When CSI Meets Public Wi-Fi:
Inferring Your Mobile Phone Password via Wi-Fi Signals
Presented By:
Keshav Yerra
Introduction
Smart mobile devices are everywhere.
Rise of Mobile Payment Applications
Online Mobile Payment
In Year 2015
900 million users
100 million transactions per day
1 trillion dollars in transactions
Payment Protections
Protections for mobile payment security
The Packets are encrypted
Transport Protocol: TLS/SSL
6-Digit Password
Limited Password attempts
Password Inference
Keystroke Inference Methods:
Accelerometer based method – 2015
Acoustic based method – 2014
Camera based method – 2014
Their assumptions do not hold in the mobile payment scenario.
Channel State Information
CSI: Channel State Information
CSI reflects the state of its transmission channel
WindTalker
■ WindTalker aims to find out what your password is by analyzing the interference with the multipath Wi-Fi signals caused by your hands as you type.
Features
Only one device required to attack
Identifies the sensitive input time window (e.g. password input) by considering the SSL traffic and CSI flow.
Successfully attacks Alipay mobile payment app on several mobile devices.
OUTLINE
■ Motivation
■ Attack Scenario
■ System Design
■ Evaluation
■ Conclusion
CSI Collection
■ Change the CSI collection method to get valid CSI data
Out-of-band Keystroke Inference (OKI) model
IKI model
In-band Keystroke Inference model (IKI)
CSI – Hand Motion
■ Factors influencing CSI during typing on mobile devices.
Finger Motion
CSI – Hand Coverage
■ Hand coverage's influence on CSI
CSI Stream
• Continuous press of numbers 1-0, each 5 times
CSI – Finger Motion
■ Finger click's influence on CSI – Sharp Convex
Quick click's influence on multipath propagation
CSI – Finger Motion
Possible to find Finger Motion
Possible to Identify Finger Motion
Attack Scenario
CHALLENGES
■ How to force the victim's device to be a Wi-Fi sender?
■ How to locate CSI segments generated by password input?
■ How to reduce noise in raw CSI data?
■ How to infer the password using CSI?
System Design
■ WindTalker system model
■ Four modules, four challenges
First Challenge
■ How to force the victim's device to be a Wi-Fi sender?
■ CSI collection module
ICMP based CSI Collection module
CSI can be extracted from Wi-Fi packet’s preamble
ICMP based CSI Acquirement module
• The attacker sends ICMP requests at 800 Hz and obtains CSI data at 800 Hz
• Can be done without the victim’s knowledge
Second Challenge
■ How to locate CSI segments generated by password input?
Sensitive Input Module
■ How to locate CSI segments generated by password input?
Third Challenge
■ How to reduce noise in raw CSI data?
Signal Processing Methods
■ Using directional antennas instead of omnidirectional antennas
■ Reducing Noise
1. Low Pass Filtering
2. Dimension Reduction
Fourth Challenge
■ How to infer the password using CSI?
■ Data Preprocessing Module
Password Inference Module
Classification between different numbers
10 volunteers
3 types of phones
Each volunteer: press 10 loops
Each loop: from 1-2-3…0
Classification between different numbers
Classification Results:
82% in Xiaomi, 73% in Nexus, 64% in Samsung
Limitations
■ Hardware Limitation
■ Fixed Typing Gesture
Countermeasure
■ Random Layouts of Keyboard
■ Changing typing gestures
■ Preventing the collection of CSI
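One way an access point or monitoring host could support the "preventing the collection of CSI" countermeasure is to spot the sustained high-rate ICMP echo stream that the collection module relies on (800 Hz in the slides). The sketch below is an added example, not code from the presentation or the WindTalker authors; the packet tuple format, IP addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

ICMP_ECHO_REQUEST = 8  # ICMP type value for an echo request


def build_sample():
    """Constructed capture: (timestamp_s, src_ip, dst_ip, icmp_type) tuples."""
    pkts = []
    # Constructed prober: 800 echo requests/s to one client for 3 s.
    pkts += [(i / 800.0, "10.0.0.66", "10.0.0.23", 8) for i in range(2400)]
    # The client's echo replies (type 0) must not be counted as probes.
    pkts += [(i / 800.0 + 0.0005, "10.0.0.23", "10.0.0.66", 0) for i in range(2400)]
    # Ordinary ping at 1 Hz.
    pkts += [(float(i), "10.0.0.5", "10.0.0.23", 8) for i in range(3)]
    # Short 0.3 s burst at 1000 Hz: fast, but not sustained.
    pkts += [(1.0 + i / 1000.0, "10.0.0.9", "10.0.0.40", 8) for i in range(300)]
    return pkts


def find_sustained_echo_flows(packets, min_rate=200.0, window=1.0, min_duration=2.0):
    """Return {(src, dst): seconds} for flows whose echo-request rate stays at or
    above min_rate (packets/s over a sliding window) for at least min_duration.
    All three thresholds are assumed values to be tuned per network."""
    recent = defaultdict(deque)  # flow -> timestamps inside the sliding window
    hot_since = {}               # flow -> time the rate first reached min_rate
    flagged = {}                 # flow -> longest sustained duration seen
    for ts, src, dst, icmp_type in sorted(packets):
        if icmp_type != ICMP_ECHO_REQUEST:
            continue
        flow = (src, dst)
        q = recent[flow]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that left the window
            q.popleft()
        if len(q) / window >= min_rate:
            start = hot_since.setdefault(flow, ts)
            if ts - start >= min_duration:
                flagged[flow] = max(flagged.get(flow, 0.0), ts - start)
        else:
            hot_since.pop(flow, None)  # rate dropped: streak is over
    return flagged


if __name__ == "__main__":
    for (src, dst), secs in find_sustained_echo_flows(build_sample()).items():
        print(f"sustained ICMP echo stream {src} -> {dst} for {secs:.2f} s")
```

A flagged flow is a candidate for rate limiting or dropping echo requests toward that client, which removes the steady packet stream the CSI measurement depends on.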
Conclusion and Future Work
■ WindTalker is an interesting attack that uses information from the physical layer to attack applications in the upper layers.
■ It is expected to have a broad potential application for password inference in mobile devices.
■ A major issue is that the CSI collection module is not that reliable.
■ Due to the limitation of the Intel 5300 NIC, the current WindTalker cannot work for iOS devices, which will be a part of future work.