
Inferring Your Mobile Phone Password via WiFi Signals - pogba101
http://fermatslibrary.com/s/when-csi-meets-public-wifi-inferring-your-mobile-phone-password-via-wifi-signals
======
sounds
For those who want more information on CSI (Channel State Information):

[http://dhalperi.github.io/linux-80211n-csitool/](http://dhalperi.github.io/linux-80211n-csitool/)

This allows you to use a custom firmware developed for the Intel 5300 wireless
adapter and read the CSI values with each packet.

Every 802.11n implementation that I am aware of keeps a CSI vector (IQ values,
typically as integers) within the wifi chip. Both the Wifi AP and STA do this.
The CSI vector is updated with every packet, using the training data at the
beginning of the packet. (802.11 is CSMA [2] so there is a fixed transmission
to start the packet)

In other words, Intel has this nice tool for one of their (now somewhat dated)
chips. But CSI is not restricted to Intel chips. Atheros chips have a decent
but limited CSI readback method, not quite as nice as Intel's [3]. But CSI has
been used for experiments on all major wifi chips out there.

With 802.11n this is used to determine the quality of signal likely to be
received on each sub-carrier within the signal.

CSI is useful for many other things: RF experiments, indoor position sensing,
and now apparently also password cracking.

[2]
[https://en.wikipedia.org/wiki/Carrier_sense_multiple_access_...](https://en.wikipedia.org/wiki/Carrier_sense_multiple_access_with_collision_avoidance)

[3]
[http://pdcc.ntu.edu.sg/wands/Atheros/](http://pdcc.ntu.edu.sg/wands/Atheros/)
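The comment above describes what CSI is: a per-subcarrier channel estimate that the chip refreshes from the known training field at the start of every frame, and that later work reuses as a kind of radar. The following is an added toy example (not code from the paper, the csitool or any chip firmware) of that estimation step and of how a time series of CSI amplitudes exposes movement in the channel. Everything in it is constructed: the training symbol is a seeded +/-1 pattern standing in for the standard's fixed long-training sequence, the channel is a two-path model, the subcarrier count of 52 is assumed for the toy, and "finger movement" is modelled as a slowly drifting phase on the reflected path.

```python
"""Toy OFDM channel-state-information (CSI) estimation and a motion score.

Added example; not code from the paper, the linux-80211n-csitool or any
wifi chip. All inputs are constructed (see comments). Pure Python.
"""
import cmath
import math
import random
from statistics import mean, pstdev

N_SC = 52  # assumed: data subcarriers of a 20 MHz 802.11n symbol (toy value)

random.seed(1)
# Known training symbol, one BPSK value per subcarrier. Constructed with a
# seeded RNG; a real long-training field is a fixed sequence from the standard.
TRAINING = [random.choice((1.0, -1.0)) for _ in range(N_SC)]


def two_path_channel(direct, reflected, delay_samples):
    """Frequency response H[k] of a line-of-sight path plus one delayed echo."""
    return [direct + reflected * cmath.exp(-2j * math.pi * k * delay_samples / N_SC)
            for k in range(N_SC)]


def transmit(h, noise_std, rng):
    """Received training symbol Y[k] = H[k] * X[k] + n[k] (complex Gaussian noise)."""
    return [h[k] * TRAINING[k] + complex(rng.gauss(0, noise_std), rng.gauss(0, noise_std))
            for k in range(N_SC)]


def estimate_csi(y):
    """Least-squares CSI from the known training symbol: H_hat[k] = Y[k] / X[k].

    Because |X[k]| == 1 this equals Y[k] * conj(X[k]). This per-packet vector
    is what the chip keeps and what a CSI readout tool exports."""
    return [y[k] / TRAINING[k] for k in range(N_SC)]


def per_subcarrier_snr_db(h_hat, noise_std):
    """Signal quality per subcarrier, the quantity rate selection wants."""
    noise_power = 2 * noise_std ** 2  # variance of I plus variance of Q
    return [10 * math.log10(abs(h) ** 2 / noise_power) for h in h_hat]


def csi_series(n_packets, reflected_drift, noise_std=0.05, seed=2):
    """CSI estimates from n_packets consecutive frames.

    reflected_drift is the phase change of the echo path per packet:
    0 for a static scene, >0 when something (a hand) moves in that path."""
    rng = random.Random(seed)
    series = []
    for i in range(n_packets):
        refl = 0.5 * cmath.exp(1j * reflected_drift * i)
        h = two_path_channel(1.0, refl, delay_samples=3)
        series.append(estimate_csi(transmit(h, noise_std, rng)))
    return series


def motion_score(series):
    """Mean over subcarriers of the std-dev of CSI amplitude across packets.

    A static environment scores near the noise floor; motion in the channel
    makes the per-subcarrier amplitudes swing between the two-path extremes."""
    return mean(pstdev([abs(pkt[k]) for pkt in series]) for k in range(N_SC))


if __name__ == "__main__":
    static = csi_series(40, reflected_drift=0.0)
    moving = csi_series(40, reflected_drift=0.3)
    print("static score %.3f, moving score %.3f" % (motion_score(static), motion_score(moving)))
```

The receiver never needs the transmitter to address it: any frame whose training field it can hear updates the estimate, which is why the device under observation does not have to be associated with the attacker's network.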

------
gefh
Holy shit. From a brief scan it looks like the paper concentrates on
recovering a numeric pin, but these attacks never get worse, only better, so I
assume full keyboard access is not too far off. What's the defense? Have your
phone manage the passwords and unlock via fingerprint?

~~~
frandroid
Or scramble the numeric keypad on every try, but that would get annoying fast.

~~~
pmontra
My bank did that with a JavaScript number pad. They went back to a standard
password field with the new design of the site a couple of years ago. That
made me feel less safe because I understood why they were complicating the
input.

Another strategy I've seen is to ask some random digits of a longer PIN, with
a mask to fill out.

~~~
dTal
Some banks (e.g. Barclays) use a card reader that generates a unique key each
time. Since this also requires that you have your card to log in, it's my
understanding that this offers massively improved security.

------
user659
This paper is available through Google scholar if you search for "CCS 16
password WiFi" or click here:
[https://www.a51.nl/sites/default/files/pdf/p1068-li.pdf](https://www.a51.nl/sites/default/files/pdf/p1068-li.pdf)

I've been a part of a similar paper that detected exact keystrokes. This one
seems to build on a similar idea. The thing to keep in mind is that these
systems need user and environment specific training. That is, if the user is
changed or the user or something in the environment moves, the system needs to
retrain.

------
kardos
Direct link to PDF without the (infuriating) popups/overlays:
[http://delivery.acm.org/10.1145/2980000/2978397/p1068-li.pdf](http://delivery.acm.org/10.1145/2980000/2978397/p1068-li.pdf)

~~~
orliesaurus
popped by the comments just to find something like this (but the link doesn't
work)! thanks anyway!

~~~
technologywon
Here is the ACM link:
[http://dl.acm.org/citation.cfm?id=2978397](http://dl.acm.org/citation.cfm?id=2978397)

------
andai
See also: detecting and motion tracking people behind walls, with the ability
to recognise specific people (also using wifi).

[http://www.theverge.com/2015/10/28/9625636/rf-capture-mit-wi...](http://www.theverge.com/2015/10/28/9625636/rf-capture-mit-wifi-tracking-surveillance-technology)

Of particular interest: It can determine breathing patterns and heart rate.

~~~
danbruc
Or the 2013 discussion of _Wi-Fi signals enable gesture recognition throughout
entire home_ here on Hacker News with links to other related ideas in the
comments.

[1]
[https://news.ycombinator.com/item?id=5824286](https://news.ycombinator.com/item?id=5824286)

------
danielhooper
Some weeks back I read a post here about detecting people in rooms by
measuring how the physical body interferes with the wifi signals. I wouldn't
have imagined someone could extract useful information at this small of a
scale. wow!

~~~
andai
This one!

[http://www.theverge.com/2015/10/28/9625636/rf-capture-mit-wi...](http://www.theverge.com/2015/10/28/9625636/rf-capture-mit-wifi-tracking-surveillance-technology)

It can detect people and track their movements _behind walls_, and tell
different people apart.

It can also measure breathing patterns and heart rate.

~~~
danielhooper
I clearly did not read into this enough as it is more impressive than I had
remembered. It's quite the eye-opener on how much unique data there is out in
the wild...

------
program_whiz
Read the section "limitations". Only works on 10 users right now, must be
trained for the pattern "per user", phone must be sitting on stable surface,
gesture must be performed as close to "the same" every time. This is just
clickbait and "please fund our research" IMO.

~~~
pslam
What did you expect — a turn-key solution for sale? They claim no such thing.

This is great research. They've demonstrated that it is in fact possible to
obtain a passcode at a distance, at least in contrived conditions. The fact
it's possible whatsoever is a significant result. Even without being able to
obtain the exact passcode, this would yield the ability to guess a passcode in
much better time than just random selection.

~~~
program_whiz
Ok I think my issue with this is that it's akin to saying: Given the same
users, in the same position, with the same hardware, performing the same
gestures, we discovered the signals are consistent enough that a NNet can
figure out a pattern. However, if the users, the hardware, the wifi router,
the positions, the orientations, the conditions, or the gestures used change,
you would need to retrain your NNet for that situation.

After working on a couple of "ambitious" projects that tried to use wifi or
bluetooth signals to mine data, it turns out it's not super reliable in
real-world situations.

------
adynatos
LTE and HSDPA (and maybe older gens) have Channel Quality Indicator, which
afaik has the same role as CSI. So I wonder if the same trick can be achieved
with LTE signalling? To pull that off you would need access to a BTS, but
today with open source stacks, like OpenBTS or OpenAirInterface, you could roll
out your own.

------
saycheese
RELATED: "Keystroke Recognition Using WiFi Signals"

[https://www.cse.msu.edu/~alexliu/publications/KamranWiKey/Ka...](https://www.cse.msu.edu/~alexliu/publications/KamranWiKey/KamranWiKey_MOBICOM15.pdf)

------
freyr
It looks like they're inferring the right 6-digit password about 20% of the
time on their first try, presumably using the Xiaomi phone. But if they can
try 20 candidates before getting locked out, they can guess the 6-digit
password about 50% of the time.

With the Samsung phone, which has a much lower 1-digit recovery rate, it seems
that it would be closer to 6% on the first try, and 20% by the twentieth try.
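pslam's point above (an imperfect classifier still beats random guessing) and freyr's arithmetic (roughly 20% on the first try, roughly 50% within a 20-attempt lockout budget) both come down to the same computation: rank full PINs by the product of per-position digit probabilities and sum the mass of the first k. The following is an added example of that ranking, written here and not taken from the paper. The per-digit distributions it uses are constructed (a 0.75 chance on the pressed key, 0.15 on one adjacent key, the rest spread evenly), chosen only because they land near the comment's figures; the paper's own per-digit rates are not reproduced.

```python
"""Rank 6-digit PIN candidates from per-position digit probabilities.

Added example, not the paper's code. The classifier outputs below are
constructed; a real attack would feed in the per-keystroke posteriors of
whatever model was trained on the CSI traces.
"""
import heapq


def digit_distribution(true_digit, p_true, p_neighbour):
    """Constructed classifier output for one key press.

    p_true on the pressed digit, p_neighbour on an adjacent key (modelled here
    simply as digit+1 mod 10), remainder spread evenly over the other eight."""
    neighbour = (true_digit + 1) % 10
    rest = (1.0 - p_true - p_neighbour) / 8
    return [(str(d), p_true if d == true_digit else p_neighbour if d == neighbour else rest)
            for d in range(10)]


def rank_pins(position_probs, max_candidates):
    """Best-first enumeration of PINs in non-increasing joint probability.

    Each position's list is sorted descending; candidates are expanded lazily
    by bumping one index at a time (k-best Cartesian product), so the attacker
    never materialises all 10**6 combinations to get the top few."""
    cols = [sorted(p, key=lambda t: -t[1]) for p in position_probs]
    n = len(cols)

    def score(idx):
        p = 1.0
        for pos, i in enumerate(idx):
            p *= cols[pos][i][1]
        return p

    start = tuple([0] * n)
    heap = [(-score(start), start)]
    seen = {start}
    ranked = []
    while heap and len(ranked) < max_candidates:
        neg, idx = heapq.heappop(heap)
        pin = "".join(cols[pos][i][0] for pos, i in enumerate(idx))
        ranked.append((pin, -neg))
        for pos in range(n):
            if idx[pos] + 1 < len(cols[pos]):
                nxt = idx[:pos] + (idx[pos] + 1,) + idx[pos + 1:]
                if nxt not in seen:
                    seen.add(nxt)
                    heapq.heappush(heap, (-score(nxt), nxt))
    return ranked


def cumulative_success(position_probs, budget):
    """Probability the true PIN is among the first `budget` guesses, assuming
    the per-position probabilities are calibrated."""
    return sum(p for _, p in rank_pins(position_probs, budget))


def rank_of(true_pin, position_probs, budget):
    """1-based rank of true_pin within the attempt budget, or None if it is
    not reached before lockout."""
    for r, (pin, _) in enumerate(rank_pins(position_probs, budget), start=1):
        if pin == true_pin:
            return r
    return None


# Constructed scenario: the victim typed 190476 and the classifier is right
# about each digit 75% of the time.
TRUE_PIN = "190476"
PROBS = [digit_distribution(int(c), 0.75, 0.15) for c in TRUE_PIN]

if __name__ == "__main__":
    for budget in (1, 5, 20):
        print("budget %2d: success %.3f" % (budget, cumulative_success(PROBS, budget)))
```

With these constructed numbers the first guess succeeds with 0.75^6, about 18%, and twenty guesses reach about 48%; dropping the per-digit rate to 0.62 gives 0.62^6, about 6%, on the first try, which is the shape of the Samsung-versus-Xiaomi comparison in the comment. The lockout budget is the parameter the defender controls: the sum grows with k, so a tighter attempt limit (or a delay that makes twenty attempts impractical) is what keeps a 20%-per-digit-error classifier from becoming a 50% attack.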

------
baby
I like this Fermat thing but it would be cooler if it could add a date to the
papers that, for some reason, do not have a date.

~~~
ominous
Following DOI:
[http://dx.doi.org/10.1145/2976749.2978397](http://dx.doi.org/10.1145/2976749.2978397)
we find the paper was presented in Proceedings of the 2016 ACM SIGSAC
Conference on Computer and Communications Security, Vienna, Austria.

Date: 2016-10-24

------
leejoramo
Also never enter a password in any location where a hidden video camera could
be observing you. Or where a hidden microphone could be listening to your
typing. Or where ruffians holding crowbars could be lurking in the next room.

------
Amorymeltzer
Moral of this (and every other) story: Never, ever connect to a free, public
wifi.

ETA: This was meant to be glib, given the frequency of such stories seen on
HN, and the many children below are quite correctly pointing out that the
_real_ moral is
[https://news.ycombinator.com/item?id=13645694](https://news.ycombinator.com/item?id=13645694)

~~~
swsieber
It would seem that that's not the moral of the story: it looks like your
device doesn't even have to connect to the wifi. It appears that this is more
like using wifi as radar to detect finger movements.

~~~
xenithorb
So then it's probably a pretty good idea to randomize the number keypad for the
lock screen, which I do. Does this defeat that? I can't think of a way it
does...

~~~
djrogers
The paper focused on an attack against a payment system, not the lock screen,
so you'd need to randomize every password input keyboard at the system level.

Probably not a bad idea...

~~~
DennisP
Another option would be to use thumbprints for all authorizations after the
device is unlocked.

