when csi meets public wifi: inferring your mobile phone password … 2016.pdf · 2016-11-04 ·...

When CSI Meets Public WiFi: Inferring Your Mobile Phone Password via

WiFi SignalsMengyuan Li1, Yan Meng1, Junyi Liu1, Haojin Zhu1, Xiaohui Liang2,

Yao Liu3 and Na Ruan1

1Shanghai Jiao Tong University, China2University of Massachusetts at Boston

3University of South Florida

October, 2016

1

Background

The rise of mobile payment

Alipay WeChat Bank APP2

Smart mobile devices are everywhere

Online Mobile Payment

3

Money transfer Online paymentQuick Pay

900 million users

1 trillion dollars transactions100 million transactions per day

In 2015

Alipay

Payment ProtectionsProtections of mobile payment security

Transport protocol: TLS/SSL

The packets payloads are encrypted

6-digit PasswordTrust

encryption

4

Limited password attempt times

Payment ProtectionsProtections of mobile payment security

Transport protocol: TLS/SSL

The packets payloads are encrypted

6-digit Password

Danger！encryption

5

Limited password attempt times

Password Inference

Keystroke Inference methods:Accelerometer based method: CCS 2015Acoustic based method: CCS 2014Camera based method: CCS 2014

6

ExtractDifficultTraffic

Side channel Practical！Keystroke

Their assumption cannot hold in mobile paymentscenario.

PASSWORD INFERENCE

Keystroke Inference Models:Accelerometer based method: CCS 2015Acoustic based method: CCS 2014Camera based method: CCS 2014

7

ExtractDifficultTraffic

Side channel Practical！Keystroke

Their assumption cannot hold in mobile paymentscenario.

Propose Wi-Fi based method

Channel State Information (CSI) from Wi-Fi

Specifically:

Channel State Information

CSI(Channel State Information)CSI was the channel frequency response of Wireless signals.

8

9

Wi-Fi senderWi-Fi receiver

Channel state

IEEE 802.11n/ac

Channel State Information

CSI(Channel State Information)CSI reflects the state of its transmission channel.

10

Person IndentificationWiWho Y Zeng, P Pathak, P Mohapatra (IPNS 2016)

Activity RecognitionCARM W Wang, A Liu, M Shahzad, K Ling, S Lu

(MobiCom 2015)Keystroke Recognition

WiKey K Ali, A Liu, W Wang, M Shahzad (MobiCom 2015)

Advantage: device-free, commercial equipment

Centimeters-level LocalizationChronos D Vasisht, S Kumar, D Kataba (NSDI 2016)

Existing Works about CSI Based Recognition

11

Keystroke RecognitionWiKey K Ali, A Liu, W Wang, M Shahzad (MobiCom 2015)



Centimeters-level LocalizationChronos D Vasisht, S Kumar, D Katabi (NSDI 2016)

12






Can existing works be applied to inferpayment passwords in mobile devices?



13





These works have the following shortcomings:1 Need a sender and receiver Wi-Fi devices2 Just recognize input, but have no idea what the input is.



14





These works have the following shortcomings:1 Need a sender and receiver Wi-Fi devices2 Just recognize input, but have no idea what the input is.

Not Practical


Our Design -- WindTalker

15

Feature:• One device to attack - no requirement of victim locating

between two WiFi devices;

• Identifying the sensitive input time window (e.g., passwordinput) by considering the SSL traffic and CSI flow together;

• Successfully attack AliPay, the most popular mobile paymentsystem in the world, on several smart phones.

WindTalker, a novel keystroke inference framework towards Smart Phones through WiFi Channel State Information(CSI).

OUTLINE

MotivationAttack ScenarioSystem DesignEvaluationCase StudyConclusion

16

OUTLINE


17

Change CSI collection method to get valid CSI data

Out-of-band keystroke inference(OKI) model

18

CSI COLLECTION

RX

TX

WiFi RouterKeyboard

Need deploy two Wi-Fi devices

Target locating between two devices


Out-of-band keystroke inference(OKI) model

19

CSI COLLECTION

RX

TX

WiFi RouterKeyboard

Distance is too short (e.g. 30cm)

Target locating between two devices

In-band keystroke inference(IKI) model 20

Public WiFi meets CSI – IKI model

Establish Wi-Fi connection


Hand influence– direct influence

21

Public WiFi meets CSI – IKI model

CSI - Hand motion

22

Base Station

Mobile Phone

Finger Motion

Strong Signal Weak Signal

Finger MotionAntenna

Antenna

Factors inference CSI during typing in mobile devices

WiFi signals have a similar condition.

CSI - Hand motionFactors inference CSI during typing in mobile devices

Hand coverage

Finger motion23Type in soft keyboard

CSI – Hand coverage Hand Coverage’s inference on CSI

Continuous press number 1-0 each for 5 times24

Click ‘1’ for 5 times



A CSI stream

Finger click’s inference on CSI– sharp convex

CSI – Finger motion

25

Same numbersSimilarity

Different numbersDissimilarity

Quick click’s influence on multi-path propagation

Possible


26

Possible to findfinger motion

Possible to identify finger motion

Possible


27

Possible to inferkeystroke (even

password)!

OUTLINE


28

Attack Scenario

29

Target

Hidden Devices

1m

Antennas

A public WiFi provided by attacker’s computer• OS: Linux• CPU: Inter(R) Core(TM)

i5-3317U 1.70GHz CPU

Attack Scenario

30

Target

Antennas ($20)• TDJ-2400BKC antenna

working in 2.4GHz

Attack Scenario

31

Target

Intel 5300 NIC ($5)• CSI Tools

OUTLINE


32

How to infer password using CSI?

How to enforce victim’s device to be a WiFisender?

33

Challenges

How to locate CSI segments generated by password input?

How to reduce noise in raw CSI data?

System Design

Existing system modelWindTalker System model

CSIHotspot

VictimOutput

Four Modules Four Challenges

WindTalker Schematic

34

First Challenge

CSIHotspot

VictimOutput


CSI Collection Module

35

How to enforce victim’s device to be a WiFisender?

Attacker Victim's device

ICMP based CSI Collection Module

HotspotWi-Fi Connection

36

Wi-Fi packets


ICMP based CSI Collection Module

Hotspot

37

packets Collect CSI need

enough Wi-Fi

Wi-Fi packets

CSI can be extracted from Wi-Fi packets’ preamble

ICMP Request

ICMP ReplyAttacker Victim's device

Attacker sending ICMP request in 800Hz, getting CSI data in 800Hz

ICMP based CSI Acquirement Module


38

ICMP Request

ICMP ReplyAttacker Victim's device

Can be done without victim’s awareness

ICMP based CSI Acquirement Module


39

Attacker sending ICMP request in 800Hz, getting CSI data in 800Hz

Second Challenge

CSIHotspot

VictimOutput


Sensitive Input Module

40



41


There are many keystrokes! Which 6 keystrokes are

password?


Make the system more efficient

42


Malicious WiFi hotspot


43


Malicious WiFi hotspot

Construct Sensitive IP Pool Wireshark

Third Challenge

CSIHotspot

VictimOutput


Data Preprocessing Module

44

How to reduce noise in raw CSI data?


Reducing NoiseUsing Directional Antenna

Using Omni-directional Antenna

Using Directional Antenna

Dizzy Obvious

45

Reducing NoiseLow Pass Filtering

Dimension Reduction

Principal Component Analysis (PCA) on subcarriers

Select top few projections of CSI data

Remove the noisy projections of CSI data

46

Signal Processing methods

Fourth Challenge

CSIHotspot

VictimOutput



47

How to infer password using CSI?

Password Inference Module

Keystroke Extraction

Low-pass Filter

Original Data

Smooth Data

48



Variance

Smooth Data

Choose Segments

49



Variance

Smooth Data

Extraction

50


Keystroke Recognition

Dynamic Time WarpingClassifier TrainingRecognition

51



Same NumberDTW Distance

52



Different NumberDTW Distance

53

OUTLINE


54

Classification between Different Numbers

10 Volunteers3 Types of Phone

55

Each Volunteer:Press 10 Loops

Each Loop:from 1-2-3-…-0



56





57



58

Classification Results:


Cross validation accuracy. Each times, 1loop for testing and 9 loops for training.

82% in Xiaomi, 73% in Nexus and 64% in Samsung59

Classification Results:


Possible candidates for “123456”125484215487123456……

60

* * * * * *

6-digit password is a fixed password format for Alipay, Wechat pay and many other online banks.

Use Password Candidates

Infer 6-digit password

Possible candidates for “123456”125484215487123456

……

3 Loops for training 200 passwords from ten volunteers 61

* * * * * *




Possible candidates for “123456”125484215487123456

……

3 Loops for training 200 passwords from ten volunteers 62

* * * * * *




Influence factors

Evaluation on Different Distance

63

Evaluation on Different Direction

OUTLINE


64

Case Study

65

Simulate Real-world Scenario

Click Demo to See Details

Combine Four Technical Modules

Case Study

66

Simulate Real-world Scenario

Click Demo to See Details

Combine Four Technical Modules

Case Study Results

Carry out case study 10 times:

Candidates Number

Successfully Inference

51050

100

2479

OUTLINE


67

Hardware Limitations

68

Fixed Typing GestureUser Specific Training

Limitations


69

Limitations


Hotspot

Intel 5300 NIC

Wi-Fi Connection


70

Limitations


Hotspot

Intel 5300 NIC

Wi-Fi Connection

Wi-Fi NIC Crashed!


71

Limitations

Fixed Typing GestureToo quick typeStrange hand motionDisturbance nearby


72

Limitation

Fixed Typing GestureUser Specific TrainingText CaptchasPlain content analysis

Random Layouts of Keyboard

73

Countermeasure

1 2 34 5 67 8 9

0

After typing 1 2 34 5 67 8 9

0

Random Layouts of KeyboardChange Typing Gesture

74

Countermeasure

NextClick

Random Layouts of KeyboardChange Typing GesturePreventing the collection of CSI

75

Countermeasure


Hotspot

76

Conclusion and Future WorkWe present WindTalker, a novel attack that usesphysical layer information to attack applications inthe upper layers (Encryption may not work).

It is expected to have a broad potential applicationfor password inference in mobile devices (encryptedtraffic analysis + CSI analysis should be cool).

Major issue is the CSI collection module is notreliable: using advanced tools to enhance it.

Thank you!

77

Haojin [email protected]

when csi meets public wifi: inferring your mobile phone password … 2016.pdf · 2016-11-04 ·...

Documents