
When CSI Meets Public WiFi: Inferring Your Mobile Phone Password via WiFi Signals Warren Yeu When CSI Meets Public Wifi.


1 When CSI Meets Public WiFi: Inferring Your Mobile Phone Password via WiFi Signals
Warren Yeu When CSI Meets Public Wifi

2 Introduction
Smartphones can be used for privacy-sensitive transactions
Mobile devices connected to a dynamic network environment are vulnerable to direct and indirect eavesdropping attacks
Direct eavesdropping attacks - Observe input of target device from screen and keyboard
Indirect eavesdropping attacks - Infer inputs on target devices

Smartphones are commonly used for performing privacy-sensitive transactions, and mobile devices are often connected to a dynamic network environment where they are vulnerable to direct and indirect eavesdropping attacks. Direct eavesdropping attacks mean directly observing the input of the target device from the screen and keyboard, while indirect eavesdropping attacks, a.k.a. side-channel attacks, infer the inputs on the target devices.

3 Indirect Eavesdropping Attacks
PIN can be inferred from signals in a WiFi architecture
To access side channels, two assumptions are made:
1. External signal collector devices are close to the target device
2. Sensors of target devices are compromised
In this case, neither of the two assumptions is made to access side channels
Instead, a keystroke inference approach is utilised, aiming at achieving high inference accuracy on a series of keystrokes

The PIN and the words entered at the keyboard can be inferred from the signals within a public WiFi architecture. To access the side channels, normally two assumptions are made:
1. The external signal collector devices are close to the target device
2. Sensors of the target devices are compromised to provide side channel information
In this case, neither of the two assumptions above is made to access the side channels. Instead, a keystroke inference approach is performed which aims at achieving high inference accuracy on a series of keystrokes.

4 CSI: Channel State Information
How a signal propagates from transmitter to receiver, e.g. WiFi signals
Hand coverage and finger position on the smartphone cause interference to WiFi signals, leading to CSI changes

The Channel State Information describes how a signal propagates from the transmitter to the receiver. For example, WiFi signals, which measure the frequency over time. The hand coverage and finger position on a smartphone touchscreen cause interference to the WiFi signals, which leads to changes in the CSI.

5 CSI Malicious Usage
CSI measures Channel Frequency Response (CFR)
CFR represents the state of the wireless channel in the signal transmission process
Waveforms can be plotted from CFR
Attackers can infer what the victim typed by analysing waveforms
Impact of hand and finger movement of keystrokes on waveforms is subtle, so a signal analysis method is needed to analyse keystrokes from limited CSI

Using CSI maliciously: CSI measures the Channel Frequency Response, which represents the state of a wireless channel in a signal transmission process. Unique waveforms can be plotted from the CFR, and attackers can infer what the victim is typing by analysing these waveforms. However, the impact of the hand and finger movement of keystrokes on these waveforms is very subtle, so an effective signal analysis method is required to analyse keystrokes from this limited CSI.

6 Description: WindTalker
Keystroke inference framework that allows an adversary to infer sensitive keystrokes on a smartphone using WiFi signals
Can be launched without seeing the smartphone user’s input process or installing any malware on the phone
Keystrokes on mobile devices lead to different hand coverage and finger motions, which introduce unique interference to signals that is reflected by CSI
Analyses WiFi traffic and CSI to identify the sensitive period where password entering occurs
Attackers can exploit the strong correlation between keystrokes and CSI to infer the password

WindTalker is a keystroke inference framework which allows an attacker to infer sensitive keystrokes on a mobile device through WiFi signals. It can be launched without the requirement of visually seeing the smartphone user’s input process or installing any malware on the phone. Keystrokes on mobile devices lead to different hand coverage and finger motions, which introduce a unique interference to the signals that can be reflected by the CSI. WindTalker analyses the WiFi traffic and CSI to identify the sensitive period where password entering occurs, and attackers can exploit the strong correlation between the keystrokes and CSI to infer the victim’s password.

7 WindTalker: In-band Keystroke Inference (IKI) Model
WindTalker does not deploy external devices close to the target device or compromise the target device
Uses a WiFi hotspot
When a user connects a device to the hotspot, the hotspot monitors the pattern of transmitted packets
Periodically sends Internet Control Message Protocol (ICMP) packets to obtain CSI from the target device
Hotspot launches the keystroke inference method to recognise sensitive key inputs

WindTalker utilises the IKI Model, in which it neither deploys external devices close to the target device nor compromises the target device; instead it utilises the public WiFi hotspot. When a user connects their device to the hotspot, the hotspot is able to monitor the pattern of the transmitted packets and periodically send ICMP packets to obtain the CSI information from the target device. The hotspot can then launch the CSI-based keystroke inference method to recognise the sensitive key inputs.
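
A client-side check for the probing pattern described on this slide, as an added example that is not part of the original presentation: it flags any source whose ICMP echo requests arrive at a sustained, evenly spaced rate. The thresholds, the packet tuple format and the sample addresses are assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumed thresholds for illustration; the presentation gives no probe rate.
WINDOW_S = 2.0        # observation window in seconds
MIN_RATE_PPS = 50     # sustained echo requests per second treated as abnormal
MAX_JITTER_CV = 0.2   # max coefficient of variation of inter-arrival gaps

def flag_periodic_icmp(packets, window_s=WINDOW_S,
                       min_rate=MIN_RATE_PPS, max_cv=MAX_JITTER_CV):
    """Return {src: (rate_pps, jitter_cv)} for sources whose ICMP echo
    requests stay fast and evenly spaced across a full window.

    packets: iterable of (timestamp_s, src_ip, icmp_type) tuples, e.g.
    parsed from a capture taken on the client device (format assumed).
    """
    times = defaultdict(list)
    for ts, src, icmp_type in packets:
        if icmp_type == 8:                      # 8 = echo request
            times[src].append(ts)

    flagged = {}
    for src, seq in times.items():
        seq.sort()
        start = 0
        for end in range(len(seq)):
            while seq[end] - seq[start] > window_s:   # keep span <= window
                start += 1
            span, count = seq[end] - seq[start], end - start + 1
            if count < 3 or span < 0.9 * window_s:    # window not yet full
                continue
            gaps = [b - a for a, b in zip(seq[start:end], seq[start + 1:end + 1])]
            rate, cv = (count - 1) / span, pstdev(gaps) / mean(gaps)
            if rate >= min_rate and cv <= max_cv:
                flagged[src] = (round(rate, 1), round(cv, 3))
                break
    return flagged

def sample_capture():
    """Constructed sample: a gateway probing every 5 ms, its echo replies,
    and another host running an ordinary one-per-second ping."""
    probes = [(i * 0.005, "192.0.2.1", 8) for i in range(600)]
    replies = [(i * 0.005 + 0.001, "192.0.2.1", 0) for i in range(600)]
    ping = [(float(i), "192.0.2.50", 8) for i in range(5)]
    return probes + replies + ping

if __name__ == "__main__":
    for src, (rate, cv) in flag_periodic_icmp(sample_capture()).items():
        print(f"{src}: {rate} echo requests/s, jitter CV {cv}")
```

Requiring low jitter as well as a high rate keeps a short burst of ordinary pings from being flagged.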

8 Out-of-band Keystroke Inference (OKI) Model
Attacker makes sure the target device is close to and placed between two WiFi devices:
1. Sender device – continuously emits signals
2. Receiver device – continuously receives signals
Keystrokes are inferred from distortions in the signals

Compared to the IKI model, in the OKI model the attacker ensures that the target device is close to and placed right between two WiFi devices. The first device is the sender device, which continuously emits signals, and the second device is the receiver device, which continuously receives signals. The keystrokes are then inferred from the distortions in these signals.

9 IKI Model Advantages
IKI model does not require sender and receiver devices close to the target
Flexible and practical CSI collection model
OKI model cannot differentiate non-sensitive operations from sensitive operations:
- Clicking screen to open app or web-browsing (Non-sensitive operations)
- Inputting password (Sensitive operation)
IKI model allows the attacker to obtain unencrypted traffic and CSI

The advantages of the IKI Model: compared with the OKI model, the IKI model does not require the placement of both sender and receiver devices close to the target. It is a more flexible and practical CSI collection model. The OKI model fails to differentiate non-sensitive operations from sensitive operations on mobile devices. Examples of non-sensitive operations are clicking the screen to open an app or clicking to browse the web, and an example of a sensitive operation is inputting the password. The IKI model allows the attacker to obtain both unencrypted traffic and the CSI data.

10 WindTalker Design
WindTalker consists of modules:
Sensitive Input Window Recognition Module – Distinguishes sensitive inputs from non-sensitive inputs
ICMP Based CSI Acquirement Module – Collects user’s CSI during access to WiFi hotspot
Data Preprocessing Module – Preprocesses CSI to remove noise and reduce unused data
Keystroke Extraction Module – Determines start and end point of keystroke waveform
Keystroke Inference Module – Compares waveforms and determines keystroke

The WindTalker design consists of the following five modules. The first is the Sensitive Input Window Recognition Module, which distinguishes the sensitive inputs from the non-sensitive inputs. The second is the ICMP Based CSI Acquirement Module, which collects the user’s CSI data during their access to the WiFi hotspot. The third is the Data Preprocessing Module, which preprocesses the CSI data to remove noise and to reduce unused data. The fourth is the Keystroke Extraction Module, which enables WindTalker to automatically determine the start and the end point of the keystroke waveforms. The final module is the Keystroke Inference Module, which compares the different keystroke waveforms and determines the corresponding keystroke.

11 System Setup
Laptop Computer
Serves as WiFi hotspot, 75cm away from participants
10 volunteers recruited to join the evaluation
Volunteers participate in data training phase and testing phase by inputting numbers
Data training phase: Records each input and its CSI
Testing phase: Infers input based on CSI

WindTalker is built with off-the-shelf hardware, which is just an ordinary commercial laptop computer. It serves as the WiFi hotspot, which is 75cm away from the participants. 10 volunteers were recruited to join the evaluation by performing touch-screen operations. The volunteers participate in the data training phase and the testing phase by inputting numbers according to the system hints. In the data training phase, WindTalker records each input and its corresponding CSI data, and in the testing phase, WindTalker infers the input data based on the observed CSI information.

12 System Evaluation
Classification accuracy and password inference accuracy
Each volunteer has 10 loop samples
A loop is the CSI waveform for key number from 0 to 9 by pressing the corresponding digit
Classification accuracy is the accuracy of the system’s ability to recognise each key number pressed

In the system evaluation, the classification accuracy and the password inference accuracy are tested. Each volunteer has 10 loop samples, where a loop is defined as the CSI waveform for key number from 0 to 9 by pressing the corresponding digit. The classification accuracy is the average accuracy of WindTalker’s ability to recognise each key number pressed by all 10 participants.

13 System Evaluation
Password inference accuracy is the accuracy at which the system is able to recognise the password pressed
Each volunteer has 3 loop samples per number for training
Each volunteer presses 10 randomly generated passwords
Password inference accuracy increases when the number of digits increases
Reason: The more digits, the more time for keystroke inference module and frequency analysis to infer password pressed
The more training, the more accurate the system

The password inference accuracy is the accuracy at which WindTalker is able to recognise the password pressed. To test the password inference accuracy, each volunteer has 3 loop samples per number for training, and each of them presses 10 randomly generated passwords. The results show that as the number of digits in the password increases, the password inference accuracy also increases. This is because the more digits in the password, the more time available for the keystroke inference module and the frequency analysis to infer the password pressed. The results also show that the more training that is done, the more accurate the system will be.

14 Criticism
System only works when the victim touches the screen with a fixed gesture
User may shake phone while typing, which interferes with CSI
Different people have different finger movements and hand coverage
Phone needs to be in a stable environment
Does not work with iOS phones

In my opinion, there are some criticisms that I have noticed in WindTalker. WindTalker can only work in the situation where the victim can only touch the screen with a relatively fixed gesture. In reality, the user may hold and shake the phone or perform some other random actions while typing, which interferes with the CSI data. Different people also have different finger movements and hand coverage. In order for WindTalker to work, the phone also needs to be placed in a relatively stable environment, for example a table. Another thing I noticed is that WindTalker does not work on iOS smartphones due to the limitations of the hardware.

15 Criticism
Keystrokes on phone are not always sensitive
Requires training for better accuracy
WiFi hotspot needs to be close to victim
Requires info. on target service
Can only be used for phones, not laptops, etc.
No mention of how the system deals with interference from other WiFi signals in the area

More criticisms I have noticed are that keystrokes on a mobile device are not always highly sensitive. Training is also required for better system accuracy, which means more time is needed. The WiFi hotspot still needs to be relatively close to the victim, and the system requires information on the target service, for example Alipay, Facebook and BNZ. It can only be used for smartphones and not laptops or any other non-mobile devices. And there is no mention of how the system deals with interference from other WiFi signals in the area.

16 Improvements
Allow system to work with iOS phones and laptops, etc.
Allow system to work with keyboards
Improve range of WiFi hotspot
Reduce interference from external environment
This limitation can be partially addressed by profiling the victim ahead or by performing a targeted attack
WindTalker in conjunction with other side-channel attacks may improve password inference accuracy

These are some improvements that I have thought of. Allow the system to work with iOS smartphones, laptops and other non-mobile devices by using hardware that supports a wider range of devices, and also allow the system to work with physical keyboards. The range of the WiFi hotspot can be improved as well, as 75cm is still too close for it to be implemented in public places. We can also reduce the interference from the external environment, for example the weather and unexpected hand and body movements. This limitation can be partially addressed by profiling the victim ahead to be familiar with their hand gestures or by performing a targeted attack. And finally, a possible way to improve the password inference accuracy is to utilise WindTalker in conjunction with other side-channel attacks.

17 Thank You

