Slashdot Mirror


Smartphone WiFi Signals Can Leak Your Keystrokes, Passwords, and PINs (bleepingcomputer.com)

Bleeping Computer warns that "The way users move fingers across a phone's touchscreen alters the WiFi signals transmitted by a mobile phone, causing interruptions that an attacker can intercept, analyze, and reverse engineer to accurately guess what the user has typed...when the attacker controls a rogue WiFi access point." The new WindTalker attack leverages the "channel state information" in WiFi signals. An anonymous reader quotes their article:

Because the user's finger moves across the smartphone when he types text, his hand alters CSI properties for the phone's outgoing WiFi signals, which the attacker can collect and log on the rogue access point... By performing basic signal analysis and signal processing, an attacker can separate desired portions of the CSI signal and guess with an average accuracy of 68.3% the characters a user has typed... but it can be improved the more the user types and the more data the attacker collects.

The new attack is described in a research paper titled "When CSI Meets Public WiFi: Inferring Your Mobile Phone Password via WiFi Signals."

46 comments

  1. In that case I'll use a bluetooth keyboard instead by JoeyRox · · Score: 1

    That should be more secure then. Oh wait...

  2. Not only WiFi by Anonymous Coward · · Score: 5, Funny

    some smartphones (namely the Samsung Galaxy Note 7) can leak passwords through smoke signals.

    1. Re:Not only WiFi by Anonymous Coward · · Score: 0

      And to think, those silly Indians used to use fires. Fires made with logs!
      How far we've come. Keep it up humans, proud of you.

    2. Re: Not only WiFi by Anonymous Coward · · Score: 0

      Yep, now those Indians are building casinos so they can afford booze

  3. Model M by KiloByte · · Score: 1

    Use a real keyboard or an emulation and wifi won't be required. The side channel will be audio, easy to distinguish by an unaided human ear, from the next building.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.

  4. The Whole System Is Insecure by zenlessyank · · Score: 1

    Always has been. Always will be. Privacy should be put up for display in the Smithsonian alongside dinosaurs and freedom.

    1. Re: The Whole System Is Insecure by im_thatoneguy · · Score: 1

      Because safes were perfectly secure? Privacy and anonymity are recent cultural developments along with urbanization. Prior to urbanization the entire local government knew you by name, they didn't need any fancy face recognition database. And everybody in town knew your address, your interests, your religion, all of it.

  5. Why does attacker need to control an access point? by mi · · Score: 5, Interesting

    when the attacker controls a rogue WiFi access point

    Why? It would seem, the technique can be used with a perfectly passive radio-receiver, which would not be (mis)taken for an access point at all.

    BTW, are you covering your mouth, when you talk outside? Your words can be deciphered from far away by a lip-reading expert (or software). Supposedly, only 30-40% of English language can be "read" over the speaker's lips alone. That may be true for human lip-readers, but there is software, that claims 93.4% success rate. The attack described in TFA has only 68% accuracy... For now...

    --
    In Soviet Washington the swamp drains you.

  6. Re:In that case I'll use a bluetooth keyboard inst by Anonymous Coward · · Score: 0

    It would actually be fairly secure, if the Bluetooth implementation isn't done by idiots.

  7. Really? by Forthan+Red · · Score: 2

    Just one more "research paper" with results that no one else will be able to reproduce. Of no value, except for providing material for "Wait, Wait, Don't Tell Me".

    1. Re:Really? by GTRacer · · Score: 1

      This is one of those times I really wished I had mod points - Insightful, and supportive of a great show to boot!

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!

  8. Use Swipe or Swiftkey by Anonymous Coward · · Score: 0

    Does it still work if I don't take my finger off the screen when I type?

  9. password sealant by Anonymous Coward · · Score: 0

    Walking around and scanning people manually is the riskiest form of hacking. Unlike being online it requires your presence. I wouldn't worry too much unless you are a target of intelligence organizations that would be capable of pulling off such operations indefinitely. Even then the universal radio sealant can be deployed: tin foil. Darned inconvenient though, kinda kills the point of having a phone.

  10. That sounds like... by sugapablo · · Score: 1

    Way too much trouble. If someone invests that much time and effort to get lil ole me's passwords, they've earned them.

    1. Re:That sounds like... by AK+Marc · · Score: 1

      Yup. At most, it'll be used for billion dollar corporate espionage, or a little government spying, but unless you are CEO of Toyota, or head of a government, you have nothing to worry about.

    2. Re:That sounds like... by cdrudge · · Score: 1

      It's really just a $5 investment...

  11. Re:In that case I'll use a bluetooth keyboard inst by infolation · · Score: 1

    "The way users move fingers across a phone's touchscreen"

    Type with thumbs!

  12. I'm going back to using by Alain+Williams · · Score: 1

    punched Hollerith cards .... although someone will probably find a way to work out what they contain by looking at the chads ...

  13. Re:In that case I'll use a bluetooth keyboard inst by Rob+Y. · · Score: 1

    Cyanogenmod (I think?) used to have a very clever fix for this. An option to scramble the positions of the numbers on your lockscreen so that 'finger movement' patterns would be meaningless. That helps with prying eyes watching you enter your pin too.

    But I'm running CM 13 on my phone, and it doesn't seem to have that option anymore.

    --
    Posted from my Android phone. Oh, I can change this? There, that's better...

  14. Go cheap by Anonymous Coward · · Score: 0

    Go cheap, buy a phone that has an IEEE 802.11 WLAN chip that hasn't paid for the "WiFi" seal of approval.
    Should be secure, according to TFS, right?

  15. Re:In that case I'll use a bluetooth keyboard inst by flyingfsck · · Score: 0

    This is only an issue because people are holding it wrong.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!

  16. 60GHz with beam-forming/phased array antennas by Anonymous Coward · · Score: 0

    When 60 GHz comes, a couple of 60GHz APs with modded firmware should be good enough to do a millimeter-wave full body scan, like in airports.

  17. JFC by Etcetera · · Score: 3, Informative

    People should assume that nothing is secure at this point. If you have an advanced device, someone will be able to spy on you.

    Starting to wonder if the smartphone (advanced operating system, application ecosystem, sensors out the wazoo) is basically a net loss for society, even before you get to the actual cultural effects of mass, constant, information/internet use.

    1. Re:JFC by peawormsworth · · Score: 1

      We don't have to give up on privacy or security. In fact, that advanced device in our pocket could greatly improve our privacy and security, which could protect or replace the items we already carry in our wallet or purse.

      The demand for smartphone features allows companies to design products which actively violate security and privacy because there is no alternative to obtain those features. Perhaps there is no perfectly secure device, but the smartphone is intentionally designed to NOT achieve it.

    2. Re:JFC by Etcetera · · Score: 1

      In fact, that advanced device in our pocket could greatly improve our privacy and security

      How could it "greatly improve privacy and security" over, say, life in 1998? -- with the sole exception of a better voice call GSM/CDMA encryption algorithm.

  18. Re:Why does attacker need to control an access poi by fustakrakich · · Score: 1

    So, it's pretty easy to wreck a nice beach these days, huh?

    --
    “He’s not deformed, he’s just drunk!”

  19. Pad scrambling by Anonymous Coward · · Score: 0

    It was probably not designed with this in mind, but some keypads allow you to scramble the characters on the screen each time. This would obviously make it impossible to use while you're not looking at it (e.g. going down the road, where you shouldn't be using it anyways).
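
The pad scrambling mentioned in comments 13 and 19, modelled as an added example that is not part of the original thread or of any phone's lock-screen code: an observer who can infer only which pad slot was touched recovers the PIN on a conventional layout but not on a per-entry shuffled one. The ten-slot pad, the sample PINs and all function names are assumptions made for illustration.

```python
import secrets

_rng = secrets.SystemRandom()        # CSPRNG-backed shuffle source
FIXED = list("1234567890")           # constructed: conventional pad, slot i -> digit

def fixed_layout():
    return list(FIXED)

def scrambled_layout():
    """Fresh uniformly random digit permutation for every unlock attempt."""
    pad = list(FIXED)
    _rng.shuffle(pad)
    return pad

def touch_positions(pin, layout):
    """What a position-inferring side channel sees: pad slots, not digits."""
    return [layout.index(d) for d in pin]

def observer_guess(positions, assumed_layout):
    """Map observed slots back to digits using the layout the observer assumes."""
    return "".join(assumed_layout[p] for p in positions)

def recovery_rate(pin, make_layout, trials=2000):
    """Fraction of entries where assuming the conventional pad recovers the PIN."""
    hits = 0
    for _ in range(trials):
        seen = touch_positions(pin, make_layout())
        hits += observer_guess(seen, FIXED) == pin
    return hits / trials

def repeat_pattern(positions):
    """Which touches hit the same slot; this survives scrambling."""
    first_seen = {}
    return [first_seen.setdefault(p, len(first_seen)) for p in positions]

if __name__ == "__main__":
    pin = "4821"  # constructed sample PIN
    print("fixed pad    :", recovery_rate(pin, fixed_layout))
    print("scrambled pad:", recovery_rate(pin, scrambled_layout))
    # Residual leak: repeated digits still show up as repeated slots.
    print("pattern 1221 :", repeat_pattern(touch_positions("1221", scrambled_layout())))
```

Scrambling hides which digit each touch means, but a PIN with repeated digits still reveals its repetition pattern, so distinct digits get the most out of this mitigation.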

  20. CSI? by wonkey_monkey · · Score: 4, Informative

    CSI is Channel State Information, in case you were wondering, since the editors don't do their jobs.

    --
    systemd is Roko's Basilisk.

    1. Re:CSI? by Anonymous Coward · · Score: 1

      I offer you a deep heart felt, "Thank you."

    2. Re:CSI? by jittles · · Score: 1

      CSI is Channel State Information, in case you were wondering, since the editors don't do their jobs.

      That's what CSI stands for? No wonder I could never get into that TV show.

  21. Re:In that case I'll use a bluetooth keyboard inst by Anonymous Coward · · Score: 0

    I am running latest Cyanogenmod on HTC m9. Has had the option to scramble Pin layout as far as I can remember.

  22. Password managers like Lastpass by rebtun · · Score: 1

    Might be a reasonable solution?

  23. Re:In that case I'll use a bluetooth keyboard inst by Anonymous Coward · · Score: 0

    Same, but on an Amazon Firephone.

  24. Re:In that case I'll use a bluetooth keyboard inst by Anonymous Coward · · Score: 0

    It's cute that you think security holes and weaknesses in modern protocols are there due to incompetence rather than design...

  25. Re:Why does attacker need to control an access poi by Anonymous Coward · · Score: 0

    when the attacker controls a rogue WiFi access point

    Why? It would seem, the technique can be used with a perfectly passive radio-receiver, which would not be (mis)taken for an access point at all.

    Why do people ask questions that are answered in the article?

    Of course, if you can come up with a variant of this attack that can be used completely passively, please publish a paper on it, then submit the story to Slashdot.

  26. Re:Gay anal sex by Anonymous Coward · · Score: 0

    President Barry Soetoro loves it in the bath houses.

  27. No pro blame by 93+Escort+Wagon · · Score: 1

    I use Siri to duct tape my massages.

    --
    #DeleteChrome

  28. Yes, I think by bigbang137 · · Score: 1

    Yes. I don't recall the last time I actually manually typed a password on my smartphone. It's almost always copy-pasted.

  29. AI-Proof Security by bigbang137 · · Score: 1

    We need a concept of AI-Proof Security, one that even the best AI or signals analysis algorithms cannot crack except via brute force. For one this means adding a lot of random noise to thwart the signals, or otherwise to use equal signals. The point is that there shouldn't be exploitable patterns in the signals, and if they do exist, future AI will seek them out. How can we do this? Using AI, of course.

  30. Re: In that case I'll use a bluetooth keyboard ins by Anonymous Coward · · Score: 0

    In related news, infrared cameras etc. can track your finger movements, making it possible to learn the password.

  31. Smartphone WiFi Signals Can Leak . . . by rickyslashdot · · Score: 1

    ANY electronic communication device has variations in its internal electronic / emission-producing process of generating an output, which are device-specific - - - but still decode-able with the proper software / tools / information.
    If you generate a data stream, the hardware produces variations which are emitted by the electronic circuits, and those variations can be intercepted and decoded with sufficient information about the generating equipment. This electronic 'leakage' cannot be dealt with unless you barricade your 'source' devices behind a Faraday cage and good encryption.
    ANYTHING electronic used for communications inherently has variations in its internal electronic emission patterns in the process of producing the transmitted data, otherwise the data-stream would just be 'null-data'. If you expose the generating electronics to the world-at-large, then expect your source-electronics' variations to be intercepted, decoded, and read by any agency with sufficient knowledge of your communication device and its electronic characteristics.
    On the same (more or less) issue, anybody using a COM device in the open (WiFi, Cell phone, Texting, - even copper-link telephones), should expect the information to be intercept-able ( and intercepted under the wide spanning sweep of our snooping intelligence agencies).

    Remember, if your source is protected (emission shielded), then your best friend is ENCRYPTION - - - and even if it is breakable, it still serves a purpose - - - it makes the 'snoops' spend time and resources to decode your "pizza order sent to your brother for Friday night's poker game" - - - rofl

    --
    redneck geek

  32. Re:In that case I'll use a bluetooth keyboard inst by Anonymous Coward · · Score: 0

    I've actually worked with Bluetooth in the past. It isn't hard to do MITM protected pairing with BT 2.1 SSP and passkey entry.

    It also would be difficult to eavesdrop on the connection normally, if neither side is using Debug mode for some reason (which would use preset keys).

    I'm not saying there aren't any weaknesses in the standard, but AFAIK Bluetooth 2.1 and up are fairly decent.

  33. Just a TEMPEST... by srussia · · Score: 1

    in a telephone.

    --
    Set your phasers on "funky"!

  34. I'm astonished. That's possible?? by sabbede · · Score: 1

    I can see it as theoretically possible, but exploiting it seems damn near impossible. If it's actually doable, I'm blown right the hell away.

  35. Re:Why does attacker need to control an access poi by Anonymous Coward · · Score: 0

    I wonder how it handles tools such as swiftkey that will autocomplete/autocorrect various words you are using frequently.
    Such features are not that uncommon, really. I would expect that the attempt to deduce the message assumes that it is using a default keyboard layout, too.