A team of university researchers in China and Singapore have discovered a new attack method called “WiKI-Eve”, which allows the theft of Wi-Fi passwords through keystroke eavesdropping without the need for hacking.
The WiKI-Eve attack intercepts the cleartext transmissions of smartphones that connect to modern Wi-Fi routers and deduces individual numeric keystrokes, thus detecting the password.
This attack only works on numerical passwords. According to the security researchers who have discovered this threat, the WiKI-Eve has an accuracy rate of up to 90%, allowing numerical passwords to be stolen.
WiKI-Eve exploits a new feature, BFI (beamforming feedback information), which debuted in Wi-Fi 5 (802.11ac) in 2013. BFI allows Wi-Fi devices to send feedback about their position to routers so that they can improve their signal accuracy to that location.
However, the drawback is that BFI sends information from a smartphone to an access point (AP) in clear text, which can easily be intercepted and collected by any other Wi-Fi devices in monitor mode without the need for hardware hacking or cracking an encryption key.
The WiKI-Eve attack is devised to intercept Wi-Fi signals during password entry in real time. The attacker needs to identify the target using an identity indicator, such as a MAC address, which can be done by monitoring network traffic and correlating it with the user’s behavior.
After this, while the victim is actively using the smartphone, the attacker intercepts the victim’s BFI time series during password entry using a monitoring tool and launches the WiKi-Eve attack. Each keystroke impacts the Wi-Fi antennas, creating a unique Wi-Fi signal that can be analyzed.
To conduct an extensive evaluation of WiKI-Eve, researchers tested the method on various smartphone models and in different environments and got impressive results. They found that the WiKI-Eve attack can decipher 6-digit numerical passwords with an accuracy of 85% in less than 100 attempts. However, the success rate of password inference accuracy decreases by about 23% when the distance between the attacker and the access point increases from 1m to 10m.
The researchers also found that WiKI-Eve achieved a keystroke classification accuracy of 88.9% for individual keystrokes and up to 65.8% top-10 accuracy for stealing passwords of mobile applications (e.g., WeChat).
In order to protect yourself from a possible WiKI-Eve attack, the researchers have suggested potential solutions such as keyboard randomization, signal obfuscation, encryption of data traffic, CSI scrambling, Wi-Fi channel scrambling, and more.
