Stealing passwords still ranks high among cybercriminals as an easy way to grab user and corporate data. According to Help Net Security, researchers have developed a way to nab smartphone personal identification numbers (PINs) and passwords in real time called WindTalker.

While the concept sounds futuristic, it’s absolutely possible and more than a little frightening. Here’s how a new breed of breezy burglars could spirit away critical password data.

Blowing Away Smartphone Security

As noted by Bleeping Computer, the WindTalker attack leverages radio signals in the form of channel state information (CSI), which is provided by general Wi-Fi protocols to report on the overall status of the signal. As users move their hands across smartphone keypads to enter PINs and passwords, however, this CSI changes. Researchers captured this variance in CSI, applied basic signal analysis and processing, and obtained almost 70 percent accuracy identifying which characters users typed into their phones.

This doesn’t require physical access to a victim’s device, just a public Wi-Fi network. According to the research team, the test access point was created using a commercial laptop, one external directional antenna and two omnidirectional antennae. The laptop — running Ubuntu 14.04 LTS with a modified driver to collect CSI data — also served as the Wi-Fi access point.

When set up in a public cafeteria, researchers were able to sniff out a six-digit code required to finish mobile transactions using large online payment platforms. Success varied based on the distance and position of the user. The researchers found it difficult to detect the attack since Wi-Fi channels regularly provide CSI and analyzing it doesn’t raise any red flags.

The team also enjoyed improved success if users “trained” WindTalker by repeatedly entering password or PIN data, allowing more confidence in character recognition.

Preventing WindTalker Attacks

While it’s hard to detect WindTalker attacks, preventing them isn’t terribly complicated: Either randomize the layout of PIN keypads or prevent CSI data from being collected via obfuscation or prevention of needed high-frequency Internet Control Message Protocol (ICMP) protocol pings.

The problem? While closing the door on this attack takes one more public Wi-Fi worry off the table, passwords remain a valuable target for fraudsters. As noted by Dark Reading, four of the top five cybercriminal strategies involve stealing or exploiting passwords, while compromising software doesn’t even make the list.

The cybersecurity industry is looking the wrong direction. High-profile coverage of malware attacks and zero-day vulnerabilities gives the impression that malicious code is the most prevalent threat to corporate data. In reality, terrible passwords, public Wi-Fi and social credential theft are much easier routes to the valuable, data-driven heart of an organization.

WindTalker is just a proof of concept. But it’s also a futuristic take on grabbing passwords that reinforces the current IT reality that credentials — not code — remain the weakest link in the security chain.

More from

Most organizations want security vendor consolidation

4 min read - Cybersecurity is complicated, to say the least. Maintaining a strong security posture goes far beyond knowing about attack groups and their devious TTPs. Merely understanding, coordinating and unifying security tools can be challenging.We quickly passed through the “not if, but when” stage of cyberattacks. Now, it’s commonplace for companies to have experienced multiple breaches. Today, cybersecurity has taken a seat in core business strategy discussions as the risks and costs have risen dramatically.For this reason, 75% of organizations seek to…

How IBM secures the U.S. Open

2 min read - More than 15 million tennis fans around the world visited the US Open app and website this year, checking scores, poring over statistics and watching highlights from hundreds of matches over the two weeks of the tournament. To help develop this world-class digital experience, IBM Consulting worked closely with the USTA, developing powerful generative AI models that transform tennis data into insights and original content. Using IBM watsonx, a next-generation AI and data platform, the team built and managed the entire…

How the FBI Fights Back Against Worldwide Cyberattacks

5 min read - In the worldwide battle against malicious cyberattacks, there is no organization more central to the fight than the Federal Bureau of Investigation (FBI). And recent years have proven that the bureau still has some surprises up its sleeve. In early May, the U.S. Department of Justice announced the conclusion of a U.S. government operation called MEDUSA. The operation disrupted a global peer-to-peer network of computers compromised by malware called Snake. Attributed to a unit of the Russian government Security Service,…

How NIST Cybersecurity Framework 2.0 Tackles Risk Management

4 min read - The NIST Cybersecurity Framework 2.0 (CSF) is moving into its final stages before its 2024 implementation. After the public discussion period to inform decisions for the framework closed in May, it’s time to learn more about what to expect from the changes to the guidelines. The updated CSF is being aligned with the Biden Administration’s National Cybersecurity Strategy, according to Cherilyn Pascoe, senior technology policy advisor with NIST, at the 2023 RSA Conference. This sets up the new CSF to…