Inferring Your Mobile Phone Password via WiFi Signals(fermatslibrary.com) |
http://dhalperi.github.io/linux-80211n-csitool/
This allows you to use a custom firmware developed for the Intel 5300 wireless adapter and read the CSI values with each packet.
Every 802.11n implementation that I am aware of keeps a CSI vector (IQ values, typically as integers) within the wifi chip. Both the Wifi AP and STA do this. The CSI vector is updated with every packet, using the training data at the beginning of the packet. (802.11 is CSMA [2] so there is a fixed transmission to start the packet)
In other words, Intel has this nice tool for one of their (now somewhat dated) chips. But CSI is not restricted to Intel chips. Atheros chips have a decent but limited CSI readback method, not quite as nice as Intel's [3]. But CSI has been used for experiments on all major wifi chips out there.
With 802.11n this is used to determine the quality of signal likely to be received on each sub-carrier within the signal.
CSI is useful for many other things: RF experiments, indoor position sensing, and now apparently also password cracking.
[2] https://en.wikipedia.org/wiki/Carrier_sense_multiple_access_...
A more high tech method would be to use a modulated wifi reflector that is randomly modulated.
One should also watch out for wifi hotspots with ominously pointed directional antenna.
But what stops a passive wifi observer who can guess those things or already knows them?
Also: "We collected training and testing data from 10 volunteers." Not a statistically useful sample set.
Under very controlled environments, measuring signal deltas may be possible, but I would like to see sample data that suggests high success rates before I think this is worthy of concern.
Finally, self-tuning antennas are a thing. This is going to get harder over time. https://www.qualcomm.com/videos/qualcomm-rf360-dynamic-anten...
Some security features I can recall.
Random layout of the numbers on both the button itself and which button has which number. This is shuffled on every click.
Upon clicking all numbers and the mouse pointer vanish. This prevents screenshots taken on clicks by some keyloggers from working.
No keyboard input. Annoying but needed to combat keyloggers.
http://vignette2.wikia.nocookie.net/2007scape/images/c/c3/Ba...
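The shuffled-keypad mitigation described above, modelled as an added example that is not part of the original thread. It assumes a ten-key pad that is reshuffled after every click, and contrasts what a finger-position observer sees on a static pad versus a shuffled one:

```python
import random
import secrets
from typing import List, Optional, Sequence, Tuple

DIGITS = "0123456789"


def new_layout(rng: random.Random) -> List[str]:
    """Assign the ten digits to the ten key positions in a fresh random order."""
    layout = list(DIGITS)
    rng.shuffle(layout)
    return layout


def enter_pin(pin: str, rng: Optional[random.Random] = None) -> Tuple[List[int], List[List[str]]]:
    """Simulate typing `pin` on a keypad that is reshuffled after every click.

    Returns the key *positions* touched (what a finger-tracking observer could
    recover) and the per-click layouts (known only to the side that drew the pad).
    Uses a CSPRNG by default so the shuffle itself is not predictable."""
    rng = rng or secrets.SystemRandom()
    positions, layouts = [], []
    for digit in pin:
        layout = new_layout(rng)            # assumption: reshuffle on every click
        positions.append(layout.index(digit))
        layouts.append(layout)
    return positions, layouts


def server_decode(positions: Sequence[int], layouts: Sequence[Sequence[str]]) -> str:
    """Recover the PIN from the positions plus the layouts the server issued."""
    return "".join(layouts[i][p] for i, p in enumerate(positions))


def static_keypad_positions(pin: str) -> List[int]:
    """Fixed layout for comparison: position == digit, so positions leak the PIN."""
    return [DIGITS.index(d) for d in pin]


def positions_vary(pin: str, trials: int = 20) -> bool:
    """True if entering the same PIN repeatedly yields differing position traces,
    i.e. the trace alone carries no stable information about the digits."""
    traces = {tuple(enter_pin(pin)[0]) for _ in range(trials)}
    return len(traces) > 1
```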
Another strategy I've seen is to ask some random digits of a longer PIN, with a mask to fill out.
Fingerprints and never using public WiFi would both be good strategies. (I use my fingerprint to log into my banking app when on mobile.)
Yes, that would defeat this particular attack.
I've been a part of a similar paper that detected exact keystrokes. This one seems to build on a similar idea. The thing to keep in mind is that these systems need user- and environment-specific training. That is, if the user is changed or the user or something in the environment moves, the system needs to retrain.
http://www.theverge.com/2015/10/28/9625636/rf-capture-mit-wi...
Of particular interest: It can determine breathing patterns and heart rate.
http://www.theverge.com/2015/10/28/9625636/rf-capture-mit-wi...
It can detect people and track their movements behind walls, and tell different people apart.
It can also measure breathing patterns and heart rate.
This is great research. They've demonstrated that it is in fact possible to obtain a passcode at a distance, at least in contrived conditions. The fact it's possible whatsoever is a significant result. Even without being able to obtain the exact passcode, this would yield the ability to guess a passcode in much better time than just random selection.
After working on a couple of "ambitious" projects that tried to use wifi or bluetooth signals to mine data, it turns out it's not super reliable in real-world situations.
https://www.cse.msu.edu/~alexliu/publications/KamranWiKey/Ka...
With the Samsung phone, which has a much lower 1-digit recovery rate, it seems that it would be closer to 6% on the first try, and 20% by the twentieth try.
Date: 2016-10-24
ETA: This was meant to be glib, given the frequency of such stories seen on HN, and the many children below are quite correctly pointing out that the real moral is https://news.ycombinator.com/item?id=13645694
In more detail: CSI is available to the _receiver_ of the wifi packet. In other words:
• Your phone can determine CSI for all AP broadcasts. (Useful for indoor positioning)
• The AP can determine CSI for any packet sent to it. Thus your phone would have to be associated. (Or, at least trying to associate.)
• A passive listener in promiscuous mode should still work -- maybe -- though I couldn't say for certain. The CSI value would not be identical to what the AP receives since the listener is in a different physical location and is not synchronized to the AP. The CSI data is In-phase and Quadrature values which can only be interpreted in relation to the clock that is being used to sample the radio signal. But maybe this approach manages to get around clock sync issues somehow.
• If your finger locations change without any wifi packet transmission, there is no way to detect that.
I'd say the best mitigation is to turn off wifi while typing your password. Then turn it on just before hitting "Submit" or "Enter" or whatever.
Without this information, it is difficult to determine if the user is inputting a password. In addition, if we know the user is using the Bank of America app, and we know that the app uses a specific key layout, it becomes a lot easier to figure out what keys they are pressing.
There is no reason that the other technique they discussed, which does not require the target to connect to a specific wifi hotspot, could not be improved though.
Probably not a bad idea...
Also, what safety does a VPN add if you are already using https?
Last year after a trip in Germany, my older iPhone had a random password saved in Safari settings. On top of that, every time I tried to delete the password, it would reappear when I went back (iCloud sync was off, etc.). I don't remember browsing anything out of the ordinary, but did connect to a bunch of public wifi spots. Here's to hoping it was just a really persistent ad-tracking method.
Slower too maybe, but we're long past the point it really matters, except for latency sensitive applications. 50+ Mbps is just plenty for most applications.
The only real need for wifi is to save some battery power and maybe to get better latency and jitter for VoIP and interactive applications.
AFAIK, US and UK are still pretty bad. I guess they have to limit bandwidth and data volume to be able to, ahem, listen to their customer.
In which countries is that true? Certainly not any that I visit.
I generally don't browse on my phone, so if I'm opening up Safari on a public network, it's to a known site or bookmark to quickly reference something (e.g. transit map, exchange rate). It's totally possible an ad on the NYT or Bloomberg has some malicious Javascript, but currently I'm naively assuming otherwise.
Also, I think many people on their phones will connect to a public hotspot just to check Facebook / Instagram / Snapchat these days and not much else.