
Hackers could decode passwords by analyzing the shadows of your fingers

CCS 2016 - When CSI Meets Public WiFi: Inferring Your Mobile Phone Password via WiFi Signals
If we want to continue enjoying a world that contains Wi-Fi, we may want to address some security issues present in our wireless LAN technology.

One such issue is described in a new paper published by the Association for Computing Machinery. The result of a collaboration between researchers at Shanghai Jiao Tong University, the University of Massachusetts at Boston, and the University of South Florida, it reveals how a malicious Wi-Fi hot spot could trace your fingers to reveal your online passwords.

The technique is called WindTalker, and it lets hackers effectively read the finger movements of a user as they pass over their phone display, using what is referred to as channel state information (CSI).

Exploiting the so-called “keystroke inference framework” technique, the researchers were able to successfully retrieve passwords being used on Chinese payment platform Alipay on various smartphones.

At a high level, WindTalker works by analyzing the shadows created on a mobile device and then piecing these together to work out specific keystrokes which are being made. When enough training examples have been completed, the researchers suggest that passwords can be reverse-engineered with as much as 81.7 percent accuracy.

While the hack itself does require specific hardware to carry out, this costs only on the order of hundreds of dollars and is relatively easy to obtain.

So what, if anything, can be done about the risk?

“One possible defense strategy is to randomize the layouts of the PIN keypad,” Haojin Zhu, a computer science professor who worked on the paper, told Digital Trends. “Second, one of the common assumptions for different kinds of side-channel based keystroke inference attacks is that the users need to type the passwords in fixed gestures — so another defense strategy is changing the typing gestures from time to time to keep themselves safe. Third, the user can prevent the collection of CSI. For example, it is recommended to use network firewalls to block the abnormal Wi-Fi packets.”

A bit like the commonsense holiday safety advice about not waving your expensive camera around, the best suggestion may be the most obvious, though. “One simple recommendation for the public is not to connect to insecure public Wi-Fi,” Professor Zhu continued.

Zhu also said that the team is currently working to develop “a comprehensive defending framework to defend the various side channel attacks via Wi-Fi signals.”
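The keypad-randomization defense Zhu describes can be checked with a small simulation; this is an added example, not code from the paper or the article. It assumes a worst-case observer that recovers every pressed key position perfectly but cannot see the screen, and all function names and the seeded PRNG are assumptions chosen for reproducibility.

```python
import random

# Standard PIN pad: FIXED_LAYOUT[i] is the digit drawn at key position i.
FIXED_LAYOUT = "1234567890"

def shuffled_layout(rng):
    """Return a fresh permutation of the ten digits for one PIN entry.
    A real keypad should draw this from a CSPRNG (e.g. secrets.SystemRandom);
    a seeded PRNG is used here only so the simulation is reproducible."""
    keys = list(FIXED_LAYOUT)
    rng.shuffle(keys)
    return "".join(keys)

def positions_pressed(pin, layout):
    """The most a motion-based side channel can learn: which key
    positions were touched, not which digits were drawn on them."""
    return [layout.index(digit) for digit in pin]

def observer_guess(positions, assumed_layout=FIXED_LAYOUT):
    """Map observed positions back to digits using the layout the
    observer's model was trained on (the fixed one)."""
    return "".join(assumed_layout[p] for p in positions)

def recovery_rate(randomize, trials=2000, pin_len=6, seed=1):
    """Fraction of constructed random PINs the idealized observer recovers."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        pin = "".join(rng.choice("0123456789") for _ in range(pin_len))
        layout = shuffled_layout(rng) if randomize else FIXED_LAYOUT
        guess = observer_guess(positions_pressed(pin, layout))
        if guess == pin:
            hits += 1
    return hits / trials

if __name__ == "__main__":
    print("fixed layout     :", recovery_rate(randomize=False))
    print("randomized layout:", recovery_rate(randomize=True))
```

With a fixed layout the idealized observer recovers every PIN; with a per-entry shuffle a guess succeeds only when every pressed digit happens to sit in its usual place.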

On balance, we liked WindTalker a whole lot more when it was a 2002 Nicolas Cage movie about U.S. Marines in World War II…

Luke Dormehl