Researchers have devised a system that can recognize a user's keystrokes by exploiting available WiFi signals.
The research team, which is made up of computer scientists from Michigan State University and Nanjing University in China, explain in their paper (PDF) that their "WiKey" system works because most WiFi devices (including routers) come with multiple-input and multiple-output (MIMO) capabilities:
"Each MIMO channel between each transmit-receive (TX-RX) antenna pair of a transmitter and receiver comprises of multiple sub-carriers. These WiFi devices continuously monitor the state of the wireless channel to effectively perform transmit power allocations and rate adaptations for each individual MIMOstream such that the available capacity of the wireless channel is maximally utilized...."
In other words, most routers have the ability to monitor a wireless channel's behavior and pick up on its channel state information (CSI). Those CSI values, in turn, characterize something that's known as Channel Frequency Response (CFR), or fluctuations in signal exhibited between each antenna pair for a subcarrier.
Those fluctuations reveal a lot about a WiFi channel. As it turns out, they can even reveal hand and finger movements--that is, a user's keystrokes.
In their experiment, the researchers used a TP-Link TL-WR1043ND WiFi router and a Lenovo X200 laptop. While a subject typed on the laptop, the researcher used the router's antennas to pick up all existing CSI values. They then passed that data through several different types of filtering to eliminate other sources of noise and to isolate the keystrokes.
Using a specially designed algorithm, the researchers were able to identify that each keystroke had a start- and endpoint and that it rose and fell like a wave. This information proved instrumental in extracting the actual keystrokes themselves.
Overall, WiKey registered a 96.4 percent success rate in classifying single keystrokes. That accuracy fell slightly to 93.5 percent when researchers adjusted the experiment so that the subject typed keys in a continuous sentence.
Computer criminals and researchers have looking at keyboard security for years now. Through their combined efforts, they've not only demonstrated that malware can intercept keystrokes in the form of FM radio signals from an isolated computer; they've also proven that a user can be identified and tracked based upon how they type. Clearly, WiKey builds upon that existing body of research.
That's not to say the system is without limitations. For the experiment, researchers set a number of controls, such as an environment with very little noise, a close device proximity of two meters between the router and the keyboard, and training requirements that spanned only over the course of one day and which required the subjects to not move their heads or other parts of their body. In the real world, everything is a lot more dynamic.
The researchers know that, and they're hoping to improve on their system so that it accounts for such factors:
"...[I]n future we plan to address the problem of mitigating the effects of more harsh wireless en-vironments by building on our micro-gesture extraction and recognition techniques proposed in this paper."
For more information about WiKey, check out the researchers' paper here.
Comments
JDCybersec - 1 year ago
Good write-up but the title is a little sensational. This was tested in a controlled environment with a specialized algorithm designed by the research team. This attack would most likely be utilized by a nation state actor, not your average run of the mill hacker.
DMBisson - 1 year ago
It could be an even smaller pool of actors, given the experiment's limits of proximity. But point taken.
DodoIso - 1 year ago
Good luck on a SSH channel... but perhaps one day. For the time being, NSA hidden or long range microphones will do the job. ;-)
bjornsturluson - 1 year ago
Even if the chances are small, this kind of tech is seriously worrying.
cheb - 1 year ago
good grief charlie brown! ;) only truly secure format is pencil and paper ;)
DodoIso - 1 year ago
No so, cheb! The time it takes for you to write each letter can be measured, then analyzed, perhaps more accurately than keystrokes sound. ;-)