Stealing passwords still ranks high among cybercriminals as an easy way to grab user and corporate data. According to Help Net Security, researchers have developed a way to nab smartphone personal identification numbers (PINs) and passwords in real time called WindTalker.

While the concept sounds futuristic, it’s absolutely possible and more than a little frightening. Here’s how a new breed of breezy burglars could spirit away critical password data.

Blowing Away Smartphone Security

As noted by Bleeping Computer, the WindTalker attack leverages radio signals in the form of channel state information (CSI), which is provided by general Wi-Fi protocols to report on the overall status of the signal. As users move their hands across smartphone keypads to enter PINs and passwords, however, this CSI changes. Researchers captured this variance in CSI, applied basic signal analysis and processing, and obtained almost 70 percent accuracy identifying which characters users typed into their phones.

This doesn’t require physical access to a victim’s device, just a public Wi-Fi network. According to the research team, the test access point was created using a commercial laptop, one external directional antenna and two omnidirectional antennae. The laptop — running Ubuntu 14.04 LTS with a modified driver to collect CSI data — also served as the Wi-Fi access point.

When set up in a public cafeteria, researchers were able to sniff out a six-digit code required to finish mobile transactions using large online payment platforms. Success varied based on the distance and position of the user. The researchers found it difficult to detect the attack since Wi-Fi channels regularly provide CSI and analyzing it doesn’t raise any red flags.

The team also enjoyed improved success if users “trained” WindTalker by repeatedly entering password or PIN data, allowing more confidence in character recognition.

Preventing WindTalker Attacks

While it’s hard to detect WindTalker attacks, preventing them isn’t terribly complicated: Either randomize the layout of PIN keypads or prevent CSI data from being collected via obfuscation or prevention of needed high-frequency Internet Control Message Protocol (ICMP) protocol pings.

The problem? While closing the door on this attack takes one more public Wi-Fi worry off the table, passwords remain a valuable target for fraudsters. As noted by Dark Reading, four of the top five cybercriminal strategies involve stealing or exploiting passwords, while compromising software doesn’t even make the list.

The cybersecurity industry is looking the wrong direction. High-profile coverage of malware attacks and zero-day vulnerabilities gives the impression that malicious code is the most prevalent threat to corporate data. In reality, terrible passwords, public Wi-Fi and social credential theft are much easier routes to the valuable, data-driven heart of an organization.

WindTalker is just a proof of concept. But it’s also a futuristic take on grabbing passwords that reinforces the current IT reality that credentials — not code — remain the weakest link in the security chain.

More from

The Evolution of Antivirus Software to Face Modern Threats

Over the years, endpoint security has evolved from primitive antivirus software to more sophisticated next-generation platforms employing advanced technology and better endpoint detection and response.  Because of the increased threat that modern cyberattacks pose, experts are exploring more elegant ways of keeping data safe from threats.Signature-Based Antivirus SoftwareSignature-based detection is the use of footprints to identify malware. All programs, applications, software and files have a digital footprint. Buried within their code, these digital footprints or signatures are unique to the respective…

How Do Threat Hunters Keep Organizations Safe?

Neil Wyler started his job amid an ongoing cyberattack. As a threat hunter, he helped his client discover that millions of records had been stolen over four months. Even though his client used sophisticated tools, its threat-hunting technology did not detect the attack because the transactions looked normal. But with Wyler’s expertise, he was able to realize that data was leaving the environment as well as entering the system. His efforts saved the company from suffering even more damage and…

The White House on Quantum Encryption and IoT Labels

A recent White House Fact Sheet outlined the current and future U.S. cybersecurity priorities. While most of the topics covered were in line with expectations, others drew more attention. The emphasis on critical infrastructure protection is clearly a top national priority. However, the plan is to create a labeling system for IoT devices, identifying the ones with the highest cybersecurity standards. Few expected that news. The topic of quantum-resistant encryption reveals that such concerns may become a reality sooner than…

Contain Breaches and Gain Visibility With Microsegmentation

Organizations must grapple with challenges from various market forces. Digital transformation, cloud adoption, hybrid work environments and geopolitical and economic challenges all have a part to play. These forces have especially manifested in more significant security threats to expanding IT attack surfaces. Breach containment is essential, and zero trust security principles can be applied to curtail attacks across IT environments, minimizing business disruption proactively. Microsegmentation has emerged as a viable solution through its continuous visualization of workload and device communications…