Using Free WiFi? Better Watch Your Passwords

Researchers from universities in China and Singapore revealed a security gap that lets malicious snoops steal your password through keystroke identification, in what they call “WiKI-Eve”, or “the first WiFi-based hack-free keystroke eavesdropping system.”

This type of cyberattack is possible thanks to a feature in wireless communications called beamforming feedback information, or BFI. This feature permits devices to more accurately transmit feedback about their location and send signals specifically toward the relevant routers instead of sending them in all directions.

Unfortunately, the weakness is that BFI is transmitted in cleartext, so an eavesdropper needs no physical hacking and no cracking of an encryption key. Unlike older side-channel attacks, WiKI-Eve does not require planting rogue programs that trick a user into logging on to an illegitimate site, or even setting up additional links to sense a target user’s keystrokes.

The researchers said WiKI-Eve “achieves 88.9% inference accuracy for individual keystrokes and up to 65.8% top-10 accuracy for stealing passwords of mobile applications.”

According to Tech Xplore, keystroke inference is the determination of which key is being pressed based on BFI data. As a user glides over keys on a keypad, the variations in wireless signals between the device and the base station can be tracked and identified with the help of a deep-learning model.

The research team ran tests with numerical passwords and demonstrated WiKI-Eve by successfully lifting WeChat Pay passwords from a subject in a nearby conference room.

The study assumed users were on an unprotected network, likely in public spaces such as coffee shops, airports, train stations and other gathering places offering free WiFi.

When it comes to defending oneself against WiKI-Eve, the researchers recommended: “Since WiKI-Eve achieves keystroke eavesdropping by overhearing Wi-Fi BFI, the most direct defense strategy is to encrypt data traffic, hence preventing attackers from obtaining BFI in cleartext.”

The study “Password-Stealing without Hacking: Wi-Fi Enabled Practical Keystroke Eavesdropping” was presented on the preprint server arXiv.