Ways Your Wi-Fi Router Can Spy on You (theatlantic.com)
352 points by secfirstmd on Aug 24, 2016

Jesus, I wasn't even going to read this article, but holy shit, am I glad I did.

  Using more precise sensors, the same MIT 
  researchers went on to develop systems that 
  can distinguish between different people 
  standing behind walls, and remotely
  monitor breathing and heart rates with 99 
  percent accuracy.

  A system called “WiKey” presented at a 
  conference last year could tell what keys 
  a user was pressing on a keyboard by 
  monitoring minute finger movements. 

  And a group of researchers led by a Berkeley 
  Ph.D. student presented technology at a 2014 
  conference that could “hear” what people were 
  saying by analyzing the distortions and 
  reflections in wi-fi signals created by their 
  moving mouths. 
Man, I was about to blow this off as yet another MAC address sob story. I totally was not anticipating Doppler effects and radar-style reflection/signal strength analysis.

A system called “WiKey” presented at a conference last year could tell what keys a user was pressing on a keyboard by monitoring minute finger movements. Once trained, WiKey could recognize a sentence as it was typed with 93.5 percent accuracy—all using nothing but a commercially available router and some custom code created by the researchers.

Ok that's pretty cool. But incredibly concerning.

The actual abstract of that paper mentions much higher figures for individual keys:

WiKey achieves more than 97.5% detection rate for detecting the keystroke and 96.4% recognition accuracy for classifying single keys. In real-world experiments, WiKey can recognize keystrokes in a continuously typed sentence with an accuracy of 93.5%.


That link goes to the ACM Digital Library, where the paper is behind a paywall. Oddly, it is also available on the ACM SIGMOBILE site without a paywall: https://www.sigmobile.org/mobicom/2015/papers/p90-aliA.pdf

If I am understanding this thing correctly, WTF...they are figuring out keystrokes by looking at the variations on a WiFi signal caused by the movement of human fingers during typing, which change how the signal propagates!?

Note that the computer you are typing on does not even have to be using WiFi. Heck, you would not even need to be using a computer. This should work if you are using an old manual non-electric typewriter.

People are mostly water, and the 2.4 GHz frequency is absorbed by water (the molecule makes a convenient antenna). That is why it is used in microwaves and why microwaves don't heat dry things well.

So people are really good attenuators of the 2.4 GHz signal, and MIMO routers in particular are pretty good at localizing where attenuation is happening. That combination makes a WiFi base station a good hardware platform for tracking humans.

As soon as my LimeSDR system arrives I'm looking at trying to replicate some of these results.

Has anyone replicated them yet?

Is each antenna directional, or do routers only gain directionality with multiple antennas? I'm amazed that they can get such precise beamforming with only four or six antennas (maybe they didn't even have that many antennas in 2013.) Admittedly I'm more familiar with beamforming as a sonar concept than as radar.

edit: I just read the MIT paper, and it's using ISAR. My advisor would be ashamed of me for not realizing that... Still, as the number of antennas continue to increase for better directionality, the wifi radar could even become effective on stationary targets. Soon we'll all be dressed like F-35s to hide from our routers.

I like the idea of 'stealth ware', although recognize it would be something of a tin-foil hat type fashion.

I'd be happy if I can add a 'human motion / location detector'. I've got ideas for a spotlight system that provides light for you when you walk up to a dark porch.

I watched the video but it's really weirding me out that the CEO paints his fingernails black

It's actually stealth paint to protect him from these kinds of attacks ;)

1994 called, it wants its The Crow T-shirt back.

It can be done with a sound recording of the tapping of the keys too: http://www.cs.utexas.edu/~shmat/courses/cs6431/zhuang.pdf

I wonder if it makes any assumptions about layout and keyboard shape (for example, it might not know that I was using Dvorak, or that I had an ergo keyboard where my fingers were in atypical places).

I'm sure it uses some kind of Markov chain statistical analysis technique that would have to be programmed to assume you were typing on a particular keyboard layout in a particular language. On the other hand, there's nothing stopping them from trying to decode the raw data with several different configurations and seeing which one sticks. The IBM Selectric bugs the Soviets planted [1] did a similar thing, where they only transmitted four bits per character, but the messages could be rehydrated knowing letter and word frequencies from the English language.

[1] http://www.cryptomuseum.com/covert/bugs/selectric/

"Once trained..."

It needs to know what keyboard/layout and also the person.

I'd guess that the position of the keyboard in the room needs to stay constant too.

Doesn't mean they couldn't get enough data to do it in general.

I wonder if there's a way to delay each keystroke to make the time between presses more uniform to beat this.

I think the primary countermeasure would be adding white noise to the system, e.g. a nearby robot arm flailing around a conductor or a piece of meat.

A rare example of a misleading title that is actually too underwhelming: No, they are not talking about spying on your internet traffic but using the router to observe your real-world movements...

There are a lot of interesting things you can do with wifi signals; human bodies show up in them with a lot of accuracy, enabling things such as breathing rate and heart rate detection.


Wait, so in a building full of wifi signals, you could theoretically detect a body with no heartbeat or breathing and alert someone automatically?

Possibly, better get a startup going

Seriously, you can do this

A more interesting question is who might already be doing this, and whether you could write a passive receiver for this that utilises ambient signals versus purposely emitted ones. Considering its utility in several scenarios, I can see why some money might be invested in developing this capacity without commercialising it.

Does this have anything to do with the 2.4 GHz band being selected for microwave ovens (and thus, wifi) in the first place, as it apparently has a special effect on water?

Yes, it's the same frequency as the water molecule's resonance frequency.

I wonder how accurately you can determine the location of individuals across a house?

I remember WiSee (http://wisee.cs.washington.edu/) a while back and ever since then I thought it would make for a fantastic home security system. You plot out your perimeter and when armed it goes off whenever a person crosses the threshold.

With some of the improvements from this system, it could even be possible to have it always armed but exclude certain people from tripping the alarm.

I wish I had the knowledge and experience to implement such a system (radio-wise).

Hello radar... Is it any surprise that MIMO technology, designed to work around problems caused by different signal return paths, can make a really nice 3D radar?

Google for "SDR passive radar" for some really cool projects.

This is pretty frightening all by itself, but I'm thinking: if this is possible with a router, shouldn't a simple smartphone be capable of the same, since it can be used as a hot-spot and covers even more signal ranges? A device owned by everyone, everywhere, generally less secure and more carelessly used, with loads of proprietary software pretty much always installed? Does it mean the whole city can be almost realistically observable by someone, even when no video camera is there?

Reminds me of the system in Batman to find the Joker. It was using cell phones and mapping the whole city I think?

I think that was using the phone's microphones, not antennae. Same idea though.

Exactly. And I never thought it's actually possible.

People who are capable of writing side-channel attacks like this have an intuition for radio and signal processing that must be completely overwhelming during their day-to-day life.

> People who are capable of writing side-channel attacks like this have an intuition for radio and signal processing that must be completely overwhelming during their day-to-day life.

I might not be such a wizard :-( but still I know some things about how some everyday objects such as computers/laptops (hidden features), mobile phones, WiFi etc. can be used for surveillance. Even in a country such as Germany that has seen two surveillance states in the 20th century and is thus a lot more concerned about surveillance than, say, the US (as I observe it) I'm talking about this topic till I am blue in the face.

So in other words: I don't believe you would consider such a person to be overwhelming, but instead you would consider him as flat-out annoying and paranoid.

I don't think he implied that the _people_ with this knowledge must be overwhelming. I think he means these people's intuition, and knowledge, about radio/signal processing, must be overwhelming (to _them_ first and foremost) during their day to day life.

As in, everywhere you go, you realize how much information a knowledgeable evil actor could extract by simply analyzing what's being irradiated.

I'm imagining something like the brother in Better Call Saul, where it's painful for him to be in the presence of cell phones or fluorescent lights, etc.


Not just the practical considerations of someone extracting the information, but just that studying this and reasoning about it to the extent that you can extract information out implies such a deep understanding of another part of the electromagnetic spectrum.

I would liken it to having the ability to imagine another color. They probably don't have an exact idea of the information flowing around them, but they know it is there and they have an ability to reason about it better than others. I can't imagine that's something that is easy to simply leave at the office.

Many years ago I saw this topic, and then it suddenly vanished for a decade.

Now it's here again, and I'm even more frightened.

Analyzing just the sound of a keyboard being typed on can yield the typed content as well:


Ha, this is amazing. Reminds me of movies using seemingly far-fetched premises at their time.

Sneakers - in the beginning when they're spying on Dr. Janek, the team can't see the entire password he types, but Whistler hears the missing keystroke.

And related to the original post, The Dark Knight has Batman using sonar from everyone's mobile phones to detect where the Joker's henchmen were and here we are with wifi routers (and potentially other 2.4 GHz devices).

That's not what happens in Sneakers.

They're all trying to figure out what the password is from the video, and Whistler is paying attention to what they're saying, which is that he has an answering service. And if he has an answering service, then the answering machine on his desk is hiding something in plain sight.

Ah you're right. Wasn't there a scene where the keyboard was obstructed and Whistler says "it's ___ key"? Maybe when they spy on Werner Brandes.

I'll have to re-watch this sometime soon.

[And if anyone reading hasn't watched Sneakers (1992), you _must_.]

Sneakers is one of my favorite movies.

I don't believe that the scene you're thinking of happens. Whistler is pretty impressive, but even he can't hear the difference between keystrokes.

The other cool things that Whistler does are figure out where Martin was taken by the sounds that Martin remembers, and figure out what the various rooms in the building are via telescopic microphone ("Emergency exit stairwell." "How can you tell" "I can hear the emergency exit light batteries recharging") :D

All of you folks were right.

I skimmed over the movie late last night and realised I completely misremembered the two scenes mentioned, and exaggerated Whistler's hearing abilities.

I only remember him identifying the bridge by sound.

That wasn't far-fetched at the time, apart from using a human to do the listening. There has been intense interest in audio processing for many years. This was to identify submarines, Morse key operators, and what's being typed on a typewriter.

My concerns about surveillance and privacy are all more about the principle than the practical. I really don't care if some murderer can use my wifi to figure out where I'm sitting, but in general I'd prefer that it not be possible to co-opt a router and use it to spy on people.

I was thinking of a way to avoid typing passwords on your keyboard. So I just wrote this proof of concept of password input by hovering over the letters that you want to enter as the password. Every time the page loads, and every 2 seconds, the dial changes position and rotation, so two passwords should never have the same mouse movements. http://codepen.io/anon/pen/yJdXoK
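An added example, not the commenter's codepen, that models the dial idea in plain JavaScript so the property can be checked without a browser: each layout randomly permutes the symbols around the dial and picks a random rotation and screen centre, so the pointer path for the same password differs from one layout to the next. The symbol set, the 2-second refresh (left to the caller, who calls makeLayout each interval) and the seeded PRNG are assumptions for this example.

```javascript
// Added example (assumed symbol set; the original codepen may differ).
const ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789";
const STEP = 360 / ALPHABET.length; // degrees between neighbouring symbols

// mulberry32: small seeded PRNG so layouts are reproducible in tests.
// A real UI would use crypto.getRandomValues() instead.
function mulberry32(seed) {
  let a = seed | 0;
  return function () {
    a = (a + 0x6d2b79f5) | 0;
    let t = Math.imul(a ^ (a >>> 15), 1 | a);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Build one dial layout: shuffled symbol order, random rotation, random centre.
// The caller regenerates this on page load and every 2 seconds, as the PoC does.
function makeLayout(rng) {
  const order = ALPHABET.split("");
  for (let i = order.length - 1; i > 0; i--) { // Fisher-Yates shuffle
    const j = Math.floor(rng() * (i + 1));
    [order[i], order[j]] = [order[j], order[i]];
  }
  return {
    order,
    rotation: rng() * 360,                               // degrees
    centre: { x: 100 + rng() * 600, y: 100 + rng() * 400 }, // screen px
  };
}

// Angle (degrees from the dial centre) at which symbol `ch` currently sits.
function angleForChar(layout, ch) {
  const idx = layout.order.indexOf(ch);
  if (idx < 0) throw new Error(`symbol not on dial: ${ch}`);
  return (layout.rotation + idx * STEP) % 360;
}

// Screen point the user hovers to select `ch` under this layout.
function pointForChar(layout, ch, radius = 80) {
  const a = (angleForChar(layout, ch) * Math.PI) / 180;
  return { x: layout.centre.x + radius * Math.cos(a),
           y: layout.centre.y + radius * Math.sin(a) };
}

// Symbol under the pointer at screen position (x, y): invert the geometry.
function charAtPoint(layout, x, y) {
  const dx = x - layout.centre.x, dy = y - layout.centre.y;
  const angle = ((Math.atan2(dy, dx) * 180) / Math.PI + 360) % 360;
  const rel = (((angle - layout.rotation) % 360) + 360) % 360;
  return layout.order[Math.round(rel / STEP) % ALPHABET.length];
}

// Hover path (one point per symbol) that enters `password` under `layout`.
// The same password yields a different path for every layout, which is the
// point of the dial: pointer motion alone does not reveal the secret.
function pathForPassword(layout, password) {
  return [...password].map((ch) => pointForChar(layout, ch));
}
```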

Here's one way to avoid typing passwords: use a password manager to generate and store them. Generating a new password is just a click of the mouse, and using the password requires only the copy/paste key stroke combo, or less.

Using 2-factor authentication also helps. Even if the bad guys know the code, it's only good for 60ish seconds. This provides a time dependency, similar to your dial idea.

That sounds like a good idea. You could use a private key to unlock your password manager.

But the problem with both using 2FA and a private key is that they both rely on something that only you have.

If someone figures out how to steal your phone/hard drive, then they also have their way to all your accounts.

This dial tries to get back to the idea of "something that only you know".

Finally, you could also use a private key with a password, and you would reduce the attack surface even more. But again, the dial is a way to make it harder to hear your secret when you're entering it into the computer.

Anyway, this dial is a PITA to enter long passwords, which is not good. Long passwords are very important.

Is there anything on github that I can use with DD-WRT to play with any of these effects? Maybe visualize the people my router can see?

This may not be exactly what you are looking for, but check out the Linux 802.11n CSI Tool [0]. A lot of this work is done with the channel state information (CSI), which tells you how a signal propagates from transmitter to receiver and vice versa. Unfortunately, it's hard to get access to this sort of information and there are only drivers for one chipset.

[0] http://dhalperi.github.io/linux-80211n-csitool/

Thanks! Looks like I may have to buy some hardware too.

OpenWrt is a better platform for things like this today than DD-WRT.

So this concerns Wi-Fi, but why wouldn't it work with other terrestrial broadcasts?

Frequency: WiFi has a high attenuation because it's easily absorbed by water. There is a lot of water inside humans. It also has a short range, so there is a lot less noise.

So if I have, say, Comcast, could they theoretically use this to snoop and uniquely identify the people using that router, as well as determine if someone was watching TV when a given commercial ran? I can picture their audience measurement team drooling over this.

Does anybody know if they are talking about the 2.4 GHz or 5 GHz wifi spectrum? I would imagine that the 2.4 GHz spectrum would be the easiest to use for detection since it penetrates walls, etc. better.

The paper mentioned in the article [0] and cannonpr's WiBreathe paper both mention 2.4GHz. I would think 5GHz would provide more detail (at the cost of range), but admittedly this isn't my forte at all.

[0] http://arxiv.org/abs/1608.03430

I feel this technique could have some substantial military applications.

Wall-penetrating radar is already a thing:


Probably a lot more accurate than (ab)using wifi routers for the purpose, but the benefit of WiFi is that other people have already conveniently installed the hardware inside their homes.

I remember reading an article back when wifi was new about a company using some of the same wireless technology for wall penetrating radar for military/law enforcement applications. I don't remember if one was borrowing from the other or if it was developed in parallel. I guess this is the next evolution when you can do both with one box.

Does this mean I need to shred my tinfoil hat and blow it around the room as chaff?

This is a great business opportunity for Wi-Fi-cancelling devices. No doubt we'll see increased use of wired-only and line-of-sight networks.

Edit: s/WIFI/Wi-Fi/

I remember when I was researching motion detection systems a few years ago for controlling software by natural movements, I found various technologies including the Myo and infrared tracking. And then I saw this:


It sounds possible to detect what a voter chooses even within a voting booth. Just knowing this was possible could be a serious threat to one of the last bastions of democracy, namely voter privacy. If I think that my vote is detectable by the powers that be, I might as well be in North Korea.

Does anyone know how they measure Wi-Fi signal strength to such an accuracy? Like, from a practical standpoint, I have no idea how to make my Wi-Fi card tell me signal strength with such a high accuracy in any OS. Do they have special Wi-Fi cards? (No, I haven't had the time to read the article yet unfortunately, but hope to soon.)

I don't get it. A much more accurate sensor for detecting human movement is a camera.

Last I checked, most cameras can't see through walls.

"Something in the way? No problem. A pair of MIT researchers wrote in 2013 that they could use a router to detect the number of humans in a room and identify some basic arm gestures, even through a wall. They could tell how many people were in a room from behind a solid wooden door, a 6-inch hollow wall supported by steel beams, or an 8-inch concrete wall—and detect messages drawn in the air from a distance of five meters (but still in another room) with 100 percent accuracy.

(Using more precise sensors, the same MIT researchers went on to develop systems that can distinguish between different people standing behind walls, and remotely monitor breathing and heart rates with 99 percent accuracy."

If you look at that paper you'll see they use some custom machine on the other side of the wall to send and sense the wifi signals. And all they get is relative movement away or towards the machine. I'm sure an infrared camera would be much more accurate. Doesn't seem practical at all.

But how well do cameras work through walls?

Like Bart Simpson said "No one suspects the butterfly." In this case, no one would suspect their router to be watching where they physically are. Imagine a SWAT team being able to detect where people are within a room before they enter the place - all by snooping through a router.

And they don't even need to snoop through your router. They could bring their own and just place it outside the door.

They also don't need to bring a router, just a special microwave.

I think the point of the article is that there is potential for Wifi routers to be used to monitor people without their knowledge. An attacker could potentially penetrate your router and install malicious code on it to monitor certain things, where it would be too obvious/not viable for them to put a camera in the room. (and also the walls thing that others have mentioned)

And you might not even need to penetrate the router.

Sitting here at home (in an apartment building), I can currently count 5 Wifi networks to connect to, and only one of them is mine.

Everyone has a WiFi router in their home. Webcams give you great data in a particular frame, but laptops aren't always open, they move around, they only look in one direction at a time.

WiFi routers just look like passive boxes. Heck, in an unfamiliar house you might have to go on an expedition to even find the thing, and a router shoved behind a cabinet can track you too.

Line of sight, or the lack of it. Pretty soon the cell phone in my pocket can use its wifi to detect the PINs you typed on the ATM terminal. Wifi jammers will be popular.

I'm a media artist who wants to do an implementation of this DSP algorithm for a piece of installation art. Get in touch with me on twitter @joshypants if you're an engineer who's interested in collaborating on the implementation.

If one is a lone 'researcher', good luck weaponizing this.

Chainfire of SuperSU/android fame has an app that does something to combat this called pry-fi[1] that randomizes a bunch of data, and can appear to be many devices at once. Requires root of course.


Which, I believe, is completely irrelevant to the problem described in the article. What they do is observe the electromagnetic spectrum, using WiFi routers as signal sources. They don't really care what sort of data routers are transmitting, they need the transmitter active at the moment you press the key.

(It may even make it somewhat worse, as the router's transmitter is less likely to idle. Although I'm not sure if it matters.)

Did you read the article? This isn't about spying on your device, it's about spying on you.
