Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Wireless Networking Cellphones Security

Smartphone WiFi Signals Can Leak Your Keystrokes, Passwords, and PINs (bleepingcomputer.com) 46

Bleeping Computer warns that "The way users move fingers across a phone's touchscreen alters the WiFi signals transmitted by a mobile phone, causing interruptions that an attacker can intercept, analyze, and reverse engineer to accurately guess what the user has typed...when the attacker controls a rogue WiFi access point." The new WindTalker attack leverages the "channel state information" in WiFi signals. An anonymous reader quotes their article: Because the user's finger moves across the smartphone when he types text, his hand alters CSI properties for the phone's outgoing WiFi signals, which the attacker can collect and log on the rogue access point... By performing basic signal analysis and signal processing, an attacker can separate desired portions of the CSI signal and guess with an average accuracy of 68.3% the characters a user has typed... but it can be improved the more the user types and the more data the attacker collects.
The new attack is described in a research paper titled "When CSI Meets Public WiFi: Inferring Your Mobile Phone Password via WiFi Signals."
This discussion has been archived. No new comments can be posted.

Smartphone WiFi Signals Can Leak Your Keystrokes, Passwords, and PINs

Comments Filter:
  • That should be more secure then. Oh wait...
    • "The way users move fingers across a phone's touchscreen"

      Type with thumbs!

    • by Rob Y. ( 110975 )

      Cyanogenmod (I think?) used to have a very clever fix for this. An option to scramble the positions of the numbers on your lockscreen so that 'finger movement' patterns would be meaningless. That helps with prying eyes watching you enter your pin too.

      But I'm running CM 13 on my phone, and it doesn't seem to have that option anymore.

  • by Anonymous Coward on Sunday November 13, 2016 @10:36AM (#53275811)

    some smartphones (namely the Samsung Galaxy Note 7) can leak passwords through smoke signals.

  • Use a real keyboard or an emulation [github.com] and wifi won't be required. The side channel will be audio, easy to distinguish by an unaided human ear, from the next building.

  • Always has been. Always will be. Privacy should be put up for display in the Smithsonian along side dinosaurs and freedom.

    • Because safes were perfectly secure? Privacy and anonymity are recent cultural developments along with urbanization. Prior to urbanization the entire local government knew you by name, they didn't need any fancy face recognition database. And everybody in town knew your address, your interests, your religion, all of it.

  • when the attacker controls a rogue WiFi access point

    Why? It would seem, the technique can be used with a perfectly passive radio-receiver, which would not be (mis)taken for an access point at all.

    BTW, are you covering your mouth, when you talk outside? Your words can be deciphered from far away by a lip-reading expert [google.com] (or software). Supposedly, only 30-40% of English language can be "read" over the speaker's lips alone [signlanguagenyc.com]. That may be true for human lip-readers, but there is software, that claims 93.4% success rate [telegraph.co.uk]. The attack described in TFA has only 68% accuracy... For now...

  • by Forthan Red ( 820542 ) on Sunday November 13, 2016 @10:55AM (#53275883)
    Just one more "research paper" with results that no one else will be able to reproduce. Of no value, except for providing material for "Wait, Wait, Don't Tell Me".
    • by GTRacer ( 234395 )
      This is one of those times I really wished I had mod points - Insightful, and supportive of a great show to boot!
  • Way too much trouble. If someone invests that much time and effort to get lil ole me's passwords, they've earned them.
  • punched Holerith cards .... although someone will probably find a way to work out what they contain by looking at the chads ...

  • JFC (Score:4, Informative)

    by Etcetera ( 14711 ) on Sunday November 13, 2016 @11:39AM (#53276053) Homepage

    People should assume that nothing is secure at this point. If you have an advanced device, someone will be able to spy on you.

    Starting to wonder if the smartphone (advanced operating system, application ecosystem, sensors out the wazoo) are basically a net loss for society, even before you get to the actual cultural effects of mass, constant, information/internet use.

    • We don't have to give up on privacy or security. In fact, that advanced device in our pocket could greatly improve our privacy and security, which could protect or replace the items we already carry in your wallet or purse.

      The demand for smartphone features allows companies to design products which actively violate security and privacy because there is no alternative to obtain those features. Perhaps there is no perfectly secure device, but the smartphone is intentionally designed to NOT achieve it.

      • by Etcetera ( 14711 )

        In fact, that advanced device in our pocket could greatly improve our privacy and security

        How could it "greatly improve privacy and security" over, say, life in 1998? -- with the sole exception of a better voice call GSM/CDMA encryption algorithm.

  • CSI? (Score:5, Informative)

    by wonkey_monkey ( 2592601 ) on Sunday November 13, 2016 @12:40PM (#53276331) Homepage

    CSI is Channel State Information, in case you were wondering, since the editors don't do their jobs.

    • by Anonymous Coward

      I offer you a deep heart felt, "Thank you."

    • CSI is Channel State Information, in case you were wondering, since the editors don't do their jobs.

      That's what CSI stands for? No wonder i could never get into that TV show.

  • Might be a reasonable solution?
  • I use Siri to duct tape my massages.

  • We need a concept of AI-Proof Security, one that even the best AI or signals analysis algorithms cannot crack except via brute force. For one this means adding a lot of random noise to thwart the signals, or otherwise to use equal signals. The point is that there shouldn't be exploitable patterns in the signals, and if they do exist, future AI will seek them out. How can we do this? Using AI, of course.
  • ANY electronic communication device has variations in it's internal electronic / emission-producing process of generating an output, which are device-specific - - - but still decode-able with the proper software / tools / information.
    If you generate a data stream, the hardware produces variations which are emitted by the electronic circuits, and those variations can be intercepted and decoded with sufficient information about the generating equipment. This electronic 'leakage' cannot be dealt with unless y

  • in a telephone.
  • I can see it as theoretically possible, but exploiting it seems damn near impossible. If it's actually doable, I'm blown right the hell away.

The more they over-think the plumbing the easier it is to stop up the drain.

Working...