A newly published attack dubbed “WiKI-Eve” has drawn attention for turning a feature of modern WiFi against smartphone users: by passively capturing the beamforming feedback a phone sends to its router, an attacker can infer the numeric keystrokes typed on that phone with accuracy approaching 90%.
The attack hinges on Beamforming Feedback Information (BFI), introduced with WiFi 5 (802.11ac) in 2013. BFI is the report a client device sends back to the router describing how the downlink channel looks from the client's antennas, so the router can steer (beamform) its transmissions toward that client and improve signal quality.
The critical issue is that this feedback travels in cleartext. The reports are sent unencrypted even on a password-protected network, so anyone in radio range can read them as they are transmitted, with no hardware tampering and no cracking of WiFi keys required.
The attack was developed by a team of researchers from universities in China and Singapore, who ran experiments to measure how much sensitive information these transmissions leak.
Their findings: individual numeric keystrokes can be identified with accuracy close to 90% (88.9% in their evaluation), and complete 6-digit numeric passwords can be recovered 85% of the time.
Even passwords typed into a real-world app (the WeChat Pay case discussed below) were recovered at roughly 66%. Note that the attack targets numeric passwords only, which matters more than it might seem: a NordPass study found that 16 of the 20 most common passwords consist solely of digits.
WiKI-Eve runs in real time during password entry, so the attacker has to be capturing while the target is interacting with the phone and logging in to the application of interest.
Before that, the attacker must single out the target's device by a network identifier such as its MAC address, which takes some preparatory groundwork.
The researchers explain how this can be done: “Eve can acquire this information beforehand by conducting visual and traffic monitoring concurrently: correlating network traffic originating from various MAC addresses with users’ behaviors should allow Eve to link Bob’s physical device to his digital traffic, thereby identifying Bob’s MAC address.”
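The correlation step described above, as an added example that is not code from the WiKI-Eve paper: frames seen from each client MAC are binned into per-second activity and correlated with the seconds during which the target was visibly using the phone. The capture, the MAC addresses and the observation windows are all constructed here; the scoring (Pearson correlation over binary activity vectors) is a simple stand-in for whatever the researchers actually used.

```python
"""Link an observed person to a MAC address by correlating traffic with behaviour.

Added example, not code from the WiKI-Eve paper. The capture and the
observation windows are constructed; the correlation method is an assumption.
"""
import math
from collections import defaultdict

DURATION_S = 60
MAC_PHONE = "aa:bb:cc:00:00:01"   # constructed addresses
MAC_TV = "aa:bb:cc:00:00:02"
MAC_LAPTOP = "aa:bb:cc:00:00:03"
# half-open [start, end) seconds when the observer saw the target typing
OBSERVED_TYPING = [(5, 9), (20, 24), (40, 44)]


def constructed_frames():
    """(timestamp_s, source_mac) pairs, as a sniffer in monitor mode might log them."""
    frames = []
    for t in range(DURATION_S):
        frames.append((t + 0.2, MAC_TV))                 # streams continuously
        if 10 <= t < 14 or 30 <= t < 34 or 50 <= t < 54:
            frames.append((t + 0.5, MAC_LAPTOP))         # busy at unrelated times
        if any(s <= t < e for s, e in OBSERVED_TYPING) or t == 57:
            frames.append((t + 0.7, MAC_PHONE))          # bursts while typing, plus one stray keepalive
    return frames


def activity_vectors(frames, duration_s):
    """Per-MAC binary vector: 1 if that MAC sent anything during that second."""
    vectors = defaultdict(lambda: [0] * duration_s)
    for ts, mac in frames:
        sec = int(ts)
        if 0 <= sec < duration_s:
            vectors[mac][sec] = 1
    return vectors


def indicator(windows, duration_s):
    """1 in every second the target was observed using the phone, else 0."""
    vec = [0] * duration_s
    for s, e in windows:
        for sec in range(max(0, s), min(e, duration_s)):
            vec[sec] = 1
    return vec


def pearson(a, b):
    """Pearson correlation; 0.0 when a vector is constant (always or never active)."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    var_a = sum((x - mean_a) ** 2 for x in a)
    var_b = sum((y - mean_b) ** 2 for y in b)
    if var_a == 0 or var_b == 0:
        return 0.0  # a device that never stops talking carries no timing signal
    return cov / math.sqrt(var_a * var_b)


def rank_candidates(frames, windows, duration_s=DURATION_S):
    """Return [(score, mac), ...], best match first."""
    target = indicator(windows, duration_s)
    vectors = activity_vectors(frames, duration_s)
    return sorted(((pearson(vec, target), mac) for mac, vec in vectors.items()), reverse=True)


if __name__ == "__main__":
    for score, mac in rank_candidates(constructed_frames(), OBSERVED_TYPING):
        print(f"{mac}  correlation={score:+.2f}")
```

The constantly streaming device illustrates why a plain frame count is the wrong metric: it sends the most traffic but carries no timing information, and the zero-variance guard scores it accordingly. Note also that current Android and iOS versions use a randomized MAC address per network; that address is stable for as long as the phone stays associated, which is all this step needs.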
In the main phase of the attack, the attacker records the victim's BFI time series during password entry with a packet capture tool such as Wireshark, running on a WiFi interface in monitor mode so that frames addressed to the router can be seen. The phone's WiFi antennas sit behind the screen, so each tap moves a finger over them and disturbs the channel; that disturbance shows up in the BFI the phone reports to the router, giving every keystroke a distinguishable signature.
The raw BFI series is awkward to work with, however, because the recorded signal blurs the boundaries between consecutive keystrokes. The researchers therefore apply a sparse recovery algorithm to reconstruct a clean, usable signal before splitting it into individual keystrokes.
A one-dimensional convolutional neural network (1-D CNN) is then trained to recognize keystrokes consistently, regardless of the victim's typing style.
A Gradient Reversal Layer (GRL) is added on top so that the model suppresses domain-specific features and learns keystroke representations that transfer across domains (different users, phones and environments) rather than fitting one setup.
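The segmentation step of the pipeline above, as an added example that is not code from the WiKI-Eve paper. The paper restores the blurred BFI stream with a sparse recovery algorithm and then classifies each window with the 1-D CNN; here a much simpler robust-threshold segmenter stands in for the recovery step so the idea is visible in a few dozen lines, and the classifier is left out. The input is a constructed scalar series (think of one compressed-beamforming angle per captured report) with three taps injected at known positions, not a real capture; the sample rate is an assumption.

```python
"""Split a BFI-derived time series into candidate keystroke windows.

Added example, not code from the WiKI-Eve paper. The series is constructed and
the median/MAD thresholding stands in for the paper's sparse recovery step.
"""
import math
from statistics import median

SAMPLE_RATE_HZ = 100               # assumed report rate; the real rate depends on the AP
KEYSTROKE_STARTS = (40, 130, 220)  # sample indices where the constructed taps begin
KEYSTROKE_LEN = 30                 # samples per constructed tap


def make_sample_series(n=300):
    """Constructed data: low-level noise plus three keystroke bursts.

    Each burst has two lobes with a quiet dip between them, mimicking the
    blurred keystroke boundaries the researchers describe.
    """
    series = []
    for i in range(n):
        # deterministic pseudo-noise, uniform-ish in [-0.03, 0.03]
        value = 0.03 * (((i * 7919) % 101) / 50.0 - 1.0)
        for start in KEYSTROKE_STARTS:
            t = i - start
            if 0 <= t < KEYSTROKE_LEN:
                lobe = abs(math.sin(math.pi * t / (KEYSTROKE_LEN / 2)))
                value += 0.8 * max(0.0, lobe - 0.25)  # dips to zero between the lobes
        series.append(value)
    return series


def segment_keystrokes(series, k=6.0, min_len=5, merge_gap=5):
    """Return half-open (start, end) sample ranges that look like keystrokes.

    Baseline and scale come from the median and the median absolute deviation
    (MAD), which the bursts themselves barely move, unlike mean and std.
    """
    baseline = median(series)
    deviations = [abs(x - baseline) for x in series]
    mad = max(median(deviations), 1e-9)
    threshold = k * mad

    # 1. raw runs of samples that deviate from the idle baseline
    runs, start = [], None
    for i, d in enumerate(deviations):
        if d > threshold and start is None:
            start = i
        elif d <= threshold and start is not None:
            runs.append((start, i))
            start = None
    if start is not None:
        runs.append((start, len(series)))

    # 2. merge runs separated by only a short quiet gap: one finger movement
    #    often shows up as two or more fragments
    merged = []
    for s, e in runs:
        if merged and s - merged[-1][1] <= merge_gap:
            merged[-1] = (merged[-1][0], e)
        else:
            merged.append((s, e))

    # 3. discard isolated spikes too brief to be a finger movement
    return [(s, e) for s, e in merged if e - s >= min_len]


def segment_durations_ms(segments, rate_hz=SAMPLE_RATE_HZ):
    """Convert sample ranges to durations in milliseconds."""
    return [1000.0 * (e - s) / rate_hz for s, e in segments]


if __name__ == "__main__":
    series = make_sample_series()
    segments = segment_keystrokes(series)
    for (s, e), ms in zip(segments, segment_durations_ms(segments)):
        print(f"keystroke candidate: samples {s}-{e} ({ms:.0f} ms)")
    # a six-digit PIN should yield six such windows before classification
```

The merge step is the part that matters for the blurring problem: without it, each constructed tap comes out as two fragments and a six-digit PIN would be segmented into roughly twelve windows, which no classifier can recover from.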
The researchers ran WiKI-Eve from a laptop using Wireshark, and note that a smartphone could serve as the attacking device too, though it may support fewer WiFi protocols.
The captured data was analyzed in MATLAB and Python, with the segmentation parameters tuned for best results.
Experiments with twenty participants, covering different phone models, passwords, background apps and typing speeds, across six locations connected to the same WiFi access point, gave worrying results.
With sparse recovery and domain adaptation, WiKI-Eve classified individual keystrokes with 88.9% accuracy. Six-digit numeric passwords were inferred with an 85% success rate in fewer than a hundred attempts, and accuracy never dropped below 75% in any test environment.
The distance between the attacker and the access point mattered: moving from 1 m to 10 m away reduced successful guesses by 23%.
In a realistic end-to-end scenario, the researchers targeted WeChat Pay passwords and recovered them 65.8% of the time.
The research shows how much sensitive information an adversary can extract without compromising the access point at all, which argues for stronger defenses in both WiFi access points and smartphone apps.
Suggested countermeasures include keyboard randomization (shuffling the keypad layout so the same finger position no longer maps to the same digit), encrypting the feedback traffic, signal obfuscation, CSI scrambling, WiFi channel scrambling, and more.