Inferring Your Mobile Phone Password via WiFi Signals (fermatslibrary.com)
340 points by pogba101 on Feb 14, 2017 | hide | past | web | favorite | 64 comments

For those who want more information on CSI (Channel State Information):

This allows you to use a custom firmware developed for the Intel 5300 wireless adapter and read the CSI values with each packet.

Every 802.11n implementation that I am aware of keeps a CSI vector (IQ values, typically as integers) within the wifi chip. Both the Wifi AP and STA do this. The CSI vector is updated with every packet, using the training data at the beginning of the packet. (802.11 is CSMA [2] so there is a fixed transmission to start the packet)

In other words, Intel has this nice tool for one of their (now somewhat dated) chips. But CSI is not restricted to Intel chips. Atheros chips have a decent but limited CSI readback method, not quite as nice as Intel's [3]. But CSI has been used for experiments on all major wifi chips out there.

With 802.11n this is used to determine the quality of signal likely to be received on each sub-carrier within the signal.

CSI is useful for many other things: RF experiments, indoor position sensing, and now apparently also password cracking.

[2] https://en.wikipedia.org/wiki/Carrier_sense_multiple_access_...

[3] http://pdcc.ntu.edu.sg/wands/Atheros/

Holy shit. From a brief scan it looks like the paper concentrates on recovering a numeric pin, but these attacks never get worse, only better, so I assume full keyboard access is not too far off. What's the defense? Have your phone manage the passwords and unlock via fingerprint?

Well if one modifies the channel state information in an unpredictable manner while performing sensitive operations, it becomes very difficult to extract any information. The simplest way to do this might be to fidget. Use one hand to type and another hand to fidget with something.

A more high tech method would be to use a modulated wifi reflector that is randomly modulated.

One should also watch out for wifi hotspots with ominously pointed directional antennas.

The defence is definitely to not use public wifi. This technology works because they can identify small target windows (e.g. you just accessed a URL to login to your bank account) in which to make and process these measurements. Any kind of abnormal obfuscation of your device should introduce enough noise to prevent this attack from generating any meaningful data from the victim, but I'm running on assumption.

Couldn't this work against any wifi? Impersonating a public access point gives you some extra unencrypted information so you know the server IP and can more easily infer when a password is being entered, the same things you conceal by using a VPN over public wifi.

But what stops a passive wifi observer who can guess those things or already knows them?

I think this is pretty hand-wavy and requires a lot of assumptions to be true.

Also: "We collected training and testing data from 10 volunteers." Not a statistically useful sample set.

Under very controlled environments, measuring signal deltas may be possible, but I would like to see sample data that suggests high success rates before I think this is worthy of concern.

Finally, self-tuning antennas are a thing. This is going to get harder over time. https://www.qualcomm.com/videos/qualcomm-rf360-dynamic-anten...

The easiest defence is to temporarily kill all the radios (wifi, bluetooth, LTE) while someone is entering a password.

Or scramble the numeric keypad on every try, but that would get annoying fast.

Anybody who plays Runescape will recognize this. They have a pin you can set to gain access to your in game bank. It has a fair few security features to combat keyloggers which were (and still can be) a major issue.

Some security features I can recall:

Random layout of the numbers on both the button itself and which button has which number. This is shuffled on every click.

Upon clicking, all numbers and the mouse pointer vanish. This prevents screenshots taken on clicks by some keyloggers from working.

No keyboard input. Annoying but needed to combat keyloggers.

My bank did that with a JavaScript number pad. They went back to a standard password field with the new design of the site a couple of years ago. That made me feel less safe because I understood why they were complicating the input.

Another strategy I've seen is to ask for some random digits of a longer PIN, with a mask to fill out.

Some banks (e.g. Barclays) use a card reader that generates a unique key each time. Since this also requires that you have your card to log in, it's my understanding that this offers massively improved security.

I've seen some secure financial sites that already do that.

Convenient option on Cyanogenmod. Been using it for about 2 years and it's surprisingly easy to get used to.

Touch typing? It should present significantly differently from one-finger key hunting.

Fingerprints and never using public WiFi would both be good strategies. (I use my fingerprint to log into my banking app when on mobile.)

Touch typing on a flat, featureless surface? Best of luck with that. I tried, and tended to drift off-center within a few tens of keystrokes. The F and J nubs on physical keyboards are there for Good Reasons - but even without them, feeling where exactly you are striking the key (center or corner) gives you feedback to reposition. A touchscreen gives you nothing.

Ah, you're completely right - for some reason I had it in my head it was about laptops. Even the title was a big reveal... Oh well.

> Have your phone manage the passwords and unlock via fingerprint?

Yes, that would defeat this particular attack.

Never use public wifi. I don't.

That is a large cost to pay.

It isn't really. Mobile data is a must from a security point of view. Combine it with a VPN and you have your out and about internet access sorted.

How is a VPN on mobile data safer than a VPN on public internet?

Also, what safety does a VPN add if you are already using https?

The process of connecting to public wifi is a risk. Most public wifi networks have a landing page that you have to click through before proceeding/granting you access. That page could have a malicious script.

Last year after a trip in Germany, my older iPhone had a random password saved in Safari settings. On top of that, every time I tried to delete the password, it would reappear when I went back (iCloud sync was off, etc.). I don't remember browsing anything out of the ordinary, but did connect to a bunch of public wifi spots. Here's to hoping it was just a really persistent ad-tracking method.

Do you browse the web expecting sites not to have malicious scripts?

For my use case, I hope so.

I generally don't browse on my phone, so if I'm opening up Safari on a public network, it's to a known site or bookmark to quickly reference something (e.g. transit map, exchange rate). It's totally possible an ad on the NYT or Bloomberg has some malicious Javascript, but currently I'm naively assuming otherwise.

Also, I think many people on their phones will connect to a public hotspot just to check Facebook / Instagram / Snapchat these days and not much else.

For the second one, I believe you can still ID what sites a user is likely using if you're in the middle, regardless of https, via e.g. reverse IP lookups, just not what they're sending to that site. A VPN covers that.

Mobile data is often slow or unavailable depending on what room of a building you're in etc. outside of cities.

Mobile data is expensive and slower than WIFI. There is a reason people connect to a WIFI with their phones.

In many (most?) countries mobile data is cheaper than wired connections, but obviously with worse latency.

Slower too maybe, but we're long past the point it really matters, except for latency sensitive applications. 50+ Mbps is just plenty for most applications.

The only real need for wifi is to save some battery power and maybe to get better latency and jitter for VoIP and interactive applications.

AFAIK, the US and UK are still pretty bad. I guess they have to limit bandwidth and data volume to be able to, ahem, listen to their customers.

> mobile data is cheaper than wired connections

In which countries is that true? Certainly not any that I visit.

Is it really? The biggest bandwidth user is cloud apps and if you care about privacy you wouldn't be using them anyway.

As far as I understood, this attack vector has nothing to do with using public wifi.

The attack presented in this paper relies on the user connecting to the wifi hotspot. This is necessary so that they can figure when a sensitive operation is happening.

Without this information, it is difficult to determine if the user is inputting a password. In addition, if we know the user is using the Bank of America app, and we know that the app uses a specific key layout, it becomes a lot easier to figure out what keys they are pressing.

There is no reason that the other technique they discussed, which does not require the target to connect to a specific wifi hotspot, could not be improved though.

If you want to be really secure, just never use the internet.

This paper is available through Google scholar if you search for "CCS 16 password WiFi" or click here: https://www.a51.nl/sites/default/files/pdf/p1068-li.pdf

I've been a part of a similar paper that detected exact keystrokes. This one seems to build on a similar idea. The thing to keep in mind is that these systems need user and environment specific training. That is if the user is changed or the user or something in the environment moves, the system needs to retrain.

Direct link to PDF without the (infuriating) popups/overlays: http://delivery.acm.org/10.1145/2980000/2978397/p1068-li.pdf

NoScript prevented any popups/overlays from appearing for me.

Popped by the comments just to find something like this (but the link doesn't work)! Thanks anyway!

See also: detecting and motion tracking people behind walls, with the ability to recognise specific people ( also using wifi ).

Of particular interest: It can determine breathing patterns and heart rate.

Or the 2013 discussion of "Wi-Fi signals enable gesture recognition throughout entire home" here on Hacker News [1], with links to other related ideas in the comments.

[1] https://news.ycombinator.com/item?id=5824286

Some weeks back I read a post here about detecting people in rooms by measuring how the physical body interferes with the wifi signals. I wouldn't have imagined someone could extract useful information at this small of a scale. wow!

This one!

It can detect people and track their movements behind walls, and tell different people apart.

It can also measure breathing patterns and heart rate.

I clearly did not read into this enough as it is more impressive than I had remembered. It's quite the eye-opener on how much unique data there is out in the wild...

Read the section "limitations". Only works on 10 users right now, must be trained for the pattern "per user", phone must be sitting on stable surface, gesture must be performed as close to "the same" every time. This is just clickbait and "please fund our research" IMO.

What did you expect — a turn-key solution for sale? They claim no such thing.

This is great research. They've demonstrated that it is in fact possible to obtain a passcode at a distance, at least in contrived conditions. The fact it's possible whatsoever is a significant result. Even without being able to obtain the exact passcode, this would yield the ability to guess a passcode in much better time than just random selection.

Ok, I think my issue with this is that it's akin to saying: given the same users, in the same position, with the same hardware, performing the same gestures, we discovered the signals are consistent enough that a NNet can figure out a pattern. However, if the users, the hardware, the wifi router, the positions, the orientations, the conditions, or the gestures used change, you would need to retrain your NNet for that situation.

After working on a couple of "ambitious" projects that tried to use wifi or bluetooth signals to mine data, it turns out it's not super reliable in real-world situations.

Remember: Attacks never get worse, only better. What you've read is the new lower bound of what's possible.

Throw in the fact that mobile phones adjust their radio power output based on battery and AP signal strength, and any signal strength measurements become completely unreliable.

LTE and HSDPA (and maybe older gens) have a Channel Quality Indicator, which afaik has the same role as CSI. So I wonder if the same trick can be achieved with LTE signalling? To pull that off you would need access to a BTS, but today with open source stacks, like OpenBTS or OpenAirInterface, you could roll out your own.

RELATED: "Keystroke Recognition Using WiFi Signals"

It looks like they're inferring the right 6-digit password about 20% of the time on their first try, presumably using the Xiaomi phone. But if they can try 20 candidates before getting locked out, they can guess the 6-digit password about 50% of the time.

With the Samsung phone, which has a much lower 1-digit recovery rate, it seems that it would be closer to 6% on the first try, and 20% by the twentieth try.

I like this Fermat thing, but it would be cooler if it could add a date to the papers which, for some reason, do not have a date.

Following DOI: http://dx.doi.org/10.1145/2976749.2978397 we find the paper was presented in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria.

Date: 2016-10-24

Also never enter a password in any location where a hidden video camera could be observing you. Or where a hidden microphone could be listening to your typing. Or where ruffians holding crowbars could be lurking in the next room.

Moral of this (and every other) story: Never, ever connect to a free, public wifi.

ETA: This was meant to be glib, given the frequency of such stories seen on HN, and the many children below are quite correctly pointing out that the real moral is https://news.ycombinator.com/item?id=13645694

It would seem that that's not the moral of the story: it looks like your device doesn't even have to connect to the wifi. It appears that this is more like using wifi as radar to detect finger movements.

Real moral of the story: Read the article before commenting.

Yes, I think a passive listener in promiscuous mode would work. And more listeners located around the room would be even better, if their signals could be very precisely correlated in time.

In more detail: CSI is available to the _receiver_ of the wifi packet. In other words:

• Your phone can determine CSI for all AP broadcasts. (Useful for indoor positioning)

• The AP can determine CSI for any packet sent to it. Thus your phone would have to be associated. (Or, at least trying to associate.)

• A passive listener in promiscuous mode should still work -- maybe -- though I couldn't say for certain. The CSI value would not be identical to what the AP receives since the listener is in a different physical location and is not synchronized to the AP. The CSI data is In-phase and Quadrature values which can only be interpreted in relation to the clock that is being used to sample the radio signal. But maybe this approach manages to get around clock sync issues somehow.

• If your finger locations change without any wifi packet transmission, there is no way to detect that.

I'd say the best mitigation is to turn off wifi while typing your password. Then turn it on just before hitting "Submit" or "Enter" or whatever.
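The comment above notes that CSI is I/Q data that only means something relative to the receiver's sampling clock. The following is an added, constructed simulation (not code from the paper or the CSI tool) of what that implies for a passive listener whose clock is not synchronized to the AP: a sampling-time offset and a carrier phase offset rotate every subcarrier's phase, while the per-subcarrier amplitudes survive unchanged. The subcarrier count, offsets and channel values are all made-up inputs.

```python
import cmath
import math
import random

SUBCARRIERS = 30  # constructed: one complex (I + jQ) channel value per subcarrier


def make_csi(seed=1):
    """Constructed CSI vector standing in for what a synchronized receiver sees."""
    rng = random.Random(seed)
    return [complex(rng.uniform(-1, 1), rng.uniform(-1, 1)) for _ in range(SUBCARRIERS)]


def observed_by_unsynced(csi, sto_samples, cfo_phase):
    """The same channel as sampled by a receiver whose clock is offset from the sender.

    A sampling-time offset (in samples) adds a phase ramp that grows linearly with
    subcarrier index; a carrier phase offset adds one common rotation. Neither
    touches the magnitude of any subcarrier.
    """
    n = len(csi)
    return [h * cmath.exp(-1j * (2 * math.pi * k * sto_samples / n + cfo_phase))
            for k, h in enumerate(csi)]


def wrapped_phase_diff(a, b):
    """Absolute phase difference folded into [0, pi]."""
    return abs((cmath.phase(a) - cmath.phase(b) + math.pi) % (2 * math.pi) - math.pi)


def compare(csi, obs):
    """Largest per-subcarrier amplitude and phase discrepancy between two views."""
    amp = max(abs(abs(h) - abs(g)) for h, g in zip(csi, obs))
    ph = max(wrapped_phase_diff(h, g) for h, g in zip(csi, obs))
    return amp, ph


def demo():
    csi = make_csi()
    # constructed offsets: half a sample of timing error, 1 radian of carrier phase
    obs = observed_by_unsynced(csi, sto_samples=0.5, cfo_phase=1.0)
    return compare(csi, obs)


if __name__ == "__main__":
    amp_err, phase_err = demo()
    print(f"max amplitude error: {amp_err:.2e}")   # amplitudes are preserved
    print(f"max phase error:     {phase_err:.2f} rad")  # raw phases are not
```

The takeaway for the question raised in the thread is that any feature built on raw CSI phase is receiver-specific, whereas amplitude-based features are what an unsynchronized third party could plausibly reuse, which is also why mitigations that randomize the channel (fidgeting, reflectors) or cut the radio during entry target both.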

So then it's probably a pretty good idea to randomize the number keypad for the lock screen, which I do. Does this defeat that? I can't think of a way it does.

The paper focused on an attack against a payment system, not the lock screen, so you'd need to randomize every password input keyboard at the system level.

Probably not a bad idea...

Another option would be to use thumbprints for all authorizations after the device is unlocked.

How do you randomize the keypad? Is it possible on iPhone?

I think that wifi devices only send a sounding packet when requested from the AP. You need to know you are capturing a sounding packet to determine CSI (or have it sent explicitly by the receiver, aka explicit beamforming).

If you're that paranoid, you might want to also keep in mind that it would be far more reliable to shoulder surf via video surveillance. As a bonus, it even works with radios disabled.
