
Ways Your Wi-Fi Router Can Spy on You - secfirstmd
http://www.theatlantic.com/technology/archive/2016/08/wi-fi-surveillance/497132/?utm_source=feed&utm_source=twitterfeed&utm_medium=twitter&single_page=true
======
ddt_Osprey
Jesus, I wasn't even going to read this article, but holy shit, am I glad I
did.

    
    
      Using more precise sensors, the same MIT 
      researchers went on to develop systems that 
      can distinguish between different people 
      standing behind walls, and remotely
      monitor breathing and heart rates with 99 
      percent accuracy.
    
      A system called “WiKey” presented at a 
      conference last year could tell what keys 
      a user was pressing on a keyboard by 
      monitoring minute finger movements. 
    
      And a group of researchers led by a Berkeley 
      Ph.D. student presented technology at a 2014 
      conference that could “hear” what people were 
      saying by analyzing the distortions and 
      reflections in wi-fi signals created by their 
      moving mouths. 
    

Man, I was about to blow this off as yet another MAC address sob story. I
totally was not anticipating doppler effects and radar-style reflection/signal
strength analysis.

------
bgentry
_A system called “WiKey” presented at a conference last year could tell what
keys a user was pressing on a keyboard by monitoring minute finger movements.
Once trained, WiKey could recognize a sentence as it was typed with 93.5
percent accuracy—all using nothing but a commercially available router and
some custom code created by the researchers._

Ok that's pretty cool. But incredibly concerning.

The actual abstract of that paper mentions much higher figures for individual
keys:

 _WiKey achieves more than 97.5% detection rate for detecting the keystroke
and 96.4% recognition accuracy for classifying single keys. In real-world
experiments, WiKey can recognize keystrokes in a continuously typed sentence
with an accuracy of 93.5%._

[http://dl.acm.org/citation.cfm?id=2790109](http://dl.acm.org/citation.cfm?id=2790109)

~~~
blacksmith_tb
I wonder if it makes any assumptions about layout and keyboard shape (for
example, it might not know that I was using Dvorak, or that I had an ergo
keyboard where my fingers were in atypical places).

~~~
4ndr3vv
_"Once trained..."_

It needs to know what keyboard/layout and also the person.

I'd guess that the position of the keyboard in the room needs to stay constant
too.

~~~
gleenn
Doesn't mean they couldn't get enough data to do it in general.

------
xg15
A rare example of a misleading title that is actually too underwhelming: No,
they are not talking about spying on your internet traffic but using the
router to observe your real-world movements...

------
cannonpr
There are a lot of interesting things you can do with wifi signals, human
bodies show up with a lot of accuracy in them. Such as breathing rate
detection, and heart rate.

[https://staticfloat.github.io/papers/WiBreathe_PerCom2015.pd...](https://staticfloat.github.io/papers/WiBreathe_PerCom2015.pdf)

~~~
rcthompson
Wait, so in a building full of wifi signals, you could theoretically detect a
body with no heartbeat or breathing and alert someone automatically?

~~~
homero
Possibly, better get a startup going

~~~
EGreg
Seriously, you can do this

~~~
cannonpr
A more interesting question is who might be already doing this, and could you
write a passive receiver for this to utilise ambient signals versus on purpose
emitted ones. Considering its utility in several scenarios, I can see why
some money might be invested in developing this capacity without
commercialising it.

------
eximius
I wonder how accurately you can determine the location of individuals across a
house?

I remember WiSee
([http://wisee.cs.washington.edu/](http://wisee.cs.washington.edu/)) a while
back and ever since then I thought it would make for a fantastic home security
system. You plot out your perimeter and when armed it goes off whenever a
person crosses the threshold.

With some of the improvements from this system, it could even be possible to
have it always armed but exclude certain people from tripping the alarm.

I wish I had the knowledge and experience to implement such a system
(radio-wise).

------
StillBored
Hello radar... Is it any surprise that MMIO technology, designed to work
around problems caused by different signal return paths can make a really nice
3d radar?

Google for "SDR passive radar" for some really cool projects.

------
krick
This is pretty frightening all by itself, but I'm thinking: if this is
possible with a router, shouldn't a simple smartphone be capable of the same,
since it can be used as hot-spot, and covers even more signal ranges? A device
owned by everyone, everywhere, generally less secure and more carelessly used,
with loads of proprietary software pretty much always installed? Does it mean
the whole city can be almost realistically observable by someone, even when no
video camera is there?

~~~
kevindqc
Reminds me of the system in Batman to find the Joker. It was using cell phones
and mapping the whole city I think?

~~~
aneidon
I think that was using the phone's microphones, not antennae. Same idea
though.

------
nickysielicki
People who are capable of writing side-channel attacks like this have an
intuition for radio and signal processing that must be completely overwhelming
during their day-to-day life.

~~~
wolfgke
> People who are capable of writing side-channel attacks like this have an
> intuition for radio and signal processing that must be completely
> overwhelming during their day-to-day life.

I might not be such a wizard :-( but still I know some things about how some
everyday objects such as computers/laptops (hidden features), mobile phones,
WiFi etc. can be used for surveillance. Even in a country such as Germany that
has seen two surveillance states in the 20th century and is thus a lot more
concerned about surveillance than, say, the US (as I observe it) I'm talking
about this topic till I am blue in the face.

So in other words: I don't believe you would consider such a person to be
overwhelming, but instead you would consider him as flat-out annoying and
paranoid.

~~~
gruturo
I don't think he implied that the _people_ with this knowledge must be
overwhelming. I think he means these people's intuition, and knowledge, about
radio/signal processing, must be overwhelming (to _them_ first and foremost)
during their day to day life.

As in, everywhere you go, you realize how much information a knowledgeable
evil actor could extract by simply analyzing what's being irradiated.

~~~
Jordrok
I'm imagining something like the brother in Better Call Saul, where it's
painful for him to be in the presence of cell phones or fluorescent lights,
etc.

[https://en.wikipedia.org/wiki/Electromagnetic_hypersensitivi...](https://en.wikipedia.org/wiki/Electromagnetic_hypersensitivity)

------
pmlnr
Many years ago I've seen this topic, and it suddenly vanished for a decade.

Now it's here again, and I'm even more frightened.

~~~
RankingMember
Analyzing just the sound of a keyboard being typed on can yield the typed
content as well:

[https://www.schneier.com/blog/archives/2005/09/snooping_on_t...](https://www.schneier.com/blog/archives/2005/09/snooping_on_tex.html)

~~~
et-al
Ha, this is amazing. Reminds me of movies using seemingly far-fetched premises
at their time.

Sneakers - in the beginning when they're spying on Dr. Janek, the team can't
see the entire password he types, but Whistler hears the missing keystroke.

And related to the original post, The Dark Knight has Batman using sonar from
everyone's mobile phones to detect where the Joker's henchmen were and here we
are with wifi routers (and potentially other 2.4 GHz devices).

~~~
ianferrel
That's not what happens in Sneakers.

They're all trying to figure out what the password is from the video, and
Whistler is paying attention to what they're saying, which is that he has an
answering service. And if he has an answering service, then the answering
machine on his desk is hiding something in plain sight.

~~~
et-al
Ah you're right. Wasn't there a scene where the keyboard was obstructed and
Whistler says "it's ___ key"? Maybe when they spy on Werner Brandes.

I'll have to re-watch this sometime soon.

[And if anyone reading hasn't watched Sneakers (1992), you _must_.]

~~~
ianferrel
Sneakers is one of my favorite movies.

I don't believe that the scene you're thinking of happens. Whistler is pretty
impressive, but even he can't hear the difference between keystrokes.

The other cool things that Whistler does are figure out where Martin was taken
by the sounds that Martin remembers, and figure out what the various rooms in
the building are via telescopic microphone ("Emergency exit stairwell." "How
can you tell" "I can hear the emergency exit light batteries recharging") :D

~~~
et-al
All of you folks were right.

I skimmed over the movie late last night and realised I completely
misremembered the two scenes mentioned, and exaggerated Whistler's hearing
abilities.

------
sanbor
I was thinking of a way to avoid typing passwords on your keyboard. So I just
wrote this proof of concept of password input by hovering over the
letters that you want to enter as password. Every time the page loads and
every 2 seconds the dial changes position and rotation so two passwords never
should have the same mouse movements.
[http://codepen.io/anon/pen/yJdXoK](http://codepen.io/anon/pen/yJdXoK)

~~~
snowwrestler
Here's one way to avoid typing passwords: use a password manager to generate
and store them. Generating a new password is just a click of the mouse, and
using the password requires only the copy/paste key stroke combo, or less.

Using 2-factor authentication also helps. Even if the bad guys know the code,
it's only good for 60ish seconds. This provides a time dependency, similar to
your dial idea.

~~~
sanbor
That sounds like a good idea. You could use a private key to unlock your
password manager.

But the problem of using both 2FA and a private key is that they both rely on
something that only you have.

If someone figures out how to steal your phone/hard drive, then they also have
their way to all your accounts.

This dial tries to get back to the idea of "something that only you know".

Finally, you could also use a private key with a password, and you would
reduce the attack surface even more. But again, the dial is a way to make it
harder to hear your secret when you're entering it in the computer.

Anyway, this dial is a PITA to enter long passwords, which is not good. Long
passwords are very important.

------
redblacktree
Is there anything on github that I can use with DD-WRT to play with any of
these effects? Maybe visualize the people my router can see?

~~~
gene-h
This may not be exactly what you are looking for, but check out the Linux
802.11n CSI Tool. A lot of this work is done with the channel state
information (CSI) which tells you how a signal propagates from transmitter to
receiver and vice versa. Unfortunately, it's hard to get access to this sort
of information and there are only drivers for one chipset.

[0]
[http://dhalperi.github.io/linux-80211n-csitool/](http://dhalperi.github.io/linux-80211n-csitool/)

~~~
redblacktree
Thanks! Looks like I may have to buy some hardware too.

~~~
JonnieCache
openWRT is a better platform for things like this today than DD-WRT.

------
nyqstna
So this concerns Wi-Fi, but why wouldn't it work with other terrestrial
broadcasts?

~~~
rrobukef
Frequency: WiFi has a high attenuation because it's easily absorbed by water.
There is a lot of water inside humans. It also has a short range, so there is
a lot less noise.

------
shostack
So if I have say, a Comcast could they theoretically use this to snoop and
uniquely identify the people using that router, as well as determine if
someone were watching TV when a given commercial ran? I can picture their
audience measurement team drooling over this.

------
redbeard0x0a
Does anybody know if they are talking about 2.4Ghz or 5Ghz wifi spectrum? I
would imagine that the 2.4Ghz spectrum would be the easiest to use for
detection since it penetrates walls, etc. better.

~~~
et-al
The paper mentioned in the article [0] and cannonpr's WiBreathe paper both
mention 2.4GHz. I would think 5GHz would provide more detail (at the cost of
range), but admittedly this isn't my forte at all.

[0] [http://arxiv.org/abs/1608.03430](http://arxiv.org/abs/1608.03430)

------
libeclipse
I feel this technique could have some substantial military applications.

~~~
roywiggins
Wall-penetrating radar is already a thing:

[https://www.youtube.com/watch?v=w4eret12KN0](https://www.youtube.com/watch?v=w4eret12KN0)

Probably a lot more accurate than (ab)using wifi routers for the purpose, but
the benefit of WiFi is that other people have already conveniently installed
the hardware inside their homes.

------
jtnews
I remember reading an article back when wifi was new about a company using
some of the same wireless technology for wall penetrating radar for
military/law enforcement applications. I don't remember if one was borrowing
from the other or if it was developed in parallel. I guess this is the next
evolution when you can do both with one box.

Does this mean I need to shred my tinfoil hat and blow it around the room as
chaff?

------
Cieplak
This is a great business opportunity for Wi-Fi-cancelling devices. No doubt
we'll see increased use of wired-only and line-of-sight networks.

Edit: s/WIFI/Wi-Fi/

~~~
akerro
Like paint

[http://www.informationweek.com/startup-markets-wireless-secu...](http://www.informationweek.com/startup-markets-wireless-security-paint/d/d-id/1029300)?

[http://news.bbc.co.uk/1/hi/technology/8279549.stm](http://news.bbc.co.uk/1/hi/technology/8279549.stm)

[http://shop.wireless-protection.org/blocpaint-wall-floor-and...](http://shop.wireless-protection.org/blocpaint-wall-floor-and-ceiling-shielding-191-p.asp)

------
EGreg
I remember when I was researching motion detection systems a few years ago for
controlling software by natural movements, I found various technologies
including the Myo and infrared tracking. And then I saw this:

[http://news.mit.edu/2013/new-system-allows-for-high-accuracy...](http://news.mit.edu/2013/new-system-allows-for-high-accuracy-through-wall-3-d-motion-tracking-1211)

------
dsq
It sounds possible to detect what a voter chooses even within a voting booth.
Just knowing this was possible could be a serious threat to one of the last
bastions of democracy, namely voter privacy. If I think that my vote is
detectable by the powers that be, I might as well be in North Korea.

------
wfunction
Does anyone know how they measure Wi-Fi signal strength to such an accuracy?
Like, from a practical standpoint, I have no idea how to make my Wi-Fi card
tell me signal strength with such a high accuracy in any OS. Do they have
special Wi-Fi cards? (No, I haven't had the time to read the article yet
unfortunately, but hope to soon.)

------
guelo
I don't get it. A much more accurate sensor for detecting human movement is a
camera.

~~~
yannyu
Last I checked, most cameras can't see through walls.

"Something in the way? No problem. A pair of MIT researchers wrote in 2013
that they could use a router to detect the number of humans in a room and
identify some basic arm gestures, even through a wall. They could tell how
many people were in a room from behind a solid wooden door, a 6-inch hollow
wall supported by steel beams, or an 8-inch concrete wall—and detect messages
drawn in the air from a distance of five meters (but still in another room)
with 100 percent accuracy.

(Using more precise sensors, the same MIT researchers went on to develop
systems that can distinguish between different people standing behind walls,
and remotely monitor breathing and heart rates with 99 percent accuracy."

~~~
guelo
If you look at that paper you'll see they use some custom machine on the other
side of the wall to send and sense the wifi signals. And all they get is
relative movement away or towards the machine. I'm sure an infrared camera
would be much more accurate. Doesn't seem practical at all.

------
joshkpeterson
I'm a media artist who wants to do an implementation of this DSP algorithm for
a piece of installation art. Get in touch with me on twitter @joshypants if
you're an engineer who's interested in collaborating on the implementation.

------
cagey_vet
if one is a lone 'researcher' good luck weaponizing this.

------
Vexs
Chainfire of SuperSU/android fame has an app that does something to combat
this called pry-fi[1] that randomizes a bunch of data, and can appear to be
many devices at once. Requires root of course.

[https://play.google.com/store/apps/details?id=eu.chainfire.p...](https://play.google.com/store/apps/details?id=eu.chainfire.pryfi&hl=en)

~~~
drdaeman
Which, I believe, is completely irrelevant to the problem described in the
article. What they do is observe the electromagnetic spectrum, using WiFi
routers as signal sources. They don't really care what sort of data routers
are transmitting, they need the transmitter active at the moment you press the
key.

(It may even make it somewhat worse, as the router's transmitter is less
likely to idle. Although I'm not sure if it matters.)

