Dubbed WindTalker, this kind of attack is only possible when the attacker controls a rogue Wi-Fi access point used to collect Wi-Fi signal fluctuations. To capture the exact moment the victim enters a PIN or password, the attacker must know when to start collecting Wi-Fi signals from the victim, so control over the Wi-Fi access point is also imperative: with that access, the attacker can inspect the user’s traffic and discover when they are visiting pages with authentication forms.

While the attack sounds futuristic, it actually leverages a radio-signal measurement called CSI (Channel State Information). CSI is part of the Wi-Fi protocol and provides general information about the state of the Wi-Fi channel. Because the user’s finger moves across the smartphone as they type, the hand alters the CSI properties of the phone’s outgoing Wi-Fi signals, which the attacker can capture and log on the rogue access point.

WindTalker attack has a 68%+ accuracy

By carrying out basic signal analysis and signal processing, an attacker can isolate the desired portions of the CSI signal and guess the characters a user has typed with an average accuracy of 68.3%. WindTalker’s accuracy varies by smartphone model, but the more the user types and the more data the attacker collects, the more it improves.

The researchers tested WindTalker in a real-world scenario. They were able to recover the transaction PIN that users must enter to authenticate AliPay mobile transactions; those transactions are in most cases sent to a fixed range of IPs, which the attacker can identify and use as the trigger to start collecting Wi-Fi signals during PIN entry. The research paper, titled “When CSI Meets Public WiFi: Inferring Your Mobile Phone Password via Wi-Fi Signals”, includes details of the real-world attack and of WindTalker in general.
At the end of October, the WindTalker attack was also presented at the 23rd ACM Conference on Computer and Communications Security, held in Vienna, Austria. The ACM CCS presentation is also available on YouTube.
Similar password inference attacks have been carried out by security researchers in the past. Scientists have created attacks that collect passwords or keystrokes via a smartphone’s or computer’s microphone, motion sensors, electromagnetic emissions, and embedded cameras.

Source: Bleeping Computer