stops a passive wifi observer who can guess those things or already knows them?

droopybuns9y ago

I think this is pretty hand-wavey and requires a lot assumptions to be true.

Also: "We collected training and testing data from 10 volunteers." Not a statistically useful sample set.

Under very controlled environments, measuring signal deltas may be possible- but I would like to see sample data that suggests high success rates before I think this is worthy of concern.

Finally- Self tuning antennas are a thing. This is going to get harder over time. https://www.qualcomm.com/videos/qualcomm-rf360-dynamic-anten...

zkms9y ago

The easiest defence is to temporarily kill all the radios (wifi, bluetooth, LTE) while someone is entering a password.

frandroid9y ago

Or scramble the numeric keypad on every try, but that would get annoying fast.

birdman31319y ago

Anybody who plays Runescape will recognize this. They have a pin you can set to gain access to your in game bank. It has a fair few security features to combat keyloggers which were (and still can be) a major issue.

Some security features I can recall.

Random layout of the numbers on both the button itself and which button has which number. This is shuffled on every click.

Upon clicking all numbers and the mouse pointer vanish. This prevents screenshots taken on clicks by some keyloggers from working.

No keyboard input. Annoying but needed to combat keyloggers.

http://vignette2.wikia.nocookie.net/2007scape/images/c/c3/Ba...

pmontra9y ago

My bank did that with a JavaScript number pad. They went back to a standard password field with the new design of the site a couple of years ago. That made me feel less safe because I understood why the were complicating the input.

Another strategy I've seen is to ask some random digits of a longer PIN, with a mask to fill out.

1 more reply

adevine9y ago

I've seen some secure financial sites that already do that.

ultrasandwich9y ago

Convenient option on Cyanogenmod. Been using it for about 2 years and it's surprisingly easy to get used-to.

sundvor9y ago

Touch typing? Should present significantly different to one finger key hunting.

Fingerprints and never using public WiFi would both be good strategies. (I use my fingerprint to log into my banking app when on mobile.)

Piskvorrr9y ago

Touch typing on a flat, featureless surface? Best of luck with that. I tried, and tended to drift off-center within a few tens of keystrokes. The F and J nubs on physical keyboard are there for Good Reasons - but even without, feeling where exactly you are striking the key (center or corner) gives you feedback to reposition. Touchscreen gives you nothing.

1 more reply

djrogers9y ago

> Have your phone manage the passwords and unlock via fingerprint?

Yes, that would defeat this particular attack.

mratzloff9y ago

Never use public wifi. I don't.

cortesoft9y ago

That is a large cost to pay.

2 more replies

josu9y ago

As far as I understood, this attack vector has nothing to do with using public wifi.

1 more reply

calebm9y ago

If you want to be really secure, just never use the internet.

user6599y ago

This paper is available through Google scholar if you search for "CCS 16 password WiFi" or click here: https://www.a51.nl/sites/default/files/pdf/p1068-li.pdf

I've been a part of a similar paper that detected exact keystrokes. This one seems to build on a similar idea. The thing to keep in mind is that these systems need user and environment specific training. That is if the user is changed or the user or something in the environment moves, the system needs to retrain.

kardos9y ago

Direct link to PDF without the (infuriating) popups/overlays: http://delivery.acm.org/10.1145/2980000/2978397/p1068-li.pdf

coldpie9y ago

NoScript prevented any popups/overlays from appearing for me.

orliesaurus9y ago

popped by the comments just to find something like this (but the link doesnt work)! thanks anyway!

technologywon9y ago

Here is the ACM link: http://dl.acm.org/citation.cfm?id=2978397

andai9y ago

See also: detecting and motion tracking people behind walls, with the ability to recognise specific people ( also using wifi ).

http://www.theverge.com/2015/10/28/9625636/rf-capture-mit-wi...

Of particular interest: It can determine breathing patterns and heart rate.

danbruc9y ago

Or the 2013 discussion of Wi-Fi signals enable gesture recognition throughout entire home here on Hacker News with links to other related ideas in the comments.

[1] https://news.ycombinator.com/item?id=5824286

danielhooper9y ago

Some weeks back I read a post here about detecting people in rooms by measuring how the physical body interferes with the wifi signals. I wouldn't have imagined someone could extract useful information at this small of a scale. wow!

andai9y ago

This one!

http://www.theverge.com/2015/10/28/9625636/rf-capture-mit-wi...

It can detect people and track their movements behind walls, and tell different people apart.

It can also measure breathing patterns and heart rate.

danielhooper9y ago

I clearly did not read into this enough as it is more impressive than I had remembered. It's quite the eye-opener on how much unique data there is out in the wild...

program_whiz9y ago

Read the section "limitations". Only works on 10 users right now, must be trained for the pattern "per user", phone must be sitting on stable surface, gesture must be performed as close to "the same" every time. This is just clickbait and "please fund our research" IMO.

pslam9y ago

What did you expect — a turn-key solution for sale? They claim no such thing.

This is great research. They've demonstrated that it is in fact possible to obtain a passcode at a distance, at least in contrived conditions. The fact it's possible whatsoever is a significant result. Even without being able to obtain the exact passcode, this would yield the ability to guess a passcode in much better time than just random selection.

program_whiz9y ago

Ok I think my issue with this is that its akin to saying: Given the same users, in the same position, with the same hardware, performing the same gestures, we discovered the signals are consistent enough that a NNet can figure out a pattern. However, if the users, the hardware, the wifi router, the positions, the orientations, the conditions, or the gestures used change, you would need to retrain your NNet for that situation.

After working on a couple of "ambitious" projects that tried to use wifi or bluetooth signals to mine data, it turns out its not super reliable in real-world situations.

Arnt9y ago

Remember: Attacks never get worse, only better. What you've read is the new lower bound of what's possible.

mrbukers9y ago

Throw in the fact that mobile phones adjust their radio power output based on battery and AP signal strength and any signal strength measurements become completely unreliable

adynatos9y ago

LTE and HSDPA (and maybe older gens) have Channel Quality Indicator, which afaik has the same role as CSI. So I wonder if the same trick can be achieved with LTE signalling? To pull that off you would need access to a BTS, but today with open source stacks, like OpenBTS or OpenAirInterface,you could roll out your own.

saycheese9y ago

RELATED: "Keystroke Recognition Using WiFi Signals"

https://www.cse.msu.edu/~alexliu/publications/KamranWiKey/Ka...

freyr9y ago

It looks like they're inferring the right 6-digit password about 20% of the time on their first try, presumably using the Xiaomi phone. But if they can try 20 candidates before getting locked out, they can guess the 6-digit password about 50% of the time.

With the Samsung phone, which has a much lower 1-digit recovery rate, it seems that it would be closer to 6% on the first try, and 20% by the twentieth try.

baby9y ago

I like this Fermat thing but it would be cooler if it could add a date to the papers who, for some reason, do not have a date.

ominous9y ago

Following DOI: http://dx.doi.org/10.1145/2976749.2978397 we find the paper was presented in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria.

Date: 2016-10-24

leejoramo9y ago

Also never enter a password in any location where a hidden video camera could be observing you. Or where a hidden microphone could be listening to your typing. Or where ruffians holding crowbars could be lurking in the next room.

Amorymeltzer9y ago

Moral of this (and every other) story: Never, ever connect to a free, public wifi.

ETA: This was meant to be glib, given the frequency of such stories seen on HN, and the many children below are quite correctly pointing out that the real moral is https://news.ycombinator.com/item?id=13645694

swsieber9y ago

It would seem that that's not the moral of the story: it looks like your device doesn't even have to connect to the wifi. It appears that this is more like using wifi as radar to detect finger movements.

pc869y ago

Real moral of the story: Read the article before commenting.

sounds9y ago

Yes, I think a passive listener in promiscuous mode would work. And more listeners located around the room would be even better, if their signals could be very precisely correlated in time.

In more detail: CSI is available to the _receiver_ of the wifi packet. In other words:

• Your phone can determine CSI for all AP broadcasts. (Useful for indoor positioning)

• The AP can determine CSI for any packet sent to it. Thus your phone would have to be associated. (Or, at least trying to associate.)

• A passive listener in promiscuous mode should still work -- maybe -- though I couldn't say for certain. The CSI value would not be identical to what the AP receives since the listener is in a different physical location and is not synchronized to the AP. The CSI data is In-phase and Quadrature values which can only be interpreted in relation to the clock that is being used to sample the radio signal. But maybe this approach manages to get around clock sync issues somehow.

• If your finger locations change without any wifi packet transmission, there is no way to detect that.

I'd say the best mitigation is to turn off wifi while typing your password. Then turn it on just before hitting "Submit" or "Enter" or whatever.

1 more reply

xenithorb9y ago

So then its probably a pretty good idea to randomize the number keypad for the lock screen, which I do. Does this defeat that, I can't think of a way it does..

2 more replies

rhino3699y ago

I think that wifi devices only send a sounding packet when requested from the AP. You need to know you are capturing a sounding packet to determine CSI (or have it send explicitly by the receiver aka explicit beamforming).

fsckin9y ago

If you're that paranoid, you might want to also keep in mind that it would be far more reliable to shoulder surf via video surveillance. As a bonus, it even works with radios disabled.

j / k navigate · click thread line to collapse

64 comments

sounds9y ago

For those who want more information on CSI (Channel State Information):

http://dhalperi.github.io/linux-80211n-csitool/

This allows you to use a custom firmware developed for the Intel 5300 wireless adapter and read the CSI values with each packet.

With 802.11n this is used to determine the quality of signal likely to be received on each sub-carrier within the signal.

CSI is useful for many other things: RF experiments, indoor position sensing, and now apparently also password cracking.

[2] https://en.wikipedia.org/wiki/Carrier_sense_multiple_access_...

[3] http://pdcc.ntu.edu.sg/wands/Atheros/

gefh9y ago

gene-h9y ago

A more high tech method would be to use a modulated wifi reflector that is randomly modulated.

One should also watch out for wifi hotspots with ominously pointed directional antenna

danielhooper9y ago

zrm9y ago

But what stops a passive wifi observer who can guess those things or already knows them?

droopybuns9y ago

I think this is pretty hand-wavey and requires a lot assumptions to be true.

Also: "We collected training and testing data from 10 volunteers." Not a statistically useful sample set.

Under very controlled environments, measuring signal deltas may be possible- but I would like to see sample data that suggests high success rates before I think this is worthy of concern.

Finally- Self tuning antennas are a thing. This is going to get harder over time. https://www.qualcomm.com/videos/qualcomm-rf360-dynamic-anten...

zkms9y ago

The easiest defence is to temporarily kill all the radios (wifi, bluetooth, LTE) while someone is entering a password.

frandroid9y ago

Or scramble the numeric keypad on every try, but that would get annoying fast.

birdman31319y ago

Some security features I can recall.

Random layout of the numbers on both the button itself and which button has which number. This is shuffled on every click.

Upon clicking all numbers and the mouse pointer vanish. This prevents screenshots taken on clicks by some keyloggers from working.

No keyboard input. Annoying but needed to combat keyloggers.

http://vignette2.wikia.nocookie.net/2007scape/images/c/c3/Ba...

pmontra9y ago

Another strategy I've seen is to ask some random digits of a longer PIN, with a mask to fill out.

1 more reply

adevine9y ago

I've seen some secure financial sites that already do that.

ultrasandwich9y ago

Convenient option on Cyanogenmod. Been using it for about 2 years and it's surprisingly easy to get used-to.

sundvor9y ago

Touch typing? Should present significantly different to one finger key hunting.

Fingerprints and never using public WiFi would both be good strategies. (I use my fingerprint to log into my banking app when on mobile.)

Piskvorrr9y ago

1 more reply

djrogers9y ago

> Have your phone manage the passwords and unlock via fingerprint?

Yes, that would defeat this particular attack.

mratzloff9y ago

Never use public wifi. I don't.

cortesoft9y ago

That is a large cost to pay.

2 more replies

josu9y ago

As far as I understood, this attack vector has nothing to do with using public wifi.

1 more reply

calebm9y ago

If you want to be really secure, just never use the internet.

user6599y ago

This paper is available through Google scholar if you search for "CCS 16 password WiFi" or click here: https://www.a51.nl/sites/default/files/pdf/p1068-li.pdf

kardos9y ago

Direct link to PDF without the (infuriating) popups/overlays: http://delivery.acm.org/10.1145/2980000/2978397/p1068-li.pdf

coldpie9y ago

NoScript prevented any popups/overlays from appearing for me.

orliesaurus9y ago

popped by the comments just to find something like this (but the link doesnt work)! thanks anyway!

technologywon9y ago

Here is the ACM link: http://dl.acm.org/citation.cfm?id=2978397

andai9y ago

See also: detecting and motion tracking people behind walls, with the ability to recognise specific people ( also using wifi ).

http://www.theverge.com/2015/10/28/9625636/rf-capture-mit-wi...

Of particular interest: It can determine breathing patterns and heart rate.

danbruc9y ago

Or the 2013 discussion of Wi-Fi signals enable gesture recognition throughout entire home here on Hacker News with links to other related ideas in the comments.

[1] https://news.ycombinator.com/item?id=5824286

danielhooper9y ago

andai9y ago

This one!

http://www.theverge.com/2015/10/28/9625636/rf-capture-mit-wi...

It can detect people and track their movements behind walls, and tell different people apart.

It can also measure breathing patterns and heart rate.

danielhooper9y ago

I clearly did not read into this enough as it is more impressive than I had remembered. It's quite the eye-opener on how much unique data there is out in the wild...

program_whiz9y ago

pslam9y ago

What did you expect — a turn-key solution for sale? They claim no such thing.

program_whiz9y ago

After working on a couple of "ambitious" projects that tried to use wifi or bluetooth signals to mine data, it turns out its not super reliable in real-world situations.

Arnt9y ago

Remember: Attacks never get worse, only better. What you've read is the new lower bound of what's possible.

mrbukers9y ago

Throw in the fact that mobile phones adjust their radio power output based on battery and AP signal strength and any signal strength measurements become completely unreliable

adynatos9y ago

saycheese9y ago

RELATED: "Keystroke Recognition Using WiFi Signals"

https://www.cse.msu.edu/~alexliu/publications/KamranWiKey/Ka...

freyr9y ago

With the Samsung phone, which has a much lower 1-digit recovery rate, it seems that it would be closer to 6% on the first try, and 20% by the twentieth try.

baby9y ago

I like this Fermat thing but it would be cooler if it could add a date to the papers who, for some reason, do not have a date.

ominous9y ago

Following DOI: http://dx.doi.org/10.1145/2976749.2978397 we find the paper was presented in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria.

Date: 2016-10-24

leejoramo9y ago

Amorymeltzer9y ago

Moral of this (and every other) story: Never, ever connect to a free, public wifi.

swsieber9y ago

pc869y ago

Real moral of the story: Read the article before commenting.

sounds9y ago

Yes, I think a passive listener in promiscuous mode would work. And more listeners located around the room would be even better, if their signals could be very precisely correlated in time.

In more detail: CSI is available to the _receiver_ of the wifi packet. In other words:

• Your phone can determine CSI for all AP broadcasts. (Useful for indoor positioning)

• The AP can determine CSI for any packet sent to it. Thus your phone would have to be associated. (Or, at least trying to associate.)

• If your finger locations change without any wifi packet transmission, there is no way to detect that.

I'd say the best mitigation is to turn off wifi while typing your password. Then turn it on just before hitting "Submit" or "Enter" or whatever.

1 more reply

xenithorb9y ago

So then its probably a pretty good idea to randomize the number keypad for the lock screen, which I do. Does this defeat that, I can't think of a way it does..

2 more replies

rhino3699y ago

fsckin9y ago

If you're that paranoid, you might want to also keep in mind that it would be far more reliable to shoulder surf via video surveillance. As a bonus, it even works with radios disabled.

j / k navigate · click thread line to collapse