Mobile devices and apps play a growing role in user identification, but password theft, like identity theft, can be carried out through a range of eavesdropping attacks, including stealthy indirect ones that use side channels.
Indirect attacks that use side channels (acoustic, electromagnetic, etc.) pose a higher risk because they infer passwords stealthily, without needing to see the target screen.
Cybersecurity researchers from the following universities recently unveiled a new exploit, dubbed “WiKI-Eve”, to steal Wi-Fi passwords by eavesdropping on keystrokes:
Jingyang Hu (Hunan University, China)
Hongbo Wang (Nanyang Technological University, Singapore)
Jingzhi Hu (Nanyang Technological University, Singapore)
Zhe Chen (Fudan University, China)
Hongbo Jiang (Hunan University, China)
Jun Luo (Nanyang Technological University, Singapore)
Wi-Fi Passwords by Eavesdropping
Wi-Fi CSI (channel state information), unique among side channels, can be used to infer keystrokes for password theft, although doing so poses data deficit challenges. That’s why the researchers proposed WiKI-Eve, which steals numerical passwords through variations in BFI (beamforming feedback information).
The analysts used BFI over Wi-Fi, which avoids hardware hacking, and employed deep learning with adversarial training for keystroke inference (KI) in WiKI-Eve, which keeps the attack practical with limited data and addresses the data deficiency.
There are two CSI-based KI methods:
In-band KI (IKI)
Out-of-band KI (OKI)
Security analysts used a laptop (Acer TravelMate with Intel AX210 Wi-Fi NIC) in their experiments due to Android limitations. They captured BFIs with Wireshark in monitor mode, analyzed them using Matlab and Python with PyTorch, and publicly shared their data and preprocessing code online.
The analysts evaluate WiKI-Eve using keystroke classification accuracy and top-𝑁 password inference accuracy. Keystroke accuracy measures the share of keystrokes classified correctly, while top-𝑁 accuracy checks whether the true password is among the 𝑁 most probable candidate passwords.
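The two metrics described above, as an added example (not the researchers' published code). It assumes the classifier outputs a probability per key for each keystroke and that candidate passwords are ranked by the product of those probabilities; the function names and sample values are constructed for illustration.

```python
import heapq
from math import log

def top_n_passwords(probs, n):
    """n most probable key sequences, best first. Assumption: keystrokes are
    scored independently, so a candidate's probability is the product."""
    # Per position: keys sorted by descending probability, zeros dropped.
    ranked = [sorted(((k, v) for k, v in p.items() if v > 0),
                     key=lambda kv: -kv[1]) for p in probs]
    if not all(ranked):
        return []
    def cost(idx):  # negative log-probability; lower is more likely
        return -sum(log(ranked[i][j][1]) for i, j in enumerate(idx))
    start = (0,) * len(ranked)
    heap, seen, out = [(cost(start), start)], {start}, []
    while heap and len(out) < n:
        _, idx = heapq.heappop(heap)
        out.append("".join(ranked[i][j][0] for i, j in enumerate(idx)))
        for i in range(len(idx)):  # successors: demote one position by one rank
            nxt = idx[:i] + (idx[i] + 1,) + idx[i + 1:]
            if nxt[i] < len(ranked[i]) and nxt not in seen:
                seen.add(nxt)
                heapq.heappush(heap, (cost(nxt), nxt))
    return out

def keystroke_accuracy(all_probs, truths):
    """Fraction of individual keystrokes whose most probable key is correct."""
    pairs = [(p, key) for probs, truth in zip(all_probs, truths)
             for p, key in zip(probs, truth)]
    return sum(max(p, key=p.get) == key for p, key in pairs) / len(pairs)

def top_n_accuracy(all_probs, truths, n):
    """Fraction of passwords found among their own top-n candidates."""
    hits = sum(t in top_n_passwords(p, n) for p, t in zip(all_probs, truths))
    return hits / len(truths)

# Constructed sample: classifier output for two 3-digit entries (not real data).
TRUTHS = ["147", "369"]
SAMPLES = [
    [{"1": 0.7, "2": 0.2, "4": 0.1}, {"4": 0.4, "5": 0.5, "7": 0.1}, {"7": 0.8, "8": 0.2}],
    [{"3": 0.6, "6": 0.4}, {"6": 0.9, "9": 0.1}, {"9": 0.3, "6": 0.5, "8": 0.2}],
]

if __name__ == "__main__":
    print("keystroke accuracy:", round(keystroke_accuracy(SAMPLES, TRUTHS), 3))
    for n in (1, 2, 3):
        print(f"top-{n} accuracy:", top_n_accuracy(SAMPLES, TRUTHS, n))
```

In the constructed sample each password has one misclassified keystroke, so top-1 accuracy is zero even though most keystrokes are right, and the true password reappears once a few candidates are allowed.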
Experts first demonstrate WiKI-Eve’s building blocks with micro-benchmarks, then evaluate overall performance and practical factors. Real-world experiments show WiKI-Eve stealing WeChat Pay passwords and its application to QWERTY keyboards.
To demonstrate WiKI-Eve’s practicality, they perform a real-world experiment in which Eve stealthily steals the WeChat Pay password of Bob (the victim) while he makes a transaction using an iPhone 13 in a 5m × 8m conference room, with Eve eavesdropping from 3m away.
Encrypting data traffic is a direct defense against WiKI-Eve, but it can complicate systems with high user dynamics. Keyboard randomization, an indirect defense, shifts the complexity to users but can inconvenience those relying on muscle memory for password entry.
WiKI-Eve, a versatile Wi-Fi KI attack, requires no hacking or specialized hardware, offering broad applicability. Its adversarial learning generalizes to unseen domains.