New WiKI-Eve attack can steal numerical passwords over WiFi

IoT 9个月前 admin
132 0 0

New WiKI-Eve attack can steal numerical passwords over WiFi

A new attack dubbed ‘WiKI-Eve’ can intercept the cleartext transmissions of smartphones connected to modern WiFi routers and deduce individual numeric keystrokes at an accuracy rate of up to 90%, allowing numerical passwords to be stolen.

WiKI-Eve exploits BFI (beamforming feedback information), a feature introduced in 2013 with WiFi 5 (802.11ac), which allows devices to send feedback about their position to routers so the latter can direct their signal more accurately.
WiKI-Eve利用BFI(波束成形反馈信息),这是2013年WiFi 5(802.11ac)引入的一项功能,该功能允许设备向路由器发送有关其位置的反馈,以便后者可以更准确地引导信号。

The problem with BFI is that the information exchange contains data in cleartext form, meaning that this data can be intercepted and readily used without requiring hardware hacking or cracking an encryption key.


New WiKI-Eve attack can steal numerical passwords over WiFi
Overview of the WiKI-Eve attack (
WiKI-Eve 攻击概述 (

This security gap was discovered by a team of university researchers in China and Singapore, who tested the retrieval of potential secrets from these transmissions.

The team found that it’s reasonably easy to identify numeric keystrokes 90% of the time, decipher 6-digit numerical passwords with an accuracy of 85%, and work out complex app passwords at an accuracy of roughly 66%.

While this attack only works on numerical passwords, a study by NordPass showed that 16 out of 20 of the top passwords only used digits.

The WiKI-Eve attack WiKI-Eve 攻击

The WiKI-Eve attack is designed to intercept WiFi signals during password entry, so it’s a real-time attack that must be carried out while the target actively uses their smartphone and attempts to access a specific application.

New WiKI-Eve attack can steal numerical passwords over WiFi
Finger movement and taps creating BFI signal variations (
手指移动和敲击产生 BFI 信号变化 (

The attacker must identify the target using an identity indicator on the network, like a MAC address, so some preparatory work is required.
攻击者必须使用网络上的身份指示器(如 MAC 地址)识别目标,因此需要进行一些准备工作。

“In reality, Eve can acquire this information beforehand by conducting visual and traffic monitoring concurrently: correlating network traffic originating from various MAC addresses with users’ behaviors should allow Eve to link Bob’s physical device to his digital traffic, thereby identifying Bob’s MAC address,” explains the researchers.

In the main phase of the attack, the victim’s BFI time series during password entry is captured by the attacker using a traffic monitoring tool like Wireshark.

Each time the user presses a key, it impacts the WiFi antennas behind the screen, causing a distinct WiFi signal to be generated.

“Though they only account for part of the downlink CSIs concerning the AP side, the fact that on-screen typing directly impacts the Wi-Fi antennas (hence channels) right behind the screen (see Figure 1) allows BFIs to contain sufficient information about keystrokes,” reads the paper.

However, the paper emphasizes that the recorded BFI series might blur boundaries between keystrokes, so they developed an algorithm for parsing and restoring usable data.

New WiKI-Eve attack can steal numerical passwords over WiFi
Neural model to parse captured data (
用于解析捕获数据的神经模型 (

To tackle the challenge of filtering out factors that interfere with the results, like typing style, typing speed, adjacent keystrokes, etc. the researchers use machine learning called “1-D Convolutional Neural Network.”

The system is trained to consistently recognize keystrokes regardless of typing styles through the concept of “domain adaptation,” which comprises a feature extractor, a keystroke classifier, and a domain discriminator.

New WiKI-Eve attack can steal numerical passwords over WiFi
Training of ML framework for WiKI-Eve (

Finally, a “Gradient Reversal Layer” (GRL) is applied to suppress domain-specific features, helping the model learn consistent keystroke representations across domains.

New WiKI-Eve attack can steal numerical passwords over WiFi
WiKI-Eve attack steps (
WiKI-Eve 攻击步骤 (

Attack results 攻击结果

The researchers experimented with WiKI-Eve using a laptop and WireShark but also pointed out that a smartphone can also be used as an attacking device, although it might be more limited in the number of supported WiFi protocols.

The captured data was analyzed using Matlab and Python, and the segmentation parameters were set to values shown to produce the best results.

Twenty participants connected to the same WiFi access point used different phone models. They typed various passwords using a mix of active background apps and varying typing speeds while measurements were taken from six different locations.

The experiments showed that WiKI-Eve’s keystroke classification accuracy remains stable at 88.9% when sparse recovery algorithm and domain adaptation are used.

New WiKI-Eve attack can steal numerical passwords over WiFi
Overall accuracy of WiKI-Eve compared to CSI-targeting models (
WiKI-Eve 与 CSI 定位模型相比的总体准确性 (

For six-digit numerical passwords, WiKI-Eve could infer them with an 85% success rate in under a hundred attempts, remaining consistently above 75% in all tested environments.

However, the distance between the attacker and the access point is crucial to this performance. Increasing that distance from 1m to 10m resulted in a 23% successful guess rate drop.
但是,攻击者和接入点之间的距离对于此性能至关重要。将距离从 1m 增加到 10m 导致成功猜测率下降 23%。

New WiKI-Eve attack can steal numerical passwords over WiFi
Effect of distance in guessing performance (

The researchers also experimented with retrieving user passwords for WeChat Pay, emulating a realistic attack scenario, and found that WiKI-Eve deduced the passwords correctly at a rate of 65.8%.

The model consistently predicted the correct password within its top 5 guesses in over 50% of the 50 tests conducted. This means an attacker has a 50% chance of gaining access before hitting the security threshold of five incorrect password attempts, after which the app locks.
该模型在进行的 50 次测试中超过 50% 的测试中始终预测其前 5 次猜测中的正确密码。这意味着攻击者有 50% 的机会获得访问权限,然后达到五次错误密码尝试的安全阈值,之后应用程序锁定。

New WiKI-Eve attack can steal numerical passwords over WiFi
Attack on WeChat password (

In conclusion, the paper shows that adversaries can deduce secrets without hacking access points and by simply using network traffic monitoring tools and machine learning frameworks.

This calls for heightened security in WiFi access points and smartphone apps, like potentially keyboard randomization, encryption of data traffic, signal obfuscation, CSI scrambling, WiFi channel scrambling, and more.

Related Articles: 相关文章:

ASUS routers vulnerable to critical remote code execution flaws

France demands Apple pull iPhone 12 due to high RF radiation levels
法国要求苹果下架iPhone 12,因为射频辐射水平很高

How end-user phishing training works (and why it doesn’t)

Chrome extensions can steal plaintext passwords from websites
Chrome 扩展程序可以从网站窃取明文密码

Four common password mistakes hackers love to exploit

原文始发于Bill Toulas New WiKI-Eve attack can steal numerical passwords over WiFi

版权声明:admin 发表于 2023年9月18日 上午9:58。
转载请注明:New WiKI-Eve attack can steal numerical passwords over WiFi | CTF导航