What is the technology "WindTalker" that personal information such as password and PIN code is stolen just by connecting to the Wi-Fi spot?

ByJeremy Brooks

A joint research group of Shanghai Jiao Tong University, University of South Florida, Massachusetts, Boston University demonstrates new technologies that can obtain personal information such as passwords, PIN codes, keystrokes, etc. of users connected to Wi-Fi hotspots did.

Wi-Fi Signal Interference Can Leak Your Passwords and Keystrokes
http://thehackernews.com/2016/11/hack-wifi-password.html

The technology demonstrated by a collaborative research group named "WindTalker" is that the touch screen of the smartphone and the typing of the keyboard can be read from the pattern of the radio signal called "CSI (Channel State Information)". CSI is part of the Wi - Fi protocol and serves to provide the status of Wi - Fi signals. If this technology is exploited by a hacker, there is a possibility that personal information may be stolen from the device connected to the fake Wi-Fi spot prepared by the hacker.

When a user inputs a PIN number or a password on a smartphone application, a lock screen or the like, the Wi-Fi signal emitted from the smartphone changes according to the movement of the user's finger, the finger movement data is stamped on the Wi-Fi signal I will. If a hacker who can control the public Wi - Fi spot intercepts, analyzes, reverse - engineers these signals, he can accurately grasp personal information such as passwords entered on the smartphone.


Attacks by WindTalker do not require access to the victim's smartphone itself, and hackers can attack using common smartphones. WindTalkerMIMOBecause it depends on the technology called, it seems that it can not be used with an old home Internet router with only one Wi - Fi antenna, but the latest type equipped with multiple antennasMIMO compatible routerIf it is, you can get information from the connected device.


In addition, researchers have completed WindTalker's attack test according to the real scenario, and China's settlement serviceAlipayI succeeded in stealing the 6 digit PIN code necessary for settlement of Alipay.

It is also possible that an attacker could improve the analysis accuracy of swiping and typing connected users by displaying specific information. For example, in providing free Wi-Fi access, letting you enter a specific number by imitating Text Captchas, you can train the user and more accurately guess information when typing personal information That's it. Also, WindTalker seems to be able to read keystrokes with accuracy of 68.3%, even with only training data "letting you enter only one key".

The accuracy of these analyzes will vary depending on the terminal, but as hackers continue to gather user information, accuracy will improve.