WindTalker Attack Leaks User Data Using Smartphone’s WiFi Signals

November 16, 2016

3 minute read

Researchers have identified an attack known as WindTalker that leaks password, PINs and keystrokes using your smartphone’s WiFi signals.

In a combined research conducted by researchers from Shanghai Jiao Tong University, the University of Massachusetts at Boston and University of South Florida, it has been identified that our smartphones’ Wi-Fi signals can expose critically important private data including passwords, PINs and keystrokes due to a critical vulnerability.

The research is titled: “When CSI Meets Public WiFi: Inferring Your Mobile Phone Password via Wi-Fi Signals” while the attack has been labeled as WindTalker.

The research was covered by Bleeping Computer who noted that it happens because of the way “users move fingers across a phone’s touchscreen.” Researchers have explained that this movement “alters the WiFi signals transmitted by a mobile phone, causing interruptions that an attacker can intercept, analyze, and reverse engineer to accurately guess what the user has typed on his phone or in password input fields.”

It is also revealed that WindTalker can work only if and when an attacker is able to gain control of a rogue Wi-Fi access point. That’s because it enables the attacker to collect WiFi signals’ instabilities.

The attacker can identify the exact same PIN or password entered by the victim by understanding when to collect WiFi signals from the target mobile phone. Along with this, full control over the WiFi access point is also important. To accomplish this task, the attacker must know the exact moment when a PIN or password is entered by the victim.

Controlling of WiFi access point can also help an attacker to monitor user’s traffic and discover the time when a user accesses pages that require authentication information. The WindTalker attacks are usually about 68.3% accurate; however, their accuracy level may vary with the model of the smartphones. The accuracy can be enhanced by continued monitoring of what the user types; the more data collected by the attacker, the higher will be the attack’s accuracy.

Also Read: Watch out for this USB Charger, it could be Keystroke Logger

All of this is made possible by leveraging CSI/Channel State Information, which is a part of the Wi-Fi protocol that provides general information about the Wi-Fi signal’s status. When the user uses the phone’s touch screen to type text, the hand movement modifies the CSI properties of the outgoing Wi-Fi signals of the phone. The attacks can easily accumulate the changes in CSI pattern and log on to the rogue access point.

It is also possible to isolate chosen portions of CSI signal. The attacker only needs to carry out a standard signal analysis and signal processing along with guessing the characters typed by the user.

Researchers also tested WindTalker’s successfulness in a real-life situation by attempting to recover the required transaction PIN user enters to verify Alipay mobile transactions. In a majority of cases, these PINs are sent to a fixed range of IP addresses. If the attacker is able to identify it accurately, then it will be possible to start the PIN Wi-Fi signal collection procedure.

WindTalker attack was demonstrated at the 23rd ACM Conference on Computer and Communications Security in October. The conference was held in Vienna, Austria.