Cybercriminals can't ascertain your phone password just from a Wi-Fi signal, but they can come close, according to a recent research paper. Researchers have demonstrated a method that uses Wi-Fi signals to infer numerical passwords, and the mechanics behind it are nothing short of intriguing.
Side-channel attacks often remind me of James Bond-like espionage. So does a research paper that is to appear at ACM CCS later this year. The attack leverages something called Beamforming Information (BFI), which is essentially a set of navigation instructions that guide your phone in sending data to an access point. These instructions are updated periodically to account for the phone moving or obstacles appearing.
Here is the kicker: when you type on your phone's screen, it directly affects the Wi-Fi antenna located behind the screen. So does the way you hold your phone. As a result, the BFI signal carries enough information about how you hold the phone and type to capture your keystrokes. So what is the best part? Attackers do not even need to hack into your Wi-Fi, which is increasingly protected by evolving hardware and software configurations.
Inferring passwords is not straightforward. Unlike natural languages, which have a linguistic structure that generative AI like ChatGPT can analyze, passwords lack such structure. The inference relies on independent keystroke features or transition features between two keystrokes (e.g., the time it took to move from one key to another). BFI signals are also sparse and sporadic, making the task even more challenging.
The Results
After extensive evaluations, the researchers found that their method, dubbed WiKI-Eve, achieves an 88.9% accuracy rate for identifying single numerical keys and an 85.0% top-100 accuracy for inferring a six-digit numerical password. While this may not be a realistic attack vector at the moment, it is worth noting that six-digit codes are often used in multi-factor authentication (MFA).
This Wi-Fi-based attack is not an isolated case. Researchers are aware of other side-channel attacks involving radio frequency, acoustics, vision, motion sensors, and electromagnetic emission. However, few are as covert and easily executable as this Wi-Fi-based method. Attackers could simply sit in a café somewhere near you and run the attack from their smartphone.
The Takeaway
Of course, a six-digit password is not something people should be using, and your organization’s password policy should not allow these kinds of passwords in the first place. We recommend using passphrases or, preferably, password managers that give you randomized passwords with at least eight characters. On top of that, you should also use phishing-resistant MFA.
Security awareness training plays a crucial role in educating your employees about password best practices. It educates staff on the risks of weak passwords and provides guidelines for creating strong, complex passwords. The training also covers the use of password managers, multi-factor authentication for added security, and how to spot password phishing attempts.