- Jan 24, 2011
The way a user moves a finger across a phone's touchscreen alters the WiFi signals the phone transmits, causing disturbances that an attacker can intercept, analyze, and reverse engineer to accurately guess what the user typed on the phone, including in password input fields.
This type of attack, nicknamed WindTalker, is only possible when the attacker controls a rogue WiFi access point to collect WiFi signal disturbances.
Control over the WiFi access point is also imperative because the attacker must know when to collect WiFi signals from the victim, in order to capture the exact moment the target enters a PIN or password.
The attacker can achieve this by using their control of the access point to sniff the user's traffic and detect when the user is accessing pages with authentication forms.
The attack sounds futuristic, but it actually leverages a standard WiFi measurement called CSI (Channel State Information). CSI is part of the WiFi protocol, and it describes the current state of the wireless channel between the two radios.
Because the user's finger moves across the smartphone while typing, the hand alters the CSI of the phone's outgoing WiFi signals, which the attacker can collect and log at the rogue access point.
WindTalker attack has a 68%+ accuracy
By performing basic signal analysis and signal processing, an attacker can isolate the portions of the CSI stream that correspond to keystrokes and guess the characters a user has typed with an average accuracy of 68.3%.
WindTalker's accuracy varies across smartphone models, but it improves the more the user types and the more data the attacker collects.
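A constructed illustration, added here and not taken from the article or from the WindTalker researchers, of the "basic signal processing" step: a synthetic CSI amplitude trace in which each finger motion shows up as a short dip, which is then smoothed and segmented into keystroke windows. The sample rate, dip shape, noise level and thresholds are all assumptions, and no real CSI capture is involved.

```python
import math
import random

SAMPLE_RATE = 100  # samples per second; an assumption for the constructed trace


def synth_csi_trace(keystroke_times, seconds=3.0, seed=1):
    """Constructed CSI amplitude trace: a flat baseline plus Gaussian noise,
    with a ~0.1 s dip around each keystroke (finger motion perturbing the channel)."""
    rng = random.Random(seed)
    trace = []
    for i in range(int(seconds * SAMPLE_RATE)):
        t = i / SAMPLE_RATE
        v = 1.0 + rng.gauss(0, 0.02)
        for k in keystroke_times:
            v -= 0.3 * math.exp(-((t - k) / 0.05) ** 2)
        trace.append(v)
    return trace


def moving_average(x, window):
    """Trailing moving average: the simplest low-pass filter for CSI noise."""
    out = []
    for i in range(len(x)):
        lo = max(0, i - window + 1)
        out.append(sum(x[lo:i + 1]) / (i + 1 - lo))
    return out


def segment_keystrokes(trace, threshold=0.1, smooth=5):
    """Return (start_s, end_s) windows in which the smoothed amplitude drops
    more than `threshold` below the median baseline. A window closes only
    once the drop falls back under threshold / 2 (hysteresis against flicker)."""
    smoothed = moving_average(trace, smooth)
    baseline = sorted(smoothed)[len(smoothed) // 2]
    windows, start = [], None
    for i, v in enumerate(smoothed):
        drop = baseline - v
        if start is None and drop > threshold:
            start = i
        elif start is not None and drop < threshold / 2:
            windows.append((start / SAMPLE_RATE, i / SAMPLE_RATE))
            start = None
    if start is not None:
        windows.append((start / SAMPLE_RATE, len(smoothed) / SAMPLE_RATE))
    return windows


if __name__ == "__main__":
    for w in segment_keystrokes(synth_csi_trace([0.5, 1.2, 2.1])):
        print("keystroke window: %.2f-%.2f s" % w)
```

The point for defenders is that even crude thresholding recovers keystroke timing once the capture window is known, which is why the rogue access point's traffic sniffing matters as much as the CSI data itself.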
Read more: Smartphone WiFi Signals Can Leak Your Keystrokes, Passwords, and PINs