Using Wi-Fi to Detect Hand Motions and Steal Passwords

This is impressive research: "When CSI Meets Public WiFi: Inferring Your Mobile Phone Password via WiFi Signals":

Abstract: In this study, we present WindTalker, a novel and practical keystroke inference framework that allows an attacker to infer the sensitive keystrokes on a mobile device through WiFi-based side-channel information. WindTalker is motivated from the observation that keystrokes on mobile devices will lead to different hand coverage and the finger motions, which will introduce a unique interference to the multi-path signals and can be reflected by the channel state information (CSI). The adversary can exploit the strong correlation between the CSI fluctuation and the keystrokes to infer the user's number input. WindTalker presents a novel approach to collect the target's CSI data by deploying a public WiFi hotspot. Compared with the previous keystroke inference approach, WindTalker neither deploys external devices close to the target device nor compromises the target device. Instead, it utilizes the public WiFi to collect the user's CSI data, which is easy-to-deploy and difficult-to-detect. In addition, it jointly analyzes the traffic and the CSI to launch the keystroke inference only for the sensitive period where password entering occurs. WindTalker can be launched without the requirement of visually seeing the smart phone user's input process, backside motion, or installing any malware on the tablet. We implemented WindTalker on several mobile phones and performed a detailed case study to evaluate the practicality of the password inference towards Alipay, the largest mobile payment platform in the world. The evaluation results show that the attacker can recover the key with a high successful rate.

That "high successful rate" is 81.7%.

News article.

Posted on November 18, 2016 at 6:40 AM • 22 Comments


john doe • November 18, 2016 7:33 AM

I believe the first link does not work, also it contains an ip address and some sort of key and a token.

Clive Robinson • November 18, 2016 8:29 AM

A randomised key position displayed input pad should make the attack more or less defunct.

oliver • November 18, 2016 8:49 AM

I call BS on this "research". this is nothing more than a movie-plot-threat. Kinda like that classic M$-style FUD!

Bill Stout • November 18, 2016 10:35 AM

Wow, this takes me back to my 1990s experience in working for a signal collection and analysis gov contractor.

We would get a ton of information (who, where, when, etc.) just analyzing signals, and by linking together multiple collection systems, we could track and intercept the message in a weak link (cleartext, person, etc.) without having to send the recordings off for decryption. With old equipment we'd triangulate the physical location within 3 seconds, and identify the specific operator by the characteristics of the message.

Ted • November 18, 2016 11:27 AM

Researchers and policymakers gathered in August to discuss spectrum forensics and explore questions about possible spectrum/signal misuse and potential consequences.
International Symposium on Advanced Radio Technologies (ISART) 2016: Spectrum Forensics

Panel topics covered “Prequel Tutorial: Spectrum Forensics Case Studies”, “Policy Considerations”, “Spectrum Monitoring – Purposeful Data Collection”, “Enabling Technologies and Standards”, and “Data Analytics”.

The "Policy Considerations" panel has a brief description that touches upon the increasing availability of inexpensive radios and code repositories, the existence of FCC and NTIA frameworks that could reduce harmful interference through legal and technical channels, and the development of new disciplines to identify interference and possibly prosecute offenders.

Article 19 • November 18, 2016 11:45 AM

They seem to be sincerely treating Mohan Nirala as an espionage case and not an information-freedom rights defender. There may be a couple layers of indirection here, or else other foreign powers are taking Russia's line and publicizing evidence of US government wrongdoing.

Blue Brother • November 18, 2016 1:29 PM

Safe as in the 60's definition of not getting her pregnant, yes.

Safe as in the 80s/90s definition of not catching an STD, probably.

Safe as in the 21st century definition of not infecting your computer with malware, being tracked by your ISP/FBI/NSA/CosyBear, etc., probably not.

Remember, if you're not paying for it, YOU are the product.

albert • November 18, 2016 1:35 PM

Another snore-fest from academia.

I gotta ask, what if, some day, someone comes up with a 99.999% accurate and undetectable way of stealing passwords from wi-fi?

What then? How much effort will be expended to mitigate it? How many endless discussions will dominate the tech media? Aside from keeping 'computer security' experts employed (and generating lots of traffic on associated website), what does all of this accomplish?

We started with an inherently insecure networking system (for inherently insecure computers and operating systems), which relied on the basic honesty of the academic community. The system just grew to the point where businesses saw the advantages. Internet connectivity became an absolute requirement in the business world*. The 'let's do everything online' had replaced the 'let's put computers in everything' mantra.
The monetization of information was the last straw, because now, -everyone- 'contributes' to the money pool. It's easy to see how the system came to be abused. I'm first to adm

...then the Gates of Hell opened, and behold, demons appeared, and plagues descended upon the Earth. There came Wi-fi, a beast with myriad heads and many poisonous teeth, Flash, a fish that scrapes the sea bottom, along with its enabler, the poisonous Java. There came Facebook and Twitter, Google and Safari, and their brothers, all appearing in sheep's clothing, but inside, ravenous wolves. These plagues caused great destruction upon the Earth, upon which Humans roamed. Savage and ignorant they are, like unreasoning and injurious wild beasts, obsessed with their pads and mobiles, incapable of rational thought. Beholden to the hordes of blood-sucking parasites which control their every thought, they stumble blind and aimless, upon the desolate landscape of destruction...

Sorry, I kinda lost it there for a moment.

Don't use Wifi for serious communication. Better yet, don't use your phone, either. You can sit around Starbucks and look cool without doing your banking there.

I gotta go.

* It has always been an established fact that the business world (particularly the banking sector, non-productive parasites that they are) has no moral or ethical compass.
. .. . .. --- ....

Ross Snider • November 18, 2016 2:23 PM

80+% accuracy is enough to reduce the entropy of a password down to brute force levels (presuming there were a hash). If the password can not be gathered, multiple attempts may be attempted, and I'm assuming that the accuracy grows geometrically (error = .2 * .2 or 96% accurate with two tries).

I would call that a highly successful rate. The approach is only going to get better with time.

I like Clive Robinson's idea for password and key protection. But in any case, my feeling is we're only starting to see the scope of attacks available with wireless monitoring.

Tatütata • November 18, 2016 2:35 PM

Judging by the number of articles posted on this topic in the last year, Bruce seems to be impressed by these RF-based side channel attacks.

I'm still rather sceptical about the practicality of these in general, but I'm softening up.

That "high successful rate" is 81.7%.

What definition do they use?

In 81.7% of cases a password is guessed with zero errors? (i.e.: correct number of keystrokes, and correct keys are guessed).

Or each individual keystroke is guessed with 81.7% accuracy?

That would make a big difference: in the latter case there would be only a (0.817^8)~20% probability of guessing an 8-position password.

But I do see that in either case the search space for performing a subsidiary brute-force attack is significantly reduced, especially if coupled with a dictionary or mere tables of N-gram statistics.
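Ross Snider and Tatütata above ask how far an 81.7% per-keystroke rate actually shrinks the search space, and Clive Robinson proposes a randomised keypad as the fix. The Python model below is an added example, not code from the paper or from this post; it assumes independent keystrokes, a 10-key pad on which the leftover probability is spread evenly over the wrong keys, and a constructed 6-digit PIN, and it treats the randomised keypad as the p = 1/10 (no information) case.

```python
from fractions import Fraction
from math import comb, ceil, log2

# Constructed model (added example, not from the paper): each keystroke is
# inferred correctly with probability p, the remaining mass (1 - p) is spread
# evenly over the other keys of an A-key pad, and keystrokes are independent.

def full_recovery_probability(p, n):
    """Chance that all n keystrokes are inferred with zero errors (Tatütata's 0.817^8)."""
    return float(Fraction(str(p)) ** n)

def guesses_for_confidence(p, n, target, alphabet_size=10):
    """Candidates an attacker must try, in likelihood order, before the cumulative
    probability of having hit the real PIN reaches `target`.  Candidates are ranked
    by how many positions disagree with the inferred string, which is the optimal
    order whenever the inferred key is at least as likely as any other key."""
    p, target = Fraction(str(p)), Fraction(str(target))
    q = (1 - p) / (alphabet_size - 1)           # probability of any one wrong key
    if p < q:
        raise ValueError("model assumes the inferred key is the likeliest one")
    cumulative, guesses = Fraction(0), 0
    for k in range(n + 1):                      # k = number of positions that are wrong
        count = comb(n, k) * (alphabet_size - 1) ** k
        each = p ** (n - k) * q ** k            # probability of one such candidate
        if cumulative + count * each >= target:
            return guesses + ceil((target - cumulative) / each)
        cumulative += count * each
        guesses += count
    return guesses                              # target > 1: the whole key space

def effective_entropy_bits(p, n, target=0.5, alphabet_size=10):
    """log2 of the guesses needed for `target` confidence: a rough 'bits of PIN left'
    figure to compare against the unaided pad (log2 of target * A^n)."""
    return log2(guesses_for_confidence(p, n, target, alphabet_size))

if __name__ == "__main__":
    n, p = 6, 0.817                             # constructed 6-digit PIN, paper's rate
    print("P(all 8 keys right) =", round(full_recovery_probability(p, 8), 3))
    for conf in (0.5, 0.95):
        leaked = guesses_for_confidence(p, n, conf)
        # Randomised keypad: the tap position is still sensed, but the digit under
        # it is uniform, so per-keystroke accuracy collapses to 1/10.
        blind = guesses_for_confidence(0.1, n, conf)
        print(f"{int(conf*100)}% confidence: {leaked} guesses with CSI leak, "
              f"{blind} with a randomised keypad")
    print("bits left at 50%:", round(effective_entropy_bits(p, n), 2),
          "vs", round(log2(0.5 * 10 ** n), 2))
```

The p = 1/10 case is exactly the randomised-keypad defence: the attacker still learns which screen positions were tapped, but that knowledge no longer narrows the digits, so the guess count returns to a fraction of the full 10^6 space.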

Clive Robinson • November 18, 2016 3:28 PM

@ Blue Brother,

I think you will find @Myfreecams is not a comment but unsolicited "link spam"...

Anura • November 18, 2016 4:35 PM

@Ross Snider

80+% accuracy is enough to reduce the entropy of a password down to brute force levels (presuming there were a hash)

Given that this requires physical proximity to the users, it is unlikely to be used with offline attacks. That said, for most actual passwords, knowing each character with an 80% probability makes simple dictionary attacks a lot easier (ideally, you would know the probability for each possible character at each possible position). You will still catch a lot of passwords with simple dictionary attacks, just not as many as with advanced dictionary attacks.

Modern dictionary attacks are a lot more complicated than just simple lookups, of course, and while it may be doable, I'm not sure how easy it would be to do fuzzy matching with the compound words, character substitutions, etc. that modern password crackers use (in fact, I'm quite sure it would get extremely complicated to do efficiently). But if all you are looking to do is steal money from targets of opportunity, a simple dictionary attack will get you plenty as long as you have a target-rich environment.

anonymous • November 19, 2016 4:59 PM

Related not just to Wi-Fi but also coaxial and cell networks;
The PATRIOT Act (Persecuting Americans That Read I.T. Oriented Tabloids Act) violates 1st and 4th amendments of the Bill of rights;,nsa230.html
Violating the Bill of Rights is insurrection, which is a form of treason. The death penalty is often advocated towards traitors. Rule 41 changes set for Dec.1 2016 are far more radical and extreme than the human rights abuses of the PATRIOT Act.
Call your senator and leave a message asking him or her to support the "stop mass hacking act".

Jeniffer • November 20, 2016 4:04 AM

A majority of people still use weak passwords. Only once have I had to ask the owner for a password again when repairing something, the rest were not what I'd call strong passwords.

Jennifer • November 20, 2016 4:11 AM

Combined weak security and WIFI info should give pretty high odds for accessing at least one terminal on the network.

Palmer • November 24, 2016 6:54 AM

One of my banks introduced the solution suggested by Clive Robinson in 2014.
It put me off in the real beginning.

You expect the classic numpad matrix
and not an ever changing position for the number keys.
Was the application programmer a visionary? :-)
