Tuesday, December 13, 2016

Security Alert: Credit Card & CSV sniffed when using public WIFI, as well as all keyboard strokes on laptops

Paper (paywalled by ACM)

Digestible Article - http://thehackernews.com/2016/11/hack-wifi-password.html


Essentially, your fingers move in 3D space on your phone, crossing the radial 3D WIFI signal emitted by the public WIFI base station. The hacker app can detect these minor spatial disturbances and ascertain your keystrokes, specifically your PIN and credit card number, with a great degree of accuracy. All the hacker needs is to be on the same public WIFI as you.

Mobile Solution:

Don't use public WIFI (Starbucks, Seattle's Best, Dunkin' Donuts, McDonalds, Tim Hortons, Indigo) when making a payment. Switch it off.

2nd Technical Article - https://blog.acolyer.org/2016/11/10/when-csi-meets-public-wifi-inferring-your-mobile-phone-password-via-wifi-signals/

CSI in this case stands for channel state information, which represents the state of a wireless channel in a signal transmission process.

Brief Technical Summary - How it's done

Once hackers gain control of an unsecured public WIFI hotspot and your device is connected to it, they can intercept, analyze and reverse engineer these signals. They can then accurately guess the sensitive data or password you enter.
Because it needs no direct access to the victim's handset, the WindTalker app attack is quite effective, and the attack can achieve the same effect with non-smart phones.
The attack requires that the hacker control the WIFI hotspot the target connects to, so that the WIFI signal can be collected. The picture below shows the data collected and the keystrokes inferred.

Alert 2: Keyboard Sniffing

Any tablet/laptop with a keyboard will also fall prey to this attack.

The above mobile attack was derived from previous research on "keyboard sniffing", which applies to any device with a keyboard, such as a tablet (with an attachable keyboard) or a laptop. The key paper, "Keystroke Recognition Using WiFi Signals" (Sep 7, 2015), thoroughly describes using the software app WiKey to infer keystrokes. In the conclusion of the paper, we learn "WiKey can recognize keystrokes in a continuously typed sentence with an accuracy of 93.5%."

Digestible Article

Laptop Solution:

You can use the built-in On-Screen Keyboard when typing in sensitive passwords:
1. Windows 7, 8, 8.1, 10: Search for "On-Screen Keyboard" or Run -> type osk
2. Windows XP: Run -> type osk

