November 15, 2016 By Douglas Bonderud 2 min read

Stealing passwords still ranks high among cybercriminals as an easy way to grab user and corporate data. According to Help Net Security, researchers have developed a way to nab smartphone personal identification numbers (PINs) and passwords in real time called WindTalker.

While the concept sounds futuristic, it’s absolutely possible and more than a little frightening. Here’s how a new breed of breezy burglars could spirit away critical password data.

Blowing Away Smartphone Security

As noted by Bleeping Computer, the WindTalker attack leverages radio signals in the form of channel state information (CSI), which is provided by general Wi-Fi protocols to report on the overall status of the signal. As users move their hands across smartphone keypads to enter PINs and passwords, however, this CSI changes. Researchers captured this variance in CSI, applied basic signal analysis and processing, and obtained almost 70 percent accuracy identifying which characters users typed into their phones.

This doesn’t require physical access to a victim’s device, just a public Wi-Fi network. According to the research team, the test access point was created using a commercial laptop, one external directional antenna and two omnidirectional antennae. The laptop — running Ubuntu 14.04 LTS with a modified driver to collect CSI data — also served as the Wi-Fi access point.

When set up in a public cafeteria, researchers were able to sniff out a six-digit code required to finish mobile transactions using large online payment platforms. Success varied based on the distance and position of the user. The researchers found it difficult to detect the attack since Wi-Fi channels regularly provide CSI and analyzing it doesn’t raise any red flags.

The team also enjoyed improved success if users “trained” WindTalker by repeatedly entering password or PIN data, allowing more confidence in character recognition.

Preventing WindTalker Attacks

While it’s hard to detect WindTalker attacks, preventing them isn’t terribly complicated: Either randomize the layout of PIN keypads or prevent CSI data from being collected via obfuscation or prevention of needed high-frequency Internet Control Message Protocol (ICMP) protocol pings.

The problem? While closing the door on this attack takes one more public Wi-Fi worry off the table, passwords remain a valuable target for fraudsters. As noted by Dark Reading, four of the top five cybercriminal strategies involve stealing or exploiting passwords, while compromising software doesn’t even make the list.

The cybersecurity industry is looking the wrong direction. High-profile coverage of malware attacks and zero-day vulnerabilities gives the impression that malicious code is the most prevalent threat to corporate data. In reality, terrible passwords, public Wi-Fi and social credential theft are much easier routes to the valuable, data-driven heart of an organization.

WindTalker is just a proof of concept. But it’s also a futuristic take on grabbing passwords that reinforces the current IT reality that credentials — not code — remain the weakest link in the security chain.

More from

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today