When CSI Meets Public WiFi: Inferring Your Mobile Phone Password via WiFi Signals Adekemi Adedokun May 2, 2017

Introduction Smartphones have become means of performing personal transaction Banking, social, health, automation and control and other personal transactions A lot of personal information are generated Increased the attack surface Open wireless communication Eavesdropping Vulnerable to unintended access

Eavesdropping Intercepting communications between two parties who are unaware that the attacker is present.  Example: Keylogging (keyboard eavesdropping) Keystroke inferencing Direct eavesdropping Directly observing the input on target device from screen and keyboard Indirect eavesdropping (side-channel attacks) Use of channel attacks to infer inputs on target’s device Acoustic signal, WiFi signal, EM signal, or through status of motion sensor External signal collector device or compromising the targeted device

WiFi-based Keystroke Inference Models WiFi devices continuously monitor the variations of the communication channel to obtain Channel State Information (CSI) Out-of-band keystroke inference (OKI) model In-band keystroke inference (IKI) model Tx Rx Keystrokes are inferred from multipath distortions in the signals COTS WiFi device Target device COTS WiFi device (Attacker) Rx CSI-based key inference method is launched to recognise sensitive inputs Tx Tx COTS WiFi device (Attacker) Target device

Why CSI-based inference method? CSI reflects interference (changes) of several multipath signal This is because of multiple antennas on commodity Wi-Fi devices There is an intuition that touching gestures generate a unique pattern in the time-series of CSI value while typing a certain key This unique patterns is referred to as CSI waveform CSI waveform can be used to determine when the sensitive input starts Touching gestures Oblique touch (When different keys are pressed) Vertical touch (continuously pressing same key)

WindTalker Framework Created a fake hot spot Victim device connects to this hotspot The attacker eavesdrop the WiFi traffic to identify sensitive windows The CSI is selectively analysed in order to obtain keystroke information

Framework Modules Sensitive Window Recognition Module Wireshark is used to capture all packets information Metadata of the traffic is used to recognise sensitive input window It builds on sensitive IP pool for interested applications or services ICMP Based CSI Acquirement module Acquiring CSI by enforcing ICMP Reply Uses ICMP to collect CSI It sends high frequency ICMP echo to the victim’s smartphone The smartphone replies at the same frequency Packets are sent at 800 packets per seconds Reducing Noise This is noise is caused by the interference of finger and body movement A unidirectional is used to decrease the effect of the interference

Framework Modules Data processing module Keystroke inference module Low pass filtering This is used to reduce high frequency noise Butterworth low-pass filter Dimension reduction Principal Component Analysis (PCA) is used to reduce the dimension of the data It identifies the strongest representation components influenced by the victim’s hand and body movement It removes uncorrelated noisy components Keystroke inference module Keystroke extraction using burst detection algorithm to determine the start and end time Keystroke recognition Dynamic Time wrapping (DTW) Keystroke classification using Discrete Wavelet Transform (DWT) Classifier training – recognize keystroke based on their keystroke waveform shapes DTW is a method that calculates an optimal match between two given sequences (e.g. time series) with certain restrictions Calculates the distance between two time series of keystroke waveforms with different length. It compares waveform of different keystrokes DWT is used for signal processing and it captures both frequency and location information (location in time). It compress the length of the waveform by extracting approximate sequence

Result Ten users enters 10 randomly generated 6-digit passwords using 3 loops as training data set A loop sample refers CSI waveform for key number from 0- 9 The higher the number of keys the inference rate A total of 200 sets of password which includes 1200keys. 852 were recovered Password inference Result Phone 1-digit 2-digit 3-digit SamSung 63% 83% 89% XiaoMi 79% 88% 95% Recovery rate

Summary The aim is to measure the impact of hand and finger’s movement on WiFi signals leveraging correlation of CSI and the hand motion to recognize PIN. WindTalker uses In-band keystroke inference (IKI) model for obtaining CSI It is assumed that an attacker can only control a WiFi access point. They infer the PIN input on smartphones and also analyse network based on the CSI to determine when the sensitive input starts. This is done by removing high frequency noises, and Use of Principal Component Analysis (PCA) to reduce the dimension of the data Dependency on particular hardware cards.

Issues The framework is impracticable in reality victim’s phone needs to be in a stable environment it works with only fixed /controlled gestures Requires very close distance to the victim It requires user-specific training Retrain dataset for the same victim with different distance Dependency on particular hardware cards

Possible improvements Improving CSI collection Using powerful antennae and WiFi device

Thank you for your time and attention!