When CSI Meets Public Wi-Fi:

Inferring Your Mobile Phone Password via Wi-Fi Signals

Presented By:

Keshav Yerra

IntroductionSmart Mobile Devices are everywhere.

Rise of Mobile Payment Applications

Online Mobile Payment

In Year 2015

900 Million Users100 million transactions per day1 trillion dollars transactions.

Payment Protections

Protections for mobile payment security

The Packets are encrypted

Transport Protocol: TLS/SSL

6-Digit Password

Limited Password attempts

Password Inference

Keystroke Inference Methods:

Accelerometer based method – 2015 Acoustic based method – 2014 Camera based method – 2014

Their assumption cannot hold in mobile payment scenario.

Channel State Information

CSI : Channel State Information

CSI reflects the state of its transmission channel

Wind Talker

■ WindTalker aims to find out what your password is by analyzing the interference with the multipath Wi-Fi signals caused by your hands as you type.

Features

Only one device required to attack

Identifying the sensitive time input window( ex: Password input) by considering the SSL traffic and CSI flow.

Successfully attacks Alipay mobile payment app on several mobile devices.

OUTLINE

■Motivation

■ Attack Scenario

■ System Design

■ Evaluation

■ Conclusion

OUTLINE

■Motivation

■ Attack Scenario

■ System Design

■ Evaluation

■ Conclusion

CSI Collection

■ Change CSI collection method to get a valid CSI data

Out-of-band Keystroke inference(OKI) model

IKI model

In-band Keystroke Inference model (IKI)

CSI- Hand Motion

■ Factors Inferences CSI during typing in mobile devices.

Finger Motion

CSI- Hand Motion

■ Factors Inferences CSI during typing in mobile devices.

CSI – Hand Coverage

■ Hand Coverage Inference on CSI

CSI Stream

• Continuous press of number 1-0 each for 5 times

CSI – Hand Coverage

■ Hand Coverage Inference on CSI

CSI Stream

• Continuous press of number 1-0 each for 5 times

CSI – Finger Motion

■ Fingers click’s inference on CSI – Sharp Convex

Quick click’s influence on multi – path propagation

CSI – Finger Motion

■ Fingers click’s inference on CSI – Sharp Convex

Quick click’s influence on multi – path propagation

CSI – Finger Motion

■ Fingers click’s inference on CSI – Sharp Convex

Quick click’s influence on multi – path propagation

CSI – Finger Motion

Possible to find Finger Motion

Possible to IdentifyFinger Motion

OUTLINE

■Motivation

■ Attack Scenario

■ System Design

■ Evaluation

■ Conclusion

Attack Scenario

OUTLINE

■Motivation

■ Attack Scenario

■ System Design

■ Evaluation

■ Conclusion

CHALLENGES

■ How to enforce victim’s device to be a Wi-Fi sender?

■ How to locate CSI segments generated by password input?

■ How to reduce Noise in raw CSI Data?

■ How to infer password using CSI?

System Design

■ Wind Talker system model

■ Four modules Four challenges

First Challenge

■ How to enforce victim’s device to be a Wi-Fi sender?

■ CSI collection module

ICMP based CSI Collection module

CSI can be extracted from Wi-Fi packet’s preamble

ICMP based CSI Acquirement module

• Attacker sending ICMP request in 800Hz, getting CSI data in 800Hz

• Can be done without the victim’s knowledge

Second Challenge

■ How to locate CSI segments generated by password input?

Sensitive Input Module

■ How to locate CSI segments generated by password input?

Third Challenge

■ How to reduce Noise in raw CSI Data?

Signal Processing Methods

■ By using Directional Antenna’s instead of Omni- directional Antenna’s

■ Reducing Noise

1. Low Pass Filtering

2. Dimension Reduction

Forth Challenge

■ How to infer password using CSI?

■ Data Preprocessing Module

Password Inference Module

Password Inference Module

OUTLINE

■Motivation

■ Attack Scenario

■ System Design

■ Evaluation

■ Conclusion

Classification between different numbers

10 Volunteers 3 types of phones

Each Volunteer:press 10 loops

Each loop:from 1-2-3…0

Classification between different numbersClassification Results:

82% in Xiaomi, 73% in Nexus, 64% in Samsung

OUTLINE

■Motivation

■ Attack Scenario

■ System Design

■ Evaluation

■ Conclusion

Limitations■ Hardware Limitation

■ Fixed Typing Gesture

Countermeasure

■ Random Layouts of Keyboard

■ Changing typing gestures

■ Preventing the collection of CSI

Conclusion and Future Work

■ WindTalker an interesting attack that uses the information from the physical layer to attack applications in the upper layers.

■ It is expected to have a broad potential application for password inference in mobile devices.

■ Major issue is the CSI collection module is not that reliable.

■ Due to the limitation of Intel 5300 NIC, the current WindTalker cannot work for IOS devices, which will be a part of future work.

References

[1] IEEE Std. 802.11n-2009: Enhancements for higher throughput. http://www.ieee802.org, 2009.

[2] Ali, K., Liu, A. X., Wang, W., and Shahzad, M. Keystroke recognition using wifisignals. In Proceedings of the 21st Annual International Conference on Mobile Computing and Networking (2015), ACM, pp. 90–102.

[3] Balzarotti, D., Cova, M., and Vigna, G. Clearshot: Eavesdropping on keyboard input from video. In Security and Privacy, 2008. SP 2008. IEEE Symposium on (2008), IEEE, pp. 170–183.

[4] Benko, H., Wilson, A. D., and Baudisch, P. Precise selection techniques for multi-touch screens. In Proceedings of the SIGCHI conference on Human Factors in computing systems (2006), ACM, pp. 1263–1272.

[5] Cheng, N., Wang, X., Cheng, W., Mohapatra, P., and Seneviratne, A. Characterizing privacy leakage of public wifi networks for users on travel. In INFOCOM, 2013 Proceedings IEEE (2013), IEEE, pp. 2769–2777.