November 15, 2016 By Douglas Bonderud 2 min read

Stealing passwords still ranks high among cybercriminals as an easy way to grab user and corporate data. According to Help Net Security, researchers have developed a way to nab smartphone personal identification numbers (PINs) and passwords in real time called WindTalker.

While the concept sounds futuristic, it’s absolutely possible and more than a little frightening. Here’s how a new breed of breezy burglars could spirit away critical password data.

Blowing Away Smartphone Security

As noted by Bleeping Computer, the WindTalker attack leverages radio signals in the form of channel state information (CSI), which is provided by general Wi-Fi protocols to report on the overall status of the signal. As users move their hands across smartphone keypads to enter PINs and passwords, however, this CSI changes. Researchers captured this variance in CSI, applied basic signal analysis and processing, and obtained almost 70 percent accuracy identifying which characters users typed into their phones.

This doesn’t require physical access to a victim’s device, just a public Wi-Fi network. According to the research team, the test access point was created using a commercial laptop, one external directional antenna and two omnidirectional antennae. The laptop — running Ubuntu 14.04 LTS with a modified driver to collect CSI data — also served as the Wi-Fi access point.

When set up in a public cafeteria, researchers were able to sniff out a six-digit code required to finish mobile transactions using large online payment platforms. Success varied based on the distance and position of the user. The researchers found it difficult to detect the attack since Wi-Fi channels regularly provide CSI and analyzing it doesn’t raise any red flags.

The team also enjoyed improved success if users “trained” WindTalker by repeatedly entering password or PIN data, allowing more confidence in character recognition.

Preventing WindTalker Attacks

While it’s hard to detect WindTalker attacks, preventing them isn’t terribly complicated: Either randomize the layout of PIN keypads or prevent CSI data from being collected via obfuscation or prevention of needed high-frequency Internet Control Message Protocol (ICMP) protocol pings.

The problem? While closing the door on this attack takes one more public Wi-Fi worry off the table, passwords remain a valuable target for fraudsters. As noted by Dark Reading, four of the top five cybercriminal strategies involve stealing or exploiting passwords, while compromising software doesn’t even make the list.

The cybersecurity industry is looking the wrong direction. High-profile coverage of malware attacks and zero-day vulnerabilities gives the impression that malicious code is the most prevalent threat to corporate data. In reality, terrible passwords, public Wi-Fi and social credential theft are much easier routes to the valuable, data-driven heart of an organization.

WindTalker is just a proof of concept. But it’s also a futuristic take on grabbing passwords that reinforces the current IT reality that credentials — not code — remain the weakest link in the security chain.

More from

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Cybersecurity Awareness Month: 5 new AI skills cyber pros need

4 min read - The rapid integration of artificial intelligence (AI) across industries, including cybersecurity, has sparked a sense of urgency among professionals. As organizations increasingly adopt AI tools to bolster security defenses, cyber professionals now face a pivotal question: What new skills do I need to stay relevant?October is Cybersecurity Awareness Month, which makes it the perfect time to address this pressing issue. With AI transforming threat detection, prevention and response, what better moment to explore the essential skills professionals might require?Whether you're…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today