How to snoop on passwords with this one weird trick (involving public Wi-Fi signals)

Some smart cookies at institutions in China and Singapore have devised a technique for reading keystrokes and pilfering passwords or passcodes from Wi-Fi-connected mobile devices on public networks, without any hardware hacking. The technique is made possible thanks to beamforming feedback information (BFI), which consists of …

  1. Anonymous Coward

    So, this is a fancier version of what is achieved by using a microphone to listen to the noise of your target's keyboard, and using the differing key sounds to infer the keys pressed. I've got to say, I'm impressed.

    1. Anonymous Coward

      In one respect impressive, in another..... they've got an 85% chance of correctly getting your pass code if it's numeric and if you're on an unencrypted connection and if you're close enough to the AP and of course they've got to know that what you're typing is a pass code and not playing a game or typing a note or....

      Or have I missed something?

      1. Blazde Silver badge

        Guessing a password serves as a proof-of-concept. It's creepy enough that the beam information can tell anyone in range of the AP where your finger is at all. I wonder what the chance is of correctly guessing whether someone's picking their nose?

  2. b0llchit Silver badge

    Famous last words

    Will this research result in actual practical attacks? We're willing to bet no...

    These are the famous last words when somebody uses it in a practical setting, probably combined with other practices, and causes a world-wide panic.

    1. DS999 Silver badge

      Re: Famous last words

      The definition of practical attack for some criminal trying to steal from people in an airport or Starbucks is different from that of the CIA, FSB, Mossad, whatever China's equivalent is called and so forth. It may be wildly impractical and unreliable, but if they can get it to work just once to help reveal some critical state secret of a foreign national it is still worth it to them.

      1. martinusher Silver badge

        Re: Famous last words

        >but if they can get it to work just once to help reveal some critical state secret of a foreign national it is still worth it to them.

        I suppose that officials are always sending a "critical state secret" using their smartphone over an unsecured WiFi connection? (Hint -- if someone was then the quality of the information would be doubtful at best)(Another hint -- "Pegasus")

        1. DS999 Silver badge

          Re: Famous last words

          You don't get the secret directly that way, but most intelligence isn't getting secrets directly. They gain scraps of information that can be leveraged to gain other scraps, and so forth. Maybe they communicate with someone with the code name of a double agent they are handling and it is someone your country really wants to stop because he's giving away all your secrets. Now you know that guy and the spy are linked so if you follow him long enough you find out who the double agent is and you can give him a polonium cocktail.

        2. Claptrap314 Silver badge
          Facepalm

          Re: Famous last words

          Depends. Is their last name "Clinton"? "Trump"? I'm not remembering the others very well.

  3. katrinab Silver badge
    Meh

    Surely passwords usually get transmitted as a single packet when you tap the login button rather than as individual keystrokes? Which would make this technique useless?

    And most of the time, you don't actually type them in, you load them in from your keychain / password manager?

    1. Anonymous Coward

      This attack isn't listening for that packet. It's looking for interference in other packets caused by your fingers on the phone screen, then making an educated guess at where on the screen your finger is.

    2. Graham Cobb

      > And most of the time, you don't actually type them in, you load them in from your keychain / password manager?

      My first thought as well. If I am actually typing a password in an airport I am likely to be taking a lot more precautions. I will add "waving my phone about and moving around while doing it" to the list.

      I guess that it does apply to the password for the password manager, though. Although that would require the hacker to then steal the phone as well in order to be able to use it.

      1. katrinab Silver badge
        Gimp

        Apple Keychain uses TouchID/FaceID, so I don't need to worry about that. I'm pretty sure Google's password manager is the same on Android.

  4. IGotOut Silver badge

    So 85% accuracy..

    .... probably in a very controlled and quiet lab.

    Chuck in noise and different key layouts (after all, an iPhone keypad layout is different to a Samsung, a Samsung different to a Motorola, a Motorola different to a Huawei, Dave's Huawei different to Bob's Huawei... and on and on). Throw in typos, corrections and autocomplete.

    Add all this in and you're going to be somewhere around 0%.

    1. Peter Gathercole Silver badge

      Re: So 85% accuracy..

      And me using Graffiti (it's in the Google Play store, for all you ex-Palm users) will probably confuse it greatly!

      1. MatthewSt Silver badge

        Re: So 85% accuracy..

        Or Dvorak...

    2. Version 1.0 Silver badge
      Pirate

      Re: So 85% accuracy..

      So maybe try a password like M E R D E and then delete, delete, delete, delete, delete, S H I T - see how that gets recorded and if they think you are using a 14 character password.

  5. Charlie Clark Silver badge

    Just another reason not to use unencrypted wifi.

    In many countries it's now also illegal to provide unencrypted wifi services for customers. In your own home, of course, you can do whatever you want.

    1. PRR Silver badge

      Re: Just another reason not to use unencrypted wifi.

      > ....unencrypted wifi services for customers. In your own home, of course, you can do whatever you want.

      Yes, you'd think. And living way out in the woods with a big dog to announce/attack visitors, I prefer no login/encryption.

      (yes, Jimmi could rig a Pringles-cantenna and eavesdrop, but no he can't-- I know my neighbors.)

      In fact the off-brand (Sagemcom) WiFi that Spectrum gaveXXX rents me does not have any no-encrypt option.

  6. Anonymous Coward

    Mitigations

    So it's detecting the movement of your finger to try to infer the password. Easy mitigations:

    1. Use a password manager that's unlocked via fingerprint. At best, they can see what you typed into the search box to guess what you're trying to connect to.

    2. Wave your finger around a bit more when entering passwords.

    3. Don't use public wifi to connect to anything secure. Like we've been told for years.
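As an added illustration of the points made in this thread (what the attack actually observes per keystroke, how noise drags the 85% figure towards chance, and why a different or changing key layout breaks it), here is a constructed Python toy model. It is not the researchers' code and says nothing about how BFI is processed: the "channel feature" the attacker sees is simply the finger's screen coordinate plus Gaussian noise, the pad is a standard phone keypad on a unit grid, and the attacker uses a nearest-key guess. The names, layouts and noise levels are all assumptions made for the example.

```python
"""Toy model of a finger-position side channel against an on-screen PIN pad.

Constructed for this comment thread, not the researchers' code.  The
"observation" the attacker gets for each keystroke is just the touch
coordinate plus Gaussian noise of width `sigma`; it stands in for whatever
perturbation an attacker extracts from the Wi-Fi signal.  Nothing here
models a real radio channel.
"""
import random
import secrets
from typing import Dict, List, Sequence, Tuple

DIGITS = "0123456789"

# Standard phone keypad laid out on a unit grid: (column, row).
FIXED_LAYOUT: Dict[str, Tuple[float, float]] = {
    "1": (0, 0), "2": (1, 0), "3": (2, 0),
    "4": (0, 1), "5": (1, 1), "6": (2, 1),
    "7": (0, 2), "8": (1, 2), "9": (2, 2),
    "0": (1, 3),
}


def shuffled_layout(rng=None) -> Dict[str, Tuple[float, float]]:
    """Mitigation: same ten key positions, digits assigned in a fresh random
    order.  Uses the OS CSPRNG unless a seeded rng is supplied (tests)."""
    rng = rng or secrets.SystemRandom()
    digits = list(DIGITS)
    rng.shuffle(digits)
    return dict(zip(digits, FIXED_LAYOUT.values()))


def observe(pin: str, layout: Dict[str, Tuple[float, float]],
            sigma: float, rng: random.Random) -> List[Tuple[float, float]]:
    """Victim types `pin` on `layout`; attacker sees one noisy point per key."""
    return [(layout[d][0] + rng.gauss(0, sigma), layout[d][1] + rng.gauss(0, sigma))
            for d in pin]


def classify(point: Tuple[float, float],
             assumed_layout: Dict[str, Tuple[float, float]]) -> str:
    """Nearest-key guess under the layout the attacker *assumes* the victim uses."""
    px, py = point
    return min(assumed_layout,
               key=lambda d: (px - assumed_layout[d][0]) ** 2 + (py - assumed_layout[d][1]) ** 2)


def recover_pin(observations: Sequence[Tuple[float, float]],
                assumed_layout: Dict[str, Tuple[float, float]]) -> str:
    return "".join(classify(p, assumed_layout) for p in observations)


def keystroke_accuracy(sigma: float, trials: int = 2000, seed: int = 1,
                       randomise_layout: bool = False) -> float:
    """Fraction of single keystrokes the attacker gets right.  The attacker
    always assumes FIXED_LAYOUT; with randomise_layout the victim's pad is
    reshuffled for every keystroke, so position no longer reveals the digit."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        digit = rng.choice(DIGITS)
        layout = shuffled_layout(rng) if randomise_layout else FIXED_LAYOUT
        hits += recover_pin(observe(digit, layout, sigma, rng), FIXED_LAYOUT) == digit
    return hits / trials


def pin_recovery_rate(sigma: float, pin_len: int = 4, trials: int = 1000,
                      seed: int = 1) -> float:
    """Fraction of whole PINs recovered: every digit has to be right."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        pin = "".join(rng.choice(DIGITS) for _ in range(pin_len))
        hits += recover_pin(observe(pin, FIXED_LAYOUT, sigma, rng), FIXED_LAYOUT) == pin
    return hits / trials


if __name__ == "__main__":
    print("sigma  per-key  4-digit PIN   (fixed layout)")
    for sigma in (0.0, 0.2, 0.4, 0.6, 1.0, 3.0):
        print(f"{sigma:5.1f}  {keystroke_accuracy(sigma):7.2f}  {pin_recovery_rate(sigma):11.2f}")
    print(f"shuffled pad, no noise: per-key {keystroke_accuracy(0.0, randomise_layout=True):.2f}")
```

Two things the toy makes visible. Accuracy falls off a cliff once the noise is comparable to the key spacing, and whole-PIN recovery falls faster than per-key accuracy because every digit must be right. Shuffling the pad per entry drives the position-to-digit guess back to 1 in 10 even with no noise at all, at a usability cost; note it still leaks the PIN length and which positions were touched twice, which is exactly the sort of scrap the "famous last words" subthread is worried about.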

  7. Anonymous Coward

    Security cameras

    I don't type passwords in public places anyway, because I've always been worried the security cameras can see too much stuff.

    I do let my phone browser store passwords. If someone physically steals the phone, I'm going to know, and I know how to get any important accounts locked out fast. I guess they could steal the phone and also incapacitate me, but if someone's prepared to go that far, I have bigger problems. So I believe the security risk of having the phone auto-fill the password is in practice lower than the security risk of having a security camera watch me type it in.
