ABSTRACT
In this study, we present WindTalker, a novel and practical keystroke inference framework that allows an attacker to infer the sensitive keystrokes on a mobile device through WiFi-based side-channel information. WindTalker is motivated by the observation that keystrokes on mobile devices lead to different hand coverage and finger motions, which introduce a unique interference to the multi-path signals and can be reflected by the channel state information (CSI). The adversary can exploit the strong correlation between the CSI fluctuation and the keystrokes to infer the user's number input. WindTalker presents a novel approach to collect the target's CSI data by deploying a public WiFi hotspot. Compared with previous keystroke inference approaches, WindTalker neither deploys external devices close to the target device nor compromises the target device. Instead, it utilizes the public WiFi to collect the user's CSI data, which is easy to deploy and difficult to detect. In addition, it jointly analyzes the traffic and the CSI to launch the keystroke inference only for the sensitive period where password entry occurs. WindTalker can be launched without visually observing the smartphone user's input process or backside motion, and without installing any malware on the tablet. We implemented WindTalker on several mobile phones and performed a detailed case study to evaluate the practicality of the password inference against Alipay, the largest mobile payment platform in the world. The evaluation results show that the attacker can recover the key with a high success rate.