Skip to main content
  1. Home
  2. Emerging Tech
  3. News

Hackers could decode passwords by analyzing the shadows of your fingers

By
CCS 2016 - When CSI Meets Public WiFi: Inferring Your Mobile Phone Password via WiFi Signals
If we want to continue enjoying a world that contains Wi-Fi, we may want to address some security issues present in our wireless LAN technology.

One such issue is described in a new paper published by the Association of Computing Machinery. The result of a collaboration between researchers at Shanghai Jaio Tong University, the University of Massachusetts at Boston, and the University of South Florida, it reveals how a malicious Wi-Fi hot spot could trace your fingers to reveal your online passwords.

Recommended Videos

The technique is called WindTalker, and it lets hackers effectively read the finger movements of a user as they pass over their phone display, using what is referred to as channel state information (CSI).

Related

Exploiting the so-called “keystroke inference framework” technique, the researchers were able to successfully retrieve passwords being used on Chinese payment platform Aliplay on various smartphones.

At a high level, WindTalker works by analyzing the shadows created on a mobile device and then piecing these together to work out specific keystrokes which are being made. When enough training examples have been completed, the researchers suggest that passwords can be reverse-engineered with as much as 81.7 percent accuracy.

While the hack itself does require specific hardware to carry out, this only costs in the order of hundreds of dollars and is relatively easy to obtain.

So what, if anything, can be done about the risk?

“One possible defense strategies is to randomize the layouts of the PIN keypad,” Haojin Zhu, a computer science professor who worked on the paper, told Digital Trends. “Second, one of the common assumptions for different kinds of side-channel based keystroke inference attacks is that the users need to type the passwords in fixed gestures — so another defense strategy is changing the typing gestures from time to time to keep themselves safe. Third, the user can prevent the collection of CSI. For example, it is recommended to use network firewalls to block the abnormal Wi-Fi packets.”

A bit like the commonsense holiday safety advice about not waving your expensive camera around, the best suggestion may be the most obvious, though. “One simple recommendation for the public is not to connect to insecure public Wi-Fi,” Professor Zhu continued.

Zhu also said that the team is currently working to develop, “a comprehensive defending framework to defend the various side channel attacks via Wi-Fi signals.”

On balance, we liked WindTalker a whole lot more when it was a 2002 Nicolas Cage movie about U.S. Marines in World War II…

Editors’ Recommendations

Topics
Luke Dormehl
Luke Dormehl
Former Digital Trends Contributor
I'm a UK-based tech writer covering Cool Tech at Digital Trends. I've also written for Fast Company, Wired, the Guardian…
Hackers targeted 1Password after Okta breach, but your logins are safe
A dark mystery hand typing on a laptop computer at night.

Security credentials like usernames and passwords are a tempting target for hackers, and even the best password managers can come under threat from time to time. That was the case recently with the popular password manager 1Password, which recently disclosed (via Bleeping Computer) that its Okta support system was breached by malicious hackers.

Fortunately, it doesn’t appear that any customer data was stolen, so if you use 1Password, your login info should be safe for now. However, it’s always good to regularly update your passwords (or use passkeys) just in case they fall into the wrong hands.

Read more
Hackers are using this incredibly sneaky trick to hide malware
A hacker typing on an Apple MacBook laptop, which shows code on its screen.

One of the most important things you can do to protect your online security is install one of the best password managers, but a recent cyberattack proves that you have to be careful even when doing that. Thanks to some sneaky malware hidden in Google Ads, you could end up with viruses riddling your PC.

The issue affects popular password manager KeePass -- or rather, it attempts to impersonate KeePass by using misleading Google Ads. First spotted by Malwarebytes, the nefarious link appears at the top of search results, meaning you’ll likely see it before the legitimate websites that follow beneath it.

Read more
Google is killing your passwords, and security experts are (mostly) happy
Logging into a Google account with passkeys on an iPhone.

Google is inching closer to making passwords obsolete. The solution is called "Passkeys," a unique form of password that is stored locally on your phone or PC, just the way a physical security key works. The passkeys are protected behind a layer of authentication, which can be your fingerprint or face scan — or just an on-screen pattern or PIN.

Passkeys are faster, linked across platforms, and save you the hassle of remembering passwords for websites or services that you have subscribed to. There is a smaller scope for human error, and the risks of 2-factor authentication code interception are also reduced.

Read more