WiKI-Eve attack: stealing passwords from WiFi routers
The new technique that compromises the security of Wi-Fi networks, putting user passwords at risk
A new attack called WiKI-Eve exploits a vulnerability in WiFi to intercept passwords typed on smartphones. Researchers found that this attack can guess numeric passwords in less than 100 attempts with 85% accuracy. Improved security measures are needed to protect against this type of attack.
A new attack, called WiKI-Eve, has the ability to intercept unencrypted transmissions from smartphones connected to modern WiFi routers. This attack can infer individual numeric keystrokes with an accuracy rate of up to 90%, thus enabling the theft of numeric passwords. WiKI-Eve takes advantage of beamforming feedback information (BFI), a feature introduced with WiFi 5 (802.11ac) in 2013. BFI allows devices to send information about their location to routers, making it easier to precisely direct signals. However, the vulnerability lies in the fact that BFI data is exchanged in the clear, making it susceptible to interception and immediate use, without the need to hack the hardware or decipher the encryption keys.
This security flaw was discovered by a group of researchers from universities in China and Singapore. They conducted tests to recover potential secrets from these transmissions. Their results showed that it is relatively easy to identify numeric keystrokes with an accuracy rate of 90%, decode 6-digit numeric passwords with an accuracy of 85%, and crack strong app passwords with an accuracy rate of approximately 66%.
The WiKI-Eve attack
The WiKI-Eve attack operates in real time, intercepting WiFi signals as you enter your password. To carry out this attack, the attacker must actively monitor the target as they use their smartphone and try to access a specific application. Identifying the target is critical, and the attacker can use an identity indicator in the network, such as a MAC address, which requires some preparatory work. In the main phase of the attack, the attacker captures the time series of the victim's BFI during password entry using a traffic monitoring tool such as Wireshark. Every time the user presses a key, it affects the WiFi antennas behind the screen, generating a distinct WiFi signal. However, the recorded BFI series can blur the boundaries between keystrokes. To address this problem, the researchers developed an algorithm to analyze and restore usable data.
Results of the attack
In experiments with WiKI-Eve using a laptop and Wireshark, the researchers also observed that a smartphone could be used as an attack device, although it may have limitations regarding the number of WiFi protocols supported. The experiments, involving 20 participants using different phone models and typing different passwords, showed that WiKI-Eve's keystroke classification accuracy remained stable at 88.9% when using sparse recovery and domain adaptation algorithms. For six-digit numeric passwords, WiKI-Eve managed to guess them with an 85% success rate in less than one hundred attempts, maintaining a success rate above 75% in all tested environments. However, the distance between the attacker and the access point is critical. Increasing the distance from 1 meter to 10 meters resulted in a 23% decrease in success rate.
In conclusion
The research highlights adversaries' ability to infer secrets without hacking access points, simply by using network traffic monitoring tools and machine learning frameworks. This underlines the need for improved security measures in WiFi access points and smartphone apps, including features such as keyboard randomization, data traffic encryption, signal obscuration, CSI scrambling, WiFi channel scrambling and more.
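Keyboard randomization, the first mitigation listed above, shown as an added example that is not from the researchers or the original article: a PIN pad reshuffled for every entry, measured against a constructed observer. The slot model, the assumption that the observer recovers pressed key positions perfectly, and all function names are illustrative assumptions.

```python
import secrets

DIGITS = "0123456789"
FIXED_LAYOUT = list("1234567890")  # digit drawn in slot 0..9 of a standard PIN pad

def random_layout():
    """Per-entry layout: Fisher-Yates shuffle driven by the OS CSPRNG."""
    keys = list(DIGITS)
    for i in range(len(keys) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        keys[i], keys[j] = keys[j], keys[i]
    return keys

def touched_slots(pin, layout):
    """Assumed worst case: the side channel reveals exactly which slots were pressed."""
    return [layout.index(d) for d in pin]

def observer_guess(slots):
    """The observer cannot see the screen, so it maps slots through the standard layout."""
    return "".join(FIXED_LAYOUT[s] for s in slots)

def recovery_rate(trials, randomise):
    """Fraction of constructed random 6-digit PINs the observer recovers exactly."""
    hits = 0
    for _ in range(trials):
        pin = "".join(secrets.choice(DIGITS) for _ in range(6))
        layout = random_layout() if randomise else FIXED_LAYOUT
        hits += observer_guess(touched_slots(pin, layout)) == pin
    return hits / trials

if __name__ == "__main__":
    print("fixed layout     :", recovery_rate(2000, randomise=False))
    print("randomised layout:", recovery_rate(2000, randomise=True))
```

Shuffling per entry still leaks which presses within a single PIN hit the same slot, so it complements rather than replaces the other measures listed.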
09/12/2023 10:05
Editorial AI