Can Someone Guess My Password From the Wi-Fi Signal On My Phone?



Cybercriminals cannot determine your phone's password from a Wi-Fi signal alone, but a method described in a recent research paper comes surprisingly close. Researchers have demonstrated a technique that uses Wi-Fi signals to infer numerical passwords, and the mechanics behind it are nothing short of intriguing.

Side-channel attacks often remind me of James Bond-like espionage. So does a research paper that is to appear at ACM CCS later this year. The attack leverages something called Beamforming Information (BFI), which are essentially navigation instructions that guide your phone in sending data to an access point. These instructions are updated periodically to account for the phone moving or obstacles appearing.

Here is the kicker: typing on your phone's screen directly affects the Wi-Fi antenna located behind it, because of the way you hold the phone. As a result, the BFI carries enough information about your grip and your typing motions to capture your keystrokes. And the best part for the attacker? They do not even need to break into your Wi-Fi network, which is increasingly well protected by evolving hardware and software configurations.

Inferring passwords is not straightforward. Unlike natural language, which has a linguistic structure that generative AI such as ChatGPT can exploit, passwords lack such structure. The inference therefore relies on independent keystroke features or on transition features between two keystrokes (e.g., the time it takes to move from one key to another). BFI signals are also sparse and sporadic, making the task even harder.

The Results

After extensive evaluations, the researchers found that their method, dubbed WiKI-Eve, achieves an 88.9% accuracy rate for identifying single numerical keys and an 85.0% top-100 accuracy for inferring a six-digit numerical password. While this may not be a realistic attack vector at the moment, it is worth noting that six-digit codes are often used in multi-factor authentication (MFA).

This Wi-Fi-based attack is not an isolated case. Researchers know of other side-channel attacks that exploit radio frequency, acoustics, vision, motion sensors and electromagnetic emissions. However, few are as covert and as easy to execute as this Wi-Fi-based method: an attacker could simply sit in a café near you and run it from a smartphone.

The Takeaway

Of course, a six-digit password is not something anyone should be using, and your organization's password policy should not allow these kinds of passwords in the first place. We recommend passphrases or, preferably, password managers that generate randomized passwords of at least eight characters. On top of that, you should also use phishing-resistant MFA.
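As an added example (not from the post or the research paper), here is a Python check that enforces the policy just described: reject all-numeric passwords and anything under eight characters, and estimate the keyspace so a six-digit PIN can be compared with an eight-character random password. The character-class pool sizes and the bit estimate are illustrative assumptions, not a standard.

```python
import math
import string

# Policy from the post: no all-numeric passwords (the six-digit PIN is the
# case the attack targets) and at least eight characters. The constant is
# the post's number; everything else below is an illustrative assumption.
MIN_LENGTH = 8


def estimate_bits(password: str) -> float:
    """Rough keyspace estimate in bits from the character classes present.

    Assumes each character was drawn uniformly from the union of the classes
    used, so this is an optimistic upper bound for human-chosen passwords and
    a fair estimate for password-manager output.
    """
    pool = 0
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.punctuation or c.isspace() for c in password):
        pool += 33  # 32 ASCII punctuation characters plus space
    return len(password) * math.log2(pool) if pool else 0.0


def check_policy(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        problems.append("all numeric (a PIN, not a password)")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: a six-digit PIN, an eight-digit PIN, a passphrase.
    for candidate in ("123456", "12345678", "correct horse battery staple"):
        verdict = check_policy(candidate) or ["accepted"]
        print(f"{candidate!r}: {estimate_bits(candidate):.1f} bits, {verdict}")
```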

Security awareness training plays a crucial role here. It teaches staff about the risks of weak passwords and provides guidelines for creating strong, complex passwords, and it also covers the use of password managers, multi-factor authentication for added security, and how to spot password-phishing attempts.


E-Book: What Your Password Policy Should Be

In this e-book, Roger A. Grimes, KnowBe4’s Data-Driven Defense Evangelist, details the pros and cons of password use. Roger explains how the implementation of supporting frameworks, such as MFA and password managers, can help you keep your organization locked down.

Download this e-book to learn:

  • What tactics bad actors use to hack passwords (and how to avoid them)
  • The pros and cons of password managers and multi-factor authentication and how they impact your risk
  • How to craft a secure password policy that addresses the most common methods of password attack
  • How to empower your end users to become your best last line of defense

Download the e-book: https://info.knowbe4.com/wp-password-policy-should-be
