Hacking Without Hacking
A Wi-Fi exploit called WiKI-Eve can steal passwords transmitted over a network with no need for specialized hardware or compromised devices.
Side-channel attacks are a class of security threats that exploit unintentional information leakage from digital devices to extract sensitive data, such as passwords and cryptographic keys. These attacks do not typically target software vulnerabilities or attempt to break encryption directly. Instead, they focus on analyzing the physical or electromagnetic side-effects of a device's operation.
This means that even devices with strong encryption and software security can be compromised through side-channel techniques. What makes them especially insidious is their stealthy nature; they often leave no trace of intrusion and are difficult to detect using conventional security mechanisms.
One of the most notable side-channel attacks to be discovered in recent years is the channel state information (CSI) exploit of Wi-Fi networks. This attack leverages the fact that the channel state is impacted when the Wi-Fi antenna is disturbed by the vibrations induced by a user’s fingers as they type on the screen of a smartphone or the keyboard of a laptop. However, this attack has one major issue that has allowed most networks to remain safe — CSI exploits require the attacker to introduce a rogue Wi-Fi router into the network.
For better or worse, a similar exploit has recently been described by a team of security researchers at Nanyang Technological University and Hunan University. But unlike the CSI exploit, this time no compromised Wi-Fi router is required. The attack is completely transparent, and has been demonstrated to be capable of stealing passwords with a fairly high degree of accuracy — as long as the passwords are numeric, that is.
Called WiKI-Eve, the attack leverages the beamforming feedback information (BFI) packets that were introduced with the Wi-Fi 5 standard. These packets, designed to help the access point steer its signal toward a connected device, do not contain all of the information that is in a CSI packet. But they do contain enough information to help determine the ways in which the antenna of a connected device is disturbed. That makes them a prime data source for deciphering keystrokes.
Best of all (from the perspective of an attacker, at least), BFI packets are transmitted in clear text. Accordingly, one only needs to put a device in monitor mode to sniff out these packets. By filtering the packets by IP address, a specific user can be targeted. Of course, that leaves the nontrivial matter of deciphering this data to be dealt with.
Recognizing that the problem of deciphering any possible keystroke was a huge challenge, the team decided to start smaller. Focusing on decoding only numeric passwords to reduce the scope of the problem, the team built a deep learning model and trained it to recognize the distinct signature associated with tapping each digit on a smartphone screen.
To test their methods, the researchers put the Wi-Fi radio on a laptop into monitor mode, then used the Wireshark packet analyzer to capture BFI packets. A neural network constructed with PyTorch then analyzed the data to predict keystrokes. A cohort of 20 individuals was recruited to type predefined password sequences (of four to eight digits) into a variety of smartphone models. WiKI-Eve was shown to predict the correct keystroke 88.9% of the time, on average. The top-10 accuracy rate for recovering full passwords was found to be 65.8%.
While the accuracy of WiKI-Eve leaves something to be desired, and on a constrained problem at that, the attack is still very concerning. This is the first reported exploit that can capture keystrokes with no need for specialized hardware or any other hacking. And since it is likely that these techniques will improve over time, perhaps by training machine learning models on larger datasets, WiKI-Eve is something that we should all be aware of.