A new attack called “WiKI-Eve” can intercept cleartext transmissions from smartphones connected to modern WiFi routers, infer individual numeric keystrokes with up to 90% accuracy, and steal numeric passwords.
WiKI-Eve utilizes Beamforming Feedback Information (BFI), a feature introduced in WiFi 5 (802.11ac) in 2013. BFI lets a device send feedback about its position to the router so that the router can steer its signal toward the device more precisely.
The problem with BFI is that this exchange is carried in plain text. The data can therefore be captured and used without any hardware hacking or cracking of encryption keys.
The weakness was discovered by a team of university researchers from China and Singapore, who tested what secrets could be extracted from these exchanges.
The researchers found that they could identify numeric keystrokes 90% of the time, crack six-digit numeric passwords with 85% accuracy, and crack more complex app passwords with about 66% accuracy.
This attack only works for numeric passwords, but NordPass research showed that 16 of the top 20 passwords use only numeric characters.
The WiKI-Eve attack
The WiKI-Eve attack intercepts WiFi signals while a password is being entered, which makes it a real-time attack: it must be carried out while the target is actively using the smartphone and logging in to a particular application.
Some preparation is required, because the attacker must first identify the target by an identifier on the network, such as a MAC address.
“In practice, Eve can obtain this information in advance by performing visual and traffic monitoring simultaneously. By correlating user behavior with network traffic originating from various MAC addresses, Eve can link Bob’s physical device to the digital traffic, thereby allowing us to determine Bob’s MAC address,” the researchers explain.
In the main phase of the attack, the attacker uses a traffic monitoring tool such as Wireshark to capture the victim’s BFI time series while entering the password.
Every time the user presses a key, the touch perturbs the WiFi antenna located behind the screen and produces a distinguishable change in the WiFi signal.
“Although these only consider part of the downlink CSI on the AP side, the fact that on-screen inputs directly impact the Wi-Fi antenna directly behind the screen (see Figure 1) allows the BFI to contain sufficient information about the AP side keystrokes,” the paper says.
However, the paper notes that the boundaries between individual keystrokes can be blurred in the recorded BFI series, so the researchers developed an algorithm to segment the series and recover the usable data.
To filter out factors that interfere with the results, such as typing style, typing speed, and adjacent keystrokes, the researchers use a machine-learning model called a “1-D convolutional neural network.”
The system is trained to recognize keystrokes consistently regardless of typing style through a “domain adaptation” scheme consisting of a feature extractor, a keystroke classifier, and a domain discriminator.
Finally, they apply a “gradient reversal layer” (GRL) to suppress domain-specific features, so that the model learns keystroke representations that hold across domains.
Attack results
The researchers ran WiKI-Eve from a laptop with Wireshark, but pointed out that a smartphone could also serve as the attack device, although it might support fewer WiFi protocols.
The captured data were analyzed using Matlab and Python, with the segmentation parameters set to the values the paper indicates for best results.
Twenty participants connected to the same WiFi access point but used different phone models. They entered different passwords with various background apps active and at different typing speeds, and measurements were taken from six different locations.
Experimental results show that WiKI-Eve’s keystroke classification accuracy holds steady at 88.9% when the sparse recovery algorithm and domain adaptation are used.
For 6-digit numeric passwords, WiKI-Eve was able to guess the password with an 85% success rate in less than 100 attempts, and remained consistently above 75% in all test environments.
However, the distance between the attacker and the access point is important for this performance. Increasing that distance from 1 meter to 10 meters reduced guess success by 23%.
The researchers also ran an experiment emulating a realistic attack scenario, retrieving WeChat Pay user passwords, and found that WiKI-Eve guessed the password correctly 65.8% of the time.
In more than 50% of the 50 tests conducted, the model ranked the correct password within its top five guesses. This means an attacker has a 50% chance of gaining access before hitting the app’s security threshold of 5 incorrect password attempts, beyond which the app locks.
In conclusion, the paper shows that an attacker can infer secrets without compromising the access point, simply by using network traffic monitoring tools and machine-learning frameworks.
Defending against this will require hardening WiFi access points and smartphone apps, with measures including keyboard randomization, data traffic encryption, signal obfuscation, CSI scrambling, and WiFi channel scrambling.
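The keyboard randomization countermeasure above works because a positional side channel (the tap perturbing the antenna behind a fixed spot on the screen) only reveals where the user tapped, not which digit that spot carried. The following added example, which is not code from the paper or the article, models this with a numeric PIN pad whose ten slots are shuffled per session. The function names, the `FIXED_LAYOUT` phone-keypad order and the six-digit sample PINs are assumptions made for the illustration.

```python
"""Randomized numeric keypad as a mitigation for positional keystroke side channels.

Added example, not from the WiKI-Eve paper. An observer of the side channel is
modelled as learning only the *slot index* of every tap; the app, which knows
the layout it drew for the session, maps slots back to digits.
"""
import secrets
from math import perm

DIGITS = "0123456789"
# Conventional phone keypad order (assumed): slot i always holds this digit
# when nothing is randomized, so slot indices reveal the digits directly.
FIXED_LAYOUT = tuple("1234567890")


def random_layout(rng=None):
    """Draw a fresh permutation of the ten digits (slot index -> digit) from a CSPRNG."""
    rng = rng or secrets.SystemRandom()
    layout = list(DIGITS)
    rng.shuffle(layout)
    return tuple(layout)


def taps_for_pin(pin, layout):
    """Slots the user must tap to enter `pin` on `layout`: what a positional channel observes."""
    slot_of = {digit: slot for slot, digit in enumerate(layout)}
    return tuple(slot_of[d] for d in pin)


def pin_from_taps(taps, layout):
    """App side: recover the digits from the tapped slots using the session's own layout."""
    return "".join(layout[slot] for slot in taps)


def candidate_pins(taps):
    """Number of PINs consistent with an observed tap sequence when the layout is unknown.

    Only the repeat pattern leaks: k distinct slots can be assigned digits in
    10 * 9 * ... * (10 - k + 1) ways, so six distinct slots leave 151200 candidates.
    """
    k = len(set(taps))
    return perm(10, k)


def observed_patterns(pin, sessions, randomize, rng=None):
    """Count distinct tap sequences an observer sees across `sessions` entries of one PIN."""
    seen = set()
    for _ in range(sessions):
        layout = random_layout(rng) if randomize else FIXED_LAYOUT
        seen.add(taps_for_pin(pin, layout))
    return len(seen)


if __name__ == "__main__":
    pin = "907358"  # constructed sample PIN
    layout = random_layout()
    taps = taps_for_pin(pin, layout)
    assert pin_from_taps(taps, layout) == pin  # the app still decodes correctly
    print("fixed layout, 20 sessions, distinct patterns:",
          observed_patterns(pin, 20, randomize=False))
    print("random layout, 20 sessions, distinct patterns:",
          observed_patterns(pin, 20, randomize=True))
    print("PINs consistent with the observed slots:", candidate_pins(taps))
```

With the fixed layout every entry of the same PIN produces the identical slot sequence, so a classifier that learns slot positions learns the PIN. With a per-session shuffle the same PIN yields a different slot sequence almost every time, and an observer who sees six distinct slots is left choosing among 151200 digit assignments, which is why randomization is listed alongside traffic encryption and signal obfuscation as a mitigation.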