Stealing passwords still ranks high among cybercriminals as an easy way to grab user and corporate data. According to Help Net Security, researchers have developed a way to nab smartphone personal identification numbers (PINs) and passwords in real time called WindTalker.

While the concept sounds futuristic, it’s absolutely possible and more than a little frightening. Here’s how a new breed of breezy burglars could spirit away critical password data.

Blowing Away Smartphone Security

As noted by Bleeping Computer, the WindTalker attack leverages radio signals in the form of channel state information (CSI), which is provided by general Wi-Fi protocols to report on the overall status of the signal. As users move their hands across smartphone keypads to enter PINs and passwords, however, this CSI changes. Researchers captured this variance in CSI, applied basic signal analysis and processing, and obtained almost 70 percent accuracy identifying which characters users typed into their phones.

This doesn’t require physical access to a victim’s device, just a public Wi-Fi network. According to the research team, the test access point was created using a commercial laptop, one external directional antenna and two omnidirectional antennae. The laptop — running Ubuntu 14.04 LTS with a modified driver to collect CSI data — also served as the Wi-Fi access point.

When set up in a public cafeteria, researchers were able to sniff out a six-digit code required to finish mobile transactions using large online payment platforms. Success varied based on the distance and position of the user. The researchers found it difficult to detect the attack since Wi-Fi channels regularly provide CSI and analyzing it doesn’t raise any red flags.

The team also enjoyed improved success if users “trained” WindTalker by repeatedly entering password or PIN data, allowing more confidence in character recognition.

Preventing WindTalker Attacks

While it’s hard to detect WindTalker attacks, preventing them isn’t terribly complicated: Either randomize the layout of PIN keypads or prevent CSI data from being collected via obfuscation or prevention of needed high-frequency Internet Control Message Protocol (ICMP) protocol pings.

The problem? While closing the door on this attack takes one more public Wi-Fi worry off the table, passwords remain a valuable target for fraudsters. As noted by Dark Reading, four of the top five cybercriminal strategies involve stealing or exploiting passwords, while compromising software doesn’t even make the list.

The cybersecurity industry is looking the wrong direction. High-profile coverage of malware attacks and zero-day vulnerabilities gives the impression that malicious code is the most prevalent threat to corporate data. In reality, terrible passwords, public Wi-Fi and social credential theft are much easier routes to the valuable, data-driven heart of an organization.

WindTalker is just a proof of concept. But it’s also a futuristic take on grabbing passwords that reinforces the current IT reality that credentials — not code — remain the weakest link in the security chain.