It is theoretically possible to accurately detect keystrokes using the Wi-Fi signals from a plain router, scientists from Michigan State University and the Nanjing University in China have discovered.
Researchers say that in environments with minimal signal interference, an attacker could use the disruptions in the router’s WiFi signals to detect the keys a man presses on his laptop and use this data to steal his passwords.
This is not a science fiction scenario because scientists have demoed technologies in the past where they used Wi-Fi signals to detect a person’s presence and movements in a room.
Wi-Fi signals have also been used to read hand gestures and lip movements in the past, so the accuracy of Wi-Fi signals is well established in scientific circles.
WiKey attack uses off-the-shelf equipment
For their experiment, called WiKey, researchers used off-the-shelf equipment, such as a TP-Link TL-WR1043ND WiFi router and a Lenovo X200 laptop.
In order to collect the tiny shifts in Wi-Fi signals, researchers used the router’s MIMO (Multiple-Input and Multiple-Output) capabilities, which refer to a set of functions that allow each of the antennas to send multiple Wi-Fi signals on the same radio channel.
Researchers used these multiple Wi-Fi signals like a scanner and swept the room to create a map of the environment. Because of this, WiKey only works in rooms with minimal movement and little to none human presence.
WiKey uses tiny shifts in Wi-Fi signals to detect key presses
When a person would stand in front of the laptop and start typing, WiKey would be able to pick up disruptions in the Wi-Fi signals caused by the tiny shift of the user’s hands, fingers and keys.
“[W]hile typing a certain key, the hands and fingers of a user move in a unique formation and direction and thus generate a unique pattern in the time-series of Channel State Information (CSI) values, which we call CSI-waveform for that key,” the researchers explained.
The team says that by training a special computer algorithm, their program would be able to detect which key presses are for what keys, and eventually be able to recover text entered on the laptop.
Accuracy varies from 77% to 97.5%
In an environment with little movement and a slow-typing user, the system’s accuracy was 97.5 percent. In a real world scenario, with Wi-Fi field disruptions and a faster-typing user, the system’s accuracy was between 77.43 percent (30 training samples) and 93.47 percent (80 training samples).
In spite of the lower precision, many threat actors would be more than happy to know three-quarters of your password.
Another downside of this attack is that in a real-world scenario, an attacker would need time to train WiKey before being able to steal a target’s passwords. Additionally, placing 2-3 persons with a laptop near each other renders the attack useless, WiKey not being able to distinguish between targets.
The research paper titled Keystroke Recognition Using WiFi Signals by Kamran Ali, Alex X. Liu, Wei Wang, and Muhammad Shahzad is available for download.
