It is theoretically possible to accurately detect keystrokes using the Wi-Fi signals from a plain router, scientists from Michigan State University and the Nanjing University in China have discovered.
Researchers say that, in environments with minimal signal interference, an attacker could use the disruptions in the router's Wi-Fi signals to detect the keys an individual presses on their laptop and use this data to steal their passwords.
This is not a science fiction scenario because scientists did demo technologies in the past where they used Wi-Fi signals to detect a person's presence and movements in a room. Wi-Fi signals were also previously used to read hand gestures and lip movements, so the accuracy of Wi-Fi signals is well established in scientific circles. WiKey attack uses off-the-shelf equipment. For their experiment, called WiKey, researchers employed off-the-shelf equipment, such as a TP-Link TL-WR1043ND Wi-Fi router and a Lenovo X200 laptop.
In order to collect the tiny shifts in Wi-Fi signals, they used the router's MIMO (Multiple-Input and Multiple-Output) capabilities, which refer to a set of functions that allow each of the antennas to send multiple Wi-Fi signals on the same radio channel. Researchers used these multiple Wi-Fi signals like a scanner and swept the room to create a map of the environment. Because of this, WiKey only works in rooms with minimal movement and little to no human presence.
"WiKey uses tiny shifts in Wi-Fi signals to detect key presses"
When a person stands in front of the laptop and starts typing, WiKey is able to pick up disruptions in the Wi-Fi signals caused by the tiny shift of the user's hands, fingers and keys. "While typing a certain key, the hands and fingers of a user move in a unique formation and direction and thus generate a unique pattern in the time-series of Channel State Information (CSI) values, which we call CSI-waveform for that key," the researchers explain. The team says that, by training a special computer algorithm, their program would be able to detect which key presses are for what keys, and eventually manage to recover text entered on the laptop.
"Accuracy varies from 77% to 97.5%"
In an environment with little movement and a slow-typing user, the system's accuracy was 97.5 percent. In a real-world scenario, with Wi-Fi field disruptions and a faster-typing user, the system's accuracy was between 77.43 percent (30 training samples) and 93.47 percent (80 training samples). In spite of the lower precision, many threat actors would be more than happy to know three-quarters of your password.
Another downside of this attack is that, in a real-world scenario, an attacker would need time to train WiKey before being able to steal a target's passwords. Additionally, placing 2-3 persons with a laptop near each other renders the attack useless, with WiKey unable to distinguish between targets. The research paper titled Keystroke Recognition Using Wi-Fi Signals by Kamran Ali, Alex X. Liu, Wei Wang, and Muhammad Shahzad is available for download.