Keystroke Recognition from Wi-Fi Distortion

This is interesting research: "Keystroke Recognition Using WiFi Signals." Basically, the user's hand positions as they type distorts the Wi-Fi signal in predictable ways.

Abstract: Keystroke privacy is critical for ensuring the security of computer systems and the privacy of human users as what being typed could be passwords or privacy sensitive information. In this paper, we show for the first time that WiFi signals can also be exploited to recognize keystrokes. The intuition is that while typing a certain key, the hands and fingers of a user move in a unique formation and direction and thus generate a unique pattern in the time-series of Channel State Information (CSI) values, which we call CSI-waveform for that key. In this paper, we propose a WiFi signal based keystroke recognition system called WiKey. WiKey consists of two Commercial Off-The-Shelf (COTS) WiFi devices, a sender (such as a router) and a receiver (such as a laptop). The sender continuously emits signals and the receiver continuously receives signals. When a human subject types on a keyboard, WiKey recognizes the typed keys based on how the CSI values at the WiFi signal receiver end. We implemented the WiKey system using a TP-Link TL-WR1043ND WiFi router and a Lenovo X200 laptop. WiKey achieves more than 97.5% detection rate for detecting the keystroke and 96.4% recognition accuracy for classifying single keys. In real-world experiments, WiKey can recognize keystrokes in a continuously typed sentence with an accuracy of 93.5%.

News article.

Posted on August 30, 2016 at 6:04 AM • 24 Comments

Comments

SteveAugust 30, 2016 6:11 AM

Interesting but not news, and not "new research" as the article states. The underlying paper was published a year ago.

M@August 30, 2016 6:33 AM

It takes time for published work to get traction, journal inclusion, etc. This is fairly fresh.

r0b0August 30, 2016 8:27 AM

Whoa! So typing passwords (or any sensitive information) on a keyboard is considered harmful?

TatütataAugust 30, 2016 8:33 AM

The paper might be one year old, but I read about it for the first time here. I knew of mapping systems deducing spatial information from the MIMO vectors.

I'm must say I'm impressed, but it is mostly a stunt --- at this stage:

9. LIMITATIONS

[...]

Currently WiKey works well only under relatively stable and controlled environments. The accuracy of our current scheme is affected by variations in the environment such as human motion in surrounding areas, changes in orientation and distance of transceivers, typing speeds, and keyboard layout and size. Next, we elaborate some limitations of our current implementation of WiKey.

If people move about their chairs or in the room then the thing is essentially defeated. One could imagine some kind of mode disperser placed in the vicinity of the access point or the device. It would be something of a cross between chaff (for the randomness) and a microwave oven (with a motor drive).

The authors suggest that lip movements could be detected in the same fashion.

Could low power, ultrawideband radar constitute a 21st century version of the 1950's Soviet passive bug placed in the US Embassy in Moscow?

Clive RobinsonAugust 30, 2016 9:26 AM

@ r0b0,

Whoa! So typing passwords (or any sensitive information) on a keyboard is considered harmful?

Yup has been for quite some time.

Must be four years or so ago that what people were typing was recognisable from the individual sound each key makes.

Then there was the accelerometers in smart devices with touch screen keypads.

Then there were the various interferometers for extending "room present" sound detection to "through the window but out of sight" sound detection off of the likes os crisp packets.

There had been previous "reflector" attacks where the keyboard electronics or connection cable get illuminated and the signal gets re-radiated with the serial data going back to being mentioned academicaly 1990's. But that I and others had played with a decade or so before as a side show from van Eck attacks.

So yes for a long long time.

It needs to be said that the more emmiters and recivers you have in a Multi Input Multi Output (MIMO) configuration the easier it is going to be to detect this.

As I've said on this blog before a good old fashioned "desk fan" can be your friend if you set things up right...
https://www.schneier.com/blog/archives/2015/07/friday_squid_bl_486.html#c6700762

Clive RobinsonAugust 30, 2016 9:38 AM

@ Tatütata,

It would be something of a cross between chaff (for the randomness) and a microwave oven (with a motor drive).

Why go for "a cross" if you use a fan it will break up thermal imaging and some MIMO techniques with just the fan blades.

However I'm sure most of us have seen fans with "colourd streamers" attached through to those "fake flames" systems using pices of coloured cloth lights and a fan.

WHilst the movment is not random it tends to be chaotic which is almost as good. Thus get that very thin alumanized plastic film in lengths of aproximately 1/4 of a wavelength and multiples there of, at WiFi frequencies and attach to the front of the fan. Thus it's real chaff working almost as intended but nicely held where you need it when you need it, oh and a cooling breeze as well :-)

MaryAugust 30, 2016 9:46 AM

@Tatütata: Poopoo-ing it because there are easy ways to defeat it are we? You know further filtering to fix many kinds of interference problems is just an update away....

TatütataAugust 30, 2016 10:38 AM

Clive, yes, using a fan did occur to me, but all the ones I can think of have plastic blades, and are often encased in a metal cage. The effect would also be too deterministic.

The last desk ventilators with aluminium blades I can remember were produced in the 1930s and early 1960s... Both had insulation faults in their motor, and I had to be careful when I picked them up. They also had almost no finger protection. I eventually got rid of them.

Maybe leave the microwave door open with the interlock disabled? ;-)

I remember a piece of modern art consisting of many little mirrors mounted on springs, each with its own natural resonating frequency, gently moving with the air disturbance. Something like that, but with dipole reflectors could do the trick.

The attack is impressive, but doesn't really sound practical -- yet (?). How do you get a non-cooperating target to type a given text for calibration?

TatütataAugust 30, 2016 10:45 AM

After I clicked "submit" I saw this:

However I'm sure most of us have seen fans with "colourd streamers" attached through to those "fake flames" systems using pices of coloured cloth lights and a fan.

Nice idea.

One more thing:

A smallish fan (40W motor) might consume, say, 1kWh daily.

At ~10p/kWh, a continuously turned on scrambling device would cost around £40/year. In a country like Germany you would end up paying almost twice as much, especially at the current exchange rates.

It all adds up quickly.

gerAugust 30, 2016 11:31 AM

Another reason, but certainly not the most motivating, to use a password manager that not only handles passwords, but ALL personal info, which I do:-)

Anonymous CowAugust 30, 2016 12:09 PM

@Tatütata

using a fan did occur to me, but all the ones I can think of have plastic blades, and are often encased in a metal cage.

I think fans with plastic safety cages are quite common. As for the plastic blades, you can put aluminum tape on them.

ab praeceptisAugust 30, 2016 12:23 PM

I think there is a rather obvious mitigating factor that is often "forgotten": value - effort.

There is a critical relation. A potential terrorist or a billionaire are of a radically different value for certain groups than Joe, Marry, and their family dog.

Normal everyday people can reasonably limit their worries to about the level of "what is the local judicial police capable of?". They won't be listened to by lasers and their keystrokes won't be mimo radar-ed.

Plus evidently, I think Clive Robinson brought it up, adequate OpSec and Joe, Marry, you and me should be quite safe. Kindly note the term "adequate" (which also means "no post its with passwords").

More generally, this "game" never fails to attract people and to keep them fascinated for a simple reason: We all love the idea of 100% security - but, alas, it doesn't exist. Even worse, just think about modern sigint and elint; the variant installed on e.g. warships. Pretty every police department would gladly give away their first-borns for that kind of devices.

But there is a good side to that, too: I keeps us awake and it makes us - or so I seriously hope - think about and take care in terms of adequate OpSec.

PalindromedaryAugust 30, 2016 2:26 PM

@Tatütata

How do you get a non-cooperating target to type a given text for calibration?

Most hotspots only require a click-through, but some places require some textual response before permitting access, perhaps a password of the day; setting up surveillance in such a place over the course of several passwords would permit training for environmental noise, for same-keys-multiple-typists, and for same-keys-specific-typist.

In the workplace, e.g., my software development job, there are build or test environment setup phrases that are necessary and used at least once per day. Their sequence varies enough that putting them in a script doesn't make sense, but are individually consistent enough to provide decent training over a sufficiently long time line.

@ab praeceptis

I think there is a rather obvious mitigating factor that is often "forgotten": value - effort.

There is a critical relation. A potential terrorist or a billionaire are of a radically different value for certain groups than Joe, Marry, and their family dog.

Absolutely true, and of some reassurance. Unfortunately, attackers don't always target people for the obvious reasons. Some of the most compelling fictional dramas target "little" people because their access can be leveraged, and real bad guys are already used to using chains of levers to achieve their ends.

Being only one of a million rocks on the beach is small comfort when you find out that you were the diamond they were looking for all along.

Lance ==)------------
Milliner in fine tin foil since 1974

Marcos MaloAugust 30, 2016 9:14 PM

So far, this has been one of the most enjoyable comment threads I've read in a while.

I'm curious if a two fan oscillating set up (with tinsel tassels) would improve things. I've not taken apart a desk fan, but there is probably a way to tweak one to give it a different oscillation period to generate more chaos-flage.

WhiskersInMenloAugust 30, 2016 9:24 PM

In the early days of stealth some noted that a stealth aircraft would perturb the broadcast
of analog TV.

At that time is was common to see weak TV signals wiggle and wobble as commercial aircraft passed
by. Stealth aircraft at that time did much the same to these week signals.

Radar could not see these stealth aircrafts because returns did not return but the aircraft
would still disrupt other transmissions in passing.

Since WiFi is digital WiFi users do not see these disturbances in the data but
a clever analog view of the traffic can 'see' things with unexpected clarity.
Antennas are important....

NIck PAugust 31, 2016 10:55 AM

@ RonK

"> Normal everyday people

don't read this blog."

Good point. Some do but most don't. Blog is a diverse array of people interested in going above and beyond a bit on these issues.

GweihirSeptember 1, 2016 6:35 AM

Pretty cool research! Of course, the countermeasures are easy and well-known: Make sure there is no correlation between keys pressed and passwords (or other secrets) entered, e.g. by use of a virtual keyboard.

Incidentally, guessing keys from their acoustics works about as well and is a little older.

DormanSeptember 3, 2016 4:36 PM

I don't know why people believe bold statements such as "97.5% detection rate", everyone who has measured WiFi signal strengths themselves will know that WiFi signal strengths can naturally vary a lot from one second to another second, even when you are not typing or moving, these noisy signal strengths are unreliable, which would make such high detection rates under normal circumstances impossible!

Clive RobinsonSeptember 3, 2016 5:42 PM

@ Dorman,

... everyone who has measured WiFi signal strengths themselves will know that WiFi signal strengths can naturally vary a lot from one second to another second...

Yes they do but it's not relevant.

When you use MIMO systems you are often looking at the differential in amplitude and phase not the absolute values (which is all you can get with a single TX and single RX antenna setup and no additional path differential).

DormanSeptember 4, 2016 3:40 PM

@Clive Robinson: In their testing they only type one key a second and have no interference from other access points and calibrate every key first and check which key corresponds to which change in the signal and never move the keyboard, which would be very impractical in practice. No interference from other access points in cities is very unlikely with the high WiFi penetrations.
When you already have access to the keyboard to do the calibration, a keylogger would be a lot more practical.

PointyOintmentSeptember 11, 2016 6:27 PM

@Tatütata,

How do you get a non-cooperating target to type a given text for calibration?

CAPTCHA.

Alternatively: Monitor traffic and wait for the target to type in a URL. Monitor traffic and wait for the target to submit a form on a non-HTTPS website. Monitor DNS traffic and wait for the target to submit a form on an HTTPS website that results in the contents of the form being publicly available (such as this comment form).

You don't need the target to type a specific text. You just need the target to type a text that you can obtain another way. You also don't need the text to contain all of the letters you want to be able to read. You can work outward from those letters you know and make guesses at the other letters, and you can also work on things the target typed previously (the Wi-Fi perturbations of which you stored for future analysis, obviously).

Also, frequency analysis. No need for a known text at all. E is the most commonly used letter in English (and so on). It should also be the most commonly typed letter (and so on). (And if typed-letter frequencies are known to differ from general usage frequencies, then typed-letter frequencies must be available (and are easily obtained for yourself if you want to). They shouldn't differ in general, but your target may have different frequencies, but in any case, those shouldn't differ too much.)

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.