revealing your mobile password via wifi signals: …naruan/publications/journal/revealing...2.1...

1536-1233 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TMC.2019.2893338, IEEETransactions on Mobile Computing

IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 14, NO. 8, AUGUST 2015 1

Revealing Your Mobile Password via WiFiSignals: Attacks and CountermeasuresYan Meng, Jinlei Li, Haojin Zhu, Senior Member, IEEE, Xiaohui Liang, Member, IEEE,

Yao Liu, Member, IEEE, and Na Ruan, Member, IEEE,

Abstract—In this study, we present WindTalker, a novel and practical keystroke inference framework that can be used to infer thesensitive keystrokes on a mobile device through WiFi-based side-channel information. WindTalker is motivated from an observationthat keystrokes on mobile devices will lead to different hand coverage and the finger motions, which will introduce a unique interferenceto the multi-path signals and can be reflected by the channel state information (CSI). An attacker can exploit the strong correlationbetween the CSI fluctuation and the keystrokes to infer the user’s password input. Compared with the previous keystroke inferenceapproaches, WindTalker neither deploys external equipment physically close to the target device nor compromises the target device.Instead, it employs a more practical setting by deploying a free public WiFi hotspot and collects the CSI data from the target device aslong as the device is connected to the hotspot. In addition, to improve inference accuracy and efficiency, it analyzes the WiFi traffic toselectively collect CSI only for the sensitive period where password entering occurs. WindTalker can be implemented without therequirement of visually seeing the target device, or installing any malware on the device. We tested Windtalker on several mobilephones and performed a detailed case study to evaluate the practicality of the password inference towards Alipay, the largest mobilepayment platform in the world. Furthermore, we proposed a novel CSI obfuscation countermeasure to thwart the inference attack. Theevaluation results show that the performance of WindTalker can be dramatically reduced by adopting the proposed countermeasures.

Index Terms—Channel State Information, Online Payment, Password Inference, Traffic Analysis, Wireless Security.

F

1 INTRODUCTION

SMARTPHONES and tablets are widely used for perform-ing privacy sensitive transactions of banking, payment,

and social applications. Unlike stationary devices connect-ing to a secure network and sitting in a physically-securespace, these mobile devices are often carried by a mobileuser and connected to a dynamic network where attackerscan physically approach the target user’s device and launchvarious direct and indirect eavesdropping attacks. Whiledirect eavesdropping attacks aim at directly observing theinput of the target device from its screen or keyboard,indirect eavesdropping attacks, a.k.a. side-channel attacksmake use of side channels to infer the inputs on the targetdevices. Prior works [2], [3], [4], [5], [6], [7], [8], [9], [10]have shown that both types of attacks can be effective incertain conditions. Particularly for the side-channel attacks,it is shown that the PIN number and the words entered atkeyboard can be inferred from the electromagnetic signalat radio antenna [2], the acoustic signal at microphone [3],[4], [5], the visible light at camera [6], [7], and the motion

• Haojin Zhu is the corresponding author.• Y. Meng, J. Li, H. Zhu, N. Ruan are with the Shanghai Key Labo-

ratory of Scalable Computing and Systems, Department of ComputerScience and Engineering, Shanghai Jiao Tong University, Shanghai200240, China (e-mail: yan [email protected]; [email protected];[email protected]; [email protected]).

• X. Liang is with the Department of Computer Science, University of Mas-sachusetts at Boston, MA 02125, USA (e-mail: [email protected]).

• Y. Liu is with the Department of Computer Science and Engineer-ing, University of South Florida, Tempa, FL 02125, USA (e-mail:[email protected]).

• The preliminary version of this paper titled “When CSI Meets PublicWiFi: Inferring Your Mobile Phone Password via WiFi Signals” waspublished in the Proc. of ACM CCS, 2016 [1].

status at motion sensors [8], [9], [10]. To access the sidechannels, these works often assume either external signalcollector devices are physically close to the target device(for example, 30 cm in [2]) or the sensors of the targetdevices are compromised to provide side channel infor-mation. However, in a mobile scenario, both assumptionsare hardly true and the impact of attacks is thus limited.In addition, the prior works have studied the keystrokeinference aiming at achieving a high inference accuracy on aseries of keystrokes during a relatively-long period of time.However, the keystrokes on a mobile device are not alwayshighly sensitive. Obviously, the eavesdropping attacker hasa greater interest in obtaining the payment PIN number ina short moment than a regular typing information. There-fore, to increase the inference accuracy and efficiency, theapplication context information needs to be considered inthe keystroke inference framework.

In this paper, we present WindTalker, a novel and prac-tical keystroke inference framework that can be used toinfer sensitive keystrokes on a mobile device through WiFisignals. WindTalker is motivated from an observation thatthe typing activity on mobile devices involves hand and thefinger motions, which produce a recognizable interferenceto the multi-path WiFi signals from the target device to theWiFi router that connects to the device. Unlike prior side-channel attacks or traditional CSI based gesture recognition,WindTalker neither deploys external devices close to thetarget device nor compromises any part of the target device;instead, WindTalker setups a ‘rogue’ hotspot to lure thetarget user with free WiFi service, which is easy-to-deployand difficult-to-detect. As long as the target mobile device isconnected to the rogue WiFi hotspot, WindTalker intercepts




the WiFi traffic and selectively collects the channel stateinformation (CSI) between the target device and the hotspot.

WindTalker has three major technical challenges. i) Theimpact of the hand and finger movement of keystrokes onCSI waveforms is very subtle. An effective signal analysismethod is needed to analyze keystrokes from the limitedCSI. ii) The prior CSI collection method requires two WiFidevices, one as a signal sender and the other as a signalreceiver, which are deployed close to the victim. A moreflexible and practical CSI collection method is highly desir-able for the mobile device scenario. iii) The key inferencemust be done at some selective moments for obtaining asensitive keystroke, such as payment PIN number. Suchcontext-oriented CSI collection has not been addressed byprior works. The contributions of our paper are as follows.

• We present a practical cross-layer based approachfor mobile payment password inference on smart-phones using public WiFi architecture. We proposea novel password inference model which analyzesboth physical layer information (CSI) and networklayer traffic.

• We present a novel ICMP-based CSI collectionmethod, without compromising the victim’s deviceor deploying an external device very close to thevictim’s device. We develop an IP pool based methodto recognize the PIN input period. And we proposean effective keystroke inference algorithm based onthe collected CSI.

• We perform extensive evaluations on password infer-ence at the mobile payment platform Alipay, which issecured by the HTTPS protocol and thus traditionallybelieved to be secure. We investigate the impact ofvarious factors on WindTalker and we demonstratethat WindTalker can infer the PIN number at a highsuccessful rate.

• We introduce some effective countermeasures tothwart the inference attack. Especially, we proposea novel CSI obfuscation algorithm to prevent theattacker to collect the accurate CSI data withoutthe requirements of user’s participation. This coun-termeasure could minimize the impact on the userexperience and we perform experiments to proveits ability to reduce the attacking performance ofWindTalker.

The remainder of this paper is organized as follows. InSection 2, we introduce the background of this work. InSection 3, we introduce the research motivation by showingthe correlation of keystroke and CSI changing. We presentthe detailed design in Section 4, which is followed by Eval-uation, Real-world experiment, Impact of various factors,Countermeasures, Limitations and Related work in Section5, 6, 7, 8, 9 and 10, respectively. Finally, we conclude thispaper in Section 11.

2 BACKGROUND

In this section, we introduce our attack scenario, theoverview of the keystroke inference methods, and prelim-inaries of channel state information.

Establish Wi-Fi connection RX

TX

ICMP Request

ICMP Reply

Collect both CSI data and WiFi traffic from user’s deviceUser’s device

Attacker

(a) IKI Model

RX

TX

WiFi Router

User’s device Attacker

Only collect CSI data

3G\4G\WiFi

WiFi

Signals

(b) OKI Model

Fig. 1. WiFi-based Keystroke Inference Models

2.1 ScenarioWe consider a scenario where a user has a mobile device,such as a smartphone and he or she is using the free publicWiFi through the device. It is a very common situation thatpeople could have in the shopping mall, the airport, andrestaurants. A WiFi hotspot is set up at a corner or on theceiling, an unnoticeable location from the user’s view. Theuser searches all the available WiFi signals at her device, andchooses to connect with the WiFi hotspot if the name of thehotspot “looks” good and the hotspot is authentication-free.With the use of application layer security protocol (HTTPS),the user may believe that the Internet traffic is protectedfrom end-to-end such that the content shown at the deviceand the user’s inputs at the device will be only known toherself and the service provider. However, as we will show,our WindTalker framework presents an effective keystrokeinference method targeting at the mobile device.

2.2 In-band keystroke inference modelDifferent with existing works [2], [11], [12], WindTalkerchooses In-band Keystroke Inference (IKI) model. As shownin Fig. 1(a), WindTalker deploys one Commercial Off-The-Shelf (COTS) WiFi device close to the target device, whichcould be a WiFi hotspot. The WiFi hotspot provides freeWiFi networks for nearby users. When a user connects herdevice to the hotspot, the WiFi hotspot is able to monitor theapplication context by checking the pattern of the transmit-ted WiFi traffic. In addition, the WiFi hotspot periodicallysends ICMP packets to obtain the CSI information fromthe target device. With the meta data of the WiFi trafficcollected by hotspot, WindTalker knows when the sensitiveoperations (such as typing password) happen. And then, thehotspot adaptively launches CSI-based keystroke inferencemethod to recognize sensitive key inputs. To the best of ourknowledge, the IKI method we propose is the first one usingexisting network protocols of IEEE 802.11n/ac standard toobtain the application context and the CSI information atmobile devices.

Note that the existing works about CSI based gesturerecognition choose another strategy: Out-of-band KeystrokeInference (OKI) model [2]. In this model, the adversarydeploys two COTS WiFi devices close to the target deviceand makes sure the target device is placed right betweentwo COTS WiFi devices. One is the sender device contin-uously emitting signals and the other one is the receiverdevice continuously receiving the signals. The keystrokesare inferred from the multi-path distortions in signals.

Compared with OKI model, the proposed IKI modelhas the following advantages. Firstly, IKI model does notrequire the placement of both sender and receiver device




and can be deployed in a more flexible and stealthy way.Secondly, in OKI model, the user device is not connectedwith attacker’s device, so that the attacker cannot obtain theWiFi traffic from the user’s device. Therefore, OKI modelfails to differentiate the non-sensitive operations on mobiledevices (e.g., clicking the screen to open an APP or just forweb-browsing) from sensitive operation (e.g., inputting thepassword). Instead, IKI model allows the attacker to obtainboth of un-encrypted meta data traffic as well as the CSIdata to launch a more fine-grained attack.

2.3 Channel State InformationThe basic goal of WindTalker is measuring the impact ofhand and fingers’ movement on WiFi signals and leveragingcorrelation of CSI and the unique hand motion to recognizePIN. In the below, we briefly introduce the CSI relatedbackgrounds.

WiFi Standards like IEEE 802.11n/ac all supportMultiple-Input Multiple-Output (MIMO) and OrthogonalFrequency Division Multiplexing (OFDM), which are ex-pected to significantly improve the channel capacity ofthe wireless system. In a system with transmitter antennanumber NTX , receiver antenna number NRX and OFDMsubcarriers number Ns, system will use NTX ×NRX ×Nssubcarriers to transmit signal at the same time.

CSI measures Channel Frequency Response (CFR) indifferent subcarriers f . CFR H (f, t) represents the stateof wireless channel in a signal transmission process. LetX (f, t) and Y (f, t) represent the transmitted and receivedsignal with different subcarrier frequency. H (f, t) can becalculated in receiver using a known transmitted signal via

Y (f, t) = H (f, t)×X (f, t) (1)

Since the received signal reflects the constructive and de-structive interference of several multi-path signals scatteredfrom the wall and surrounding objects, the movements ofthe fingers while password input can generate a uniquepattern in the time-series of CSI values, which can be usedfor keystrokes recognition.

Many commercial devices such as Atheros 9390 [13],Atheros 9580 [14] and Intel 5300 [15] network interfacecards (NICs) with special drivers provide open access toCSI value. In this study, we adopt Intel 5300 NICs, whichfollows IEEE 802.11n standard [16] and can work in 2.4GHzor 5GHz. By selecting a group of 30 OFDM subcarriers oftotally 56 subcarriers, Intel 5300 NICs collect CSI value foreach TX-RX antenna pair.

3 MOTIVATION

In this section, we illustrate the rationale behind CSI basedkeystroke inference on smart phones using real-world ex-periments. Fig. 2(a) shows the sketch of typical touchingscreen during the PIN entry for mobile payment (e.g., Ali-pay or Wechat pay). We particularly focus on the verticaltouch and the oblique touch, which are two most commontouching gestures [17], [18], [19]. As shown in Fig. 2(b)and Fig. 2(c), oblique touch is the most common typinggesture which happens when people press different keys,and vertical touch usually happens when the human con-tinuously presses the same key. Fig .2(d) shows the original

(a) Finger typing

X

Y

Z

X

YZ

(b) Vertical Touch

X

Y

Z

X

Y

Z

(c) Oblique Touch

0 500 10000

10

20

30

40

50

60

70

CSI Sample Index

CSI

Val

ue

Keystroke

(d) CSI Waveforms from the 21stto the 30th Subcarrier

0 500 1000-100

-50

0

50

100

CSI Sample Index

CSI

Val

ue a

fter P

roce

ssed

Oblique Touch

Vertical Touch

(e) Impact of Click and Coverage

Fig. 2. Finger’s Influence on CSI

0 1 2 3 4 5 6 7x 104

0

10

20

30

40

50

CSI Sample Index

CSI

Val

ue

(a) Continuously Clicking in the Same Key

2000 4000 6000

15

20

25

30

35

40

CSI

Val

ue

Number 1

CSI Sample Index4 4.2 4.4

x 104

0

5

10

15

20

CSI

Val

ue

Number 6

CSI Sample Index5.6 5.8 6 6.2

x 104

15

20

25

30

35

CSI

Val

ue

Number 8

CSI Sample Index7.3 7.4 7.5 7.6 7.7

x 104

15

20

25

30

35

40

CSI

Val

ue

Number 0

CSI Sample Index

(b) Continuously Clicking in Different Keys

Fig. 3. CSI Change when Typing

CSI waveforms from the 21st subcarrier to 30th subcarrierduring once keystroke. It can be seen that CSI waveformscollected by Intel 5300 NIC are affected by the keystroke andthe fluctuations of these ten waveforms are similar. Fig. 2(e)shows the processed CSI value for the keystroke (the processmethod is mentioned in Section 4). We find that the patternof processed CSI value is very closely related to oblique andvertical touch, and this pattern could be used to characterizethe corresponding keystroke.

We further investigate how these two common typinggestures influence CSI. Generally speaking, since CSI re-flects the constructive and destructive interference of severalmulti-path signals, the change of multi-path propagation




during the PIN entry can generate a unique pattern in thetime-series of CSI values, which can be used for keystrokesinference. From our experiments, we found that two mainfactors contributing to CSI changes are hand coverage andthe finger click.

Hand coverage and finger position on a smart phonetouchscreen are one of the major factors that cause the fluc-tuation of CSI waveform. Since time series of CSI waveformreflects the interference of several multi-path signals, differ-ent finger position and coverage will inevitably introducethe interference to the WiFi signals and thus lead to thechanges of the CSI. We further demonstrate the relationshipbetween CSI variation and finger position/coverage viaa series of experiments. Fig. 3(a) shows a CSI waveformwhen continuously pressing different number from 1 to 9,followed by 0, each for 5 times. It can be seen that thedifferent coverage leads to the different fluctuation rangeof the CSI value, which can be exploited for key inference.

Finger click is another important factor that contributesto the fluctuation of CSI. Compared with CSI change causedby the hand coverage, the experiment shows that finger clickhas a more direct influence on CSI by introducing a sharpconvex in Fig. 3(b), which corresponds to the quick click’sinfluence on multi-path propagation. This feature can beused to distinguish the oblique touches in the case that thehuman continuously presses the same key or the adjacentkeys, which produce similar CSI values.

4 THE DESIGN OF WINDTALKER

4.1 System OverviewThe basic strategy of WindTalker is hitting two birds withone stone. On one hand, it analyzes the WiFi traffic toidentify the sensitive attack windows (e.g., PIN number)on smartphones. On the other hand, as long as an attackwindow is identified, WindTalker starts to launch the CSIbased keystroke recognition. As shown in Fig. 4, WindTalkeris consisted of the following modules: Sensitive Input WindowRecognition Module, which is responsible for distinguishingthe sensitive input time windows, ICMP Based CSI Acquire-ment Module, which collects the user’s CSI data during hisaccess to WiFi hotspot, Data Preprocessing Module, whichpreprocesses the CSI data to remove the noises and reducethe dimension, Keystroke Extraction Module, which enablesWindTalker to automatically determine the start and theend point of keystroke waveform, and Keystroke InferenceModule, which compares the different keystroke waveformsand determines the corresponding keystroke.

4.2 Sensitive Input Window Recognition ModuleTo distinguish the time window of the sensitive input fromthat of the insensitive input, WindTalker captures all packetsof the victim with Wireshark and records the timestampof each CSI data. Currently, most of the important appli-cations are secured via HTTPS, which provides end-to-endencryption and prevents the eavesdropper from obtainingthe sensitive data such as the password. Our insight is thatthough HTTPS provides end-to-end encryption, it cannotprotect the meta data of the traffic such as the IP addressof the destination sever, which can be used to recognizesensitive input window.

Connected Victim

Sensitive Input

Directional Antenna

Internet Control Message Protocol

CSINoise

RemovalDimension Reduction

Keystroke Extraction

Keystroke Recognition

Output

WiFi Packets Analysis

Fig. 4. WindTalker Framework

TABLE 1Payment applications and their sensitive IP addresses.

Payment application IP addressAlipay 110.76.15.1xx & 110.75.236.xx

Wechat Pay 182.254.78.1xxJD Pay 111.13.142.x

In particular, WindTalker builds a Sensitive IP Pool forthe interested applications or services. Take the AliPay asan example. During the payment process, the data packetswill be directed to a limited number of IP addresses, whichcan be obtained via a series of trials. In the experimentalevaluation, it is shown that, for Alipay users, the traffics ofthe users under the same network will be directed to thesame server IP, which will last for a period (e.g., severaldays for one round of experiment). Therefore, it is feasibleto try to access the interested applications or services atregular intervals and append the obtained IP addresses tothe Sensitive IP Pool. This constantly updated pool allowsWindTalker to figure out the sensitive input time window.

To evaluate this method, we conduct experiments onthree popular mobile payment applications (i.e., Alipay,Wechat Pay and JD Pay) and capture the network trafficusing WireShark. We completed mobile payment for eachapplication ten times. As shown in Table 1, for a certainapplication, when the password input process starts, somepackets with a specific IP address will happen. This resultdemonstrates the effectiveness of the sensitive IP pool basedmethod. Therefore, during the attack process, as long as thetraffic to the IP addresses contained in the Sensitive IP Poolis observed, WindTalker will extract these traffic, and thenrecord the corresponding start time and the end time, whichserve as the start and the end of the Sensitive Input Window.Then, it starts to analyze the CSI data in this period to launchthe password inference attack via WiFi signals.

4.3 ICMP based CSI Acquirement Module4.3.1 Collecting CSI Data by Enforcing ICMP ReplyDifferent from the previous works which rely on two de-vices including both of the sender and the receiver to collectCSI data, we apply an approach that leverages InternetControl Message Protocol (ICMP) in hotspot to collect CSIdata during the user accesses to the pre-installed accesspoint. In particular, WindTalker periodically sends a ICMPEcho Request to the victim smartphone, which will replyan Echo Reply for each request. To acquire enough CSI




information of the victim, WindTalker needs to send ICMPEcho Request at a high frequency, which enforces the victimto replay at the same frequency. In practice, WindTalker canwork well for several smartphones such as Xiaomi, Redmiand Samsung at the rate of 800 packets per second. It isimportant to point out that this approach does not requireany permission of the target smartphone and is difficult tobe detected by the victim.

ICMP based CSI collection approach introduces a limitednumber of extra traffics. For a 98 bytes ICMP packet, whenwe are sending 800 ICMP packets per second to the victim,it needs only 78.4 KB/s for the attack where 802.11n cantheoretically support the transmission speed up to 140 Mbitsper second. It is clear that the proposed attack makes littleinterference to the WiFi experience of the victim.

4.3.2 Reducing Noise via Directional Antenna

CSI will be influenced by both finger movement and peo-ple’s body movement. One of the major challenges of ob-taining the exact CSI data in public space is how to minimizethe interference caused by the nearby human beings. Wepresent a noise reduction approach by adopting the direc-tional antenna. Different from omnidirectional antennas thathave a uniform gain in each direction, directional antennashave a different antenna gain in each direction. As a resultthe signal level at a receiver can be increased or decreasedsimply by rotating the orientation of the directional antenna.WindTalker employs directional antenna to focus the energytoward the target of interest, which is expected to minimizethe effects of the nearby human body movement.

WindTalker employs a TDJ-2400BKC antenna workingin 2.4GHz to collect CSI data of the targeted victim, whoseHorizontal Plane -3dB Power Beamwidth and Vertical Plane-3dB Power Beamwidth are 30◦ and 25◦ respectively.

Fig. 5 shows the comparison of CSI collection with di-rectional antenna and without directional antenna in publicplace. Fig. 5(b), Fig. 5(c), Fig. 5(d) show CSI amplitude in thecase that a victim is located at 75, 125, 150 cm accordinglyaway from directional antenna while one human movingnearby. Unique pattern caused by finger click in number1 can be easily caught from the original CSI waveformwithout any preprocessing. However, these patterns aresubmerged in human body’s influence on CSI waveformobtained by omni-directional antenna even when the victimand attacker is close as 75 cm, which is shown in Fig. 5(a). Inthe following sections, we only discuss the CSI acquirementwith directional antenna.

4.4 Data Preprocessing Module

Before launching keystroke inference module, WindTalkerneeds to preprocess the CSI data to remove the noisesintroduced by commodity WiFi NICs due to the frequentchanges in internal CSI reference levels, transmission powerlevels, and transmission rates. To achieve this, WindTalkerfirst turns to wavelet denoising to remove noises from theobtained signals. Then, WindTalker leverages the PrincipalComponent Analysis to reduce the dimensionality of thefeature vectors to enable better analysis of the data.

0 2000 400020

30

40

50

CSI Sample Index

CSI

Val

ue

(a) Omnidirectional An-tenna in 75cm

0 1000 2000 300016182022242628

CSI Sample Index

CSI

Valu

e

(b) Directional Antenna in75cm

0 2000 400018

20

22

24

26

28

CSI Sample Index

CSI

Val

ue

(c) Directional Antenna in125cm

0 2000 400016

18

20

22

CSI Sample Index

CSI

Val

ue

(d) Directional Antenna in150cm

Fig. 5. Antenna Performance in Public Place

4.4.1 Wavelet DenoisingWe observe that the variation of CSI waveforms causedby finger motion normally appears at the low end of thespectrogram while the frequency of the noise occupies at thehigh end of the spectrogram. We do not adopt the low-passfilter since high-frequency signal includes some finger mo-tion characters. In this paper, wavelet denoising method isused to remove noise from the raw signal. Different from thetraditional frequency analysis such as Fourier Transform,Discrete Wavelet Transform (DWT) is the time-frequencyanalysis which has a good resolution at both of the time andfrequency domains. WindTalker can thus leverage DWT toanalyze the finger movement in varied frequency domains.Wavelet denoising includes three main steps as follows:

Discrete Wavelet Transform: Generally speaking, a dis-crete signal x [n] can be expressed in terms of the waveletfunction by the following equation:

x[n] =1√L

∑k

Wφ[j0, k]φj0,k[n]

+1√L

∞∑j=j0

∑k

Wψ[j, k]ψj,k[n]

(2)

Where x[n] represents the original discrete signal and Lrepresents the length of x[n]. φj0,k[n] and ψj,k[n] refer towavelet basis. Wφ[j0, k] and Wψ[j, k] refer to the waveletcoefficients. The functions φj0,k[n] refer to scaling functionsand the corresponding coefficients Wφ[j0, k] refer to theapproximation coefficients. Similarly, functions ψj,k[n] referto wavelet functions and coefficients Wψ[j, k] refer to detailcoefficients. To obtain the wavelet coefficients, the waveletbasis φj0,k[n] and ψj,k[n] are chosen to be orthogonal to eachother.

During the decomposition process, the origin signal isfirst divided into the approximation coefficients and detailcoefficients. Then the approximation coefficients are itera-tively divided into the approximation and detail coefficients




CSI Sample Index

Subc

arrie

r Ind

ex

2000 4000 6000 8000

5

10

15

20

25

30 15

20

25

30

35

40

45

Not Sensitive

(a) CSI Waveforms while TypingKeystroke

0 2000 4000 6000 800015

20

25

30

35

40

45

CSI Sample Index

CSI

Vau

e

(b) 1st Subcarrier: Sensitive

0 2000 4000 6000 800024

26

28

30

32

34

36

CSI Sample Index

CSI

Vau

e

(c) 16th Subcarrier: Not Sen-sitive

10 20 300

10

20

30

Subcarrier Index

Varia

nce

(d) Variance of each Subcarrier

Fig. 6. Subcarrier Selection Algorithm

of next level. The approximation and the detail coefficientsin jth level can be calculated as follows:

Wφ[j0, k] = 〈x[n], φj0+1,k[n]〉 =1√L

∑n

x[n]φj0+1,k[n] (3)

Wψ[j, k] = 〈x[n], ψj+1,k[n]〉 =1√L

∑n

x[n]ψj+1,k[n] (4)

Threshold Selection: After recursive DWT decomposi-tion, the raw signal is broken into detail coefficients (high-frequency) and approximation coefficients (low-frequency)at different frequency levels. Then, the threshold is appliedto the detail coefficients to remove their noisy part. Thethreshold selection is important because a small thresholdwill remain the noisy components while a large thresholdwill lose the major information of signals. In this paper,the minimax threshold is chosen based on it’s dynamic,effectiveness and simplicity [20].

Wavelet Reconstruction: After the above two steps, wereconstruct the signal to achieve noise removal by com-bining the coefficients of the last approximation level withall details which have applied threshold. Wavelet selectionplays a key role in wavelet decomposition and reconstruc-tion. There are many wavelet bases such as Daubechies andHaar wavelet [20]. In practice, we choose Daubechies D4wavelet and perform 5-level DWT decomposition in waveletdenoising in our study.

4.4.2 Dimension ReductionDimension reduction is essential for keystroke inferencevia CSI information. For a CSI recording system usingIntel 5300 NICs with NTX transmitter antennas and NRXreceiver antennas, it can collect NTX × NRX × 30 CSIwaveforms. It is important to reduce the dimensionality ofthe CSI information obtained from 30 subcarriers in eachTX-RX pair and recognize those subcarriers which show thestrongest correlation with the hand and fingers movements.WindTalker adopts PCA to choose the most representativeor principal components from all CSI time series. PCA isalso expected to remove the uncorrelated noisy components.The procedure of dimension reduction of CSI time seriesbased on PCA includes the following steps.

Subcarrier Selection: We observe that the CSI waveformsfrom different subcarriers have different sensitivities to CSIvariation caused by keystrokes due to frequency diversity.As shown in Fig. 6(a), 6(b) and 6(c), some subcarriers am-plitudes vary a lot with keystrokes, but others are obtuse.

As shown in Fig. 6(d), we calculate the variance of eachsubcarrier. We find that subcarriers 10 to 19 have lowervariances, which means they have lower sensitivities withkeystrokes. So we discard the lowest ten subcarriers beforePCA.

Sample Centralization: We use a matrix H to presentoriginal CSI waveform data. For example, in a system withone pair of TX-RX antenna, we will get 30 CSI waveformsfrom 30 subcarriers. Thus, with sampling rate S and time T ,H has dimension of M × 30, where M = S × T . Then wecalculate the mean value of each column in H and subtractthe corresponding mean values in every column. After thecentralization step, we get a processed matrix Hp.

Calculating Covariance Matrix: Calculating the correla-tion matrix of Hp as Hp

T ×Hp.Handling Covariance: Calculating the Eigenvalues and

Eigenvectors of Covariance. The Eigenvectors are normal-ized to unit vectors.

Choosing Main Eigenvalues: Sorting the Eigenvaluesfrom large to small and choosing the maximum k numberof Eigenvalues. Then the corresponding k Eigenvectors areused as the column vectors to form a Eigenvector matrix. Wewill get a Eigenvector matrix whose dimension is 30× k.

Data Reconstruction: Projecting Hp onto the selected kEigenvector matrix. The reconstruction CSI data stream Hr

has the dimension of M × k.

Hr(M × k) = Hp(M × 30)× EigenV ectors(30× k) (5)

With PCA, we can identify the most representativecomponents influenced by the victim’s hand and fingers’movement and remove the noisy components at the sametime. In our experiment, it is observed the first k = 4components almost show the most significant changes inCSI waveforms and the rest components are noises. In ourexperiment part, we observed that the first PCA componentreserves most changes in CSI while the ambient noise isweak. Thus we only take one PCA component from the first4 components in the password inference module.

4.5 Keystroke Inference Module4.5.1 Keystroke ExtractionBy processing the wavelet denoising and dimension re-duction, it is observed that the CSI data shows a strongcorrelation with the keystrokes, as shown in Fig. 7(a). Inthe experiment, the sharp rise and fall of the CSI waveformsignals are observed in coincidence with the start and end




0 2000 4000 6000 8000 10000 12000 14000

-10

0

10

20

CSI Sample Index

CSI

PC

A C

ompo

nent

s

the 1st PCA Component

(a) After Data Preprocessing

0 2000 4000 6000 8000 10000 12000 14000

-10

0

10

20

CSI Sample Index

CSI

PC

A C

ompo

nent

s

the 1st PCA Component

(b) After Twice Filter

5000 5500 6000 6500-8

-4

0

4

CSI Sample Index

CSI

PC

A C

ompo

nent

Mean ValueKLAnchor Points on KAnchor Points on L

(c) Judgement Value

0 2000 4000 6000 8000 10000 12000 14000

-10

0

10

20

CSI Sample Index

CSI

PC

A C

ompo

nent

s

the 1st PCA ComponentVariance

(d) Variance Scan

0 2000 4000 6000 8000 10000 12000 14000

-10

0

10

20

CSI Sample Index

CSI

PC

A C

ompo

nent

s

the 1st PCA ComponentStart PointEnd Point

(e) The Results of Extraction

5000 5500 6000 6500-8

-4

0

4

CSI Sample Index

CSI

PC

A C

ompo

nent

Mean ValueKLAnchor Points on KAnchor Points on L

5000 5500 6000 6500-8

-4

0

4

CSI Sample Index

CSI

PC

A C

ompo

nent

Mean ValueKLExtrems of KExtrems of L

Begin Point

End Point

(f) Keystroke Area

Fig. 7. Keystroke Extraction

of finger touch. How to determine the start and the endpoint of CSI time series during a keystroke is essential forkeystroke recognition. However, the existing burst detec-tion schemes such as Mann-Kendall test, moving averagemethod and cumulative anomalies [21] do not work wellin our situation since the CSI waveform has many change-points during the password input period. Therefore, wepropose a novel detection algorithm to automatically detectthe start and end point. The proposed algorithm includesthe following three steps.

Waveform Profile Building: As shown in Fig. 7(a), it isobserved that there is a sharp rise and fall which correspondto the finger motions. However, there is a strong noise whichprevents us from extracting interested CSI waveform re-lated to the keystrokes. This motives us to perform anotherround of noise filtering. In the experiment, we still adoptwavelet denoising to make the waveform smooth. Afterbeing filtered, the CSI data during the keystroke periodare highlighted while the waveform during non-keystrokeperiod becomes smooth, which are shown in Fig. 7(b).

CSI Time Series Segmentation and Feature SegmentSelection: To extract the CSI waveforms for individualkeystrokes, we slice the CSI time series into multiple seg-ments, which be grouped together according to the temporalproximity, and then choose the center of segment as thefeature waveform for a specific keystroke. Without loss ofthe generality, it is assumed that each segment contains Wsamples. Given the sampling frequency S, and the time du-ration τ , W can be represented by S × τ . For the waveformwith time duration of T , the number of segments N can becalculated as below:

N =

[T × SW

](6)

It is observed that the CSI segments during the keystrokeperiod show a much larger variance than those happeningout of the period, which is shown in Fig. 7(d). Motivatedby this, we are only interested in the segments with the

variance which is larger than a predetermined thresholdwhile removing the segments with the variance under thisthreshold. The selected segments are grouped into variousgroups according to the temporal proximity (e.g., five ad-jacent segments grouped into one group in the practice).Each group represents the CSI waveform of an individualkeystroke and the center point of this group is selected asthe feature segment of this keystroke. The process of timeseries segmentation and feature segment selection is shownin Fig. 7(d).

Keystroke Waveforms Extraction: To extract keystrokewaveforms, the key issue is how to determine the startand the end point of CSI time series, which could coveras much keystroke waveform as possible while minimizingthe coverage of the non-keystroke portion.

We calculate the average value of the segment samplesJ , and then choose two key metrics K and L. K is theaverage value of J and samples’ maximum value, whileL is the average value of J and samples’ minimum value.The intersection of K, L and the CSI waveform serves as theanchor points. On line K, starting from the leftmost anchorpoint, it performs a local search and chooses the nearestlocal extremum which is below K as the first start point.Similarly, beyond the rightmost anchor point, it can choosethe nearest local extremum which is belowK as the first endpoint. Also, we can perform local searches from two anchorpoints on line L in order to choose two local extremumbeyondL as the second start point and the second end point.Finally, we compare these points respectively. As shown inFig. 7(c), Fig. 7(f), Fig. 7(e), with the lower start point andthe higher end point, keystroke waveform can be extracted.

Thus, we can divide a CSI waveform into severalkeystroke waveform. The ith keystroke waveform Ki fromthe kth principal component Hr(:, k) of CSI waveforms asfollows.

Ki = Hr(si : ei, k) (7)

where si and ei are the start and the end time of




0 200 400 600 800CSI Sample Index

-10

-5

0

5

10

CS

I Val

ue

0 200 400 600CSI Sample Index

-10

-5

0

5

10

CS

I Val

ue0 200 400 600

CSI Sample Index

-20

-10

0

CS

I Val

ue


-20

-10

0

10

CS

I Val

ue

(a) Two samples of CSI waveforms: PIN number 50 200 400 600 800CSI Sample Index

-10

-5

0

5

10C

SI V

alue


-10

-5

0

5

10

CS

I Val

ue


-20

-10

0

CS

I Val

ue


-20

-10

0

10

CS

I Val

ue

(b) Two samples of CSI waveforms: PIN number 4

Fig. 8. CSI Difference Between Two Number

ith keystroke. After keystroke extraction, we use thesekeystroke waveform to conduct recognition process.

4.5.2 Keystroke Time Domain Feature Extraction

One of the major challenges for differentiating keystrokesis how to choose the appropriate features that can uniquelyrepresent the keystrokes. As shown in Fig. 8, it is observedthat different keystrokes will lead to different waveforms,which motivates us to choose waveform shape as a featurefor keystroke classification. However, directly using thekeystroke waveforms as the classification features leads toa high computational cost in the classification process sincewaveforms contain many data points for each keystroke.Therefore, we leverage Discrete Wavelet Transform (DWT)to compress the length of CSI waveform by extracting theapproximate sequence. In the below, we will introduce thedetails.

Wavelet Compression: As mentioned in Section 4.4.1, adiscrete keystroke waveform Ki[n] can be expressed by thefollowing equation:

Ki[n] =1√L

∑k

Wφ[j0, k]φj0,k[n]

+1√L

∞∑j=j0

∑k

Wψ[j, k]ψj,k[n]

(8)

where L represents the length of Ki[n], Wφ[j0, k] andWψ[j, k] refer to the approximation and detail coefficientsrespectively. In the first DWT decomposition step, the lengthof approximation coefficients is half of L. For the jth decom-position step, the length is half of the previous decomposi-tion step. We use the approximation coefficients to compressthe original keystroke waveforms to reduce computationalcost. In order to achieve the trade-off between the sequencelength reduction and preserving the waveform information,we choose Daubechies D4 wavelet and perform 3-levelDWT decomposition in the classification model. Therefore,for ith keystroke, the third level approximation coefficientFi of Ki is chosen as the feature of the keystroke. Aftercompression, the length of feature Fi is about 1/8 of Ki[n].


5

10

15

20

Freq

uenc

y (H

z)

200 400 600CSI Sample Index

5

10

15

20

Freq

uenc

y (H

z)


5

10

15

20

Freq

uenc

y (H

z)


5

10

15

20

Freq

uenc

y (H

z)(a) Two samples of CSI waveforms: PIN number 5200 400 600 800

CSI Sample Index

5

10

15

20

Freq

uenc

y (H

z)


5

10

15

20

Freq

uenc

y (H

z)


5

10

15

20

Freq

uenc

y (H

z)


5

10

15

20

Freq

uenc

y (H

z)

(b) Two samples of CSI waveforms: PIN number 4

Fig. 9. CSI Difference Between Two Number: Frequency Domain

4.5.3 Keystroke Frequency Domain Feature Extraction

Besides CSI waveform shape, the CSI frequency feature canalso be used to differentiate keystrokes. The CSI spectro-grams in frequency domain is a stable property of CSIstreams and is highly correlated to keystrokes. Fig. 9 il-lustrates the CSI spectrograms corresponding to the CSIwaveforms shown in Fig. 8. It is observed that differentkeystrokes have significantly different CSI spectrograms.Therefore, it’s feasible to use CSI spectrogram informationas the feature to recognize keystroke.

In this paper, WindTalker first performs Short TimeFourier Transform (STFT) to obtain the two-dimensionalfrequency spectrograms of CSI. Then, WindTalker calcu-lates the contours of the spectrograms to extract features.To extract the contour, WindTalker first resizes the CSIspectrograms with frequency from 0 to 30Hz into a m-by-n matrix MCSI(i, h) and normalize the MCSI(i, h) toa range between 0 and 1. Note that, in MCSI(i, h), eachcolumn represents the normalized frequency shifts dur-ing the ith time slide. Then, WindTalker chooses a pre-defined threshold and get the contour CCSI(i), wherei = 1...n. CCSI(i) is the maximum value j which sat-isfies that MCSI(i, j) ≥ threshold. As shown in Fig. 9,the contours are marked by the black lines. It is observedthat, between the same keystrokes, the contours of CSIspectrograms have the similar variation trends. Thus wecan regard the contours as the frequency domain featuresof the classification and calculate the similarity between thecontours for keystroke recognition.

4.5.4 Keystroke Recognition

WindTalker builds a classifier to recognize the keystrokesbased on both the time domain feature and the fre-quency domain feature. To compare the features of differentkeystrokes, WindTalker adopts the Dynamic Time Warping(DTW) to measure the similarity between two keystrokes.

Dynamic Time Warping: DTW utilizes dynamic pro-gramming to calculate the distance between two sequenceswith different lengths. With DTW, the sequences (e.g., timeseries and spectrogram contours) are warped non-linearlyin the time dimension to measure their similarity. The input




of DTW algorithm is two sequences and the output is thedistance between them. A low distance indicates that thesetwo sequences are highly similar.

By adopting DTW, the classifier gives each keystroke aset of scores, which allows the keystrokes to be differen-tiated based on the user’s training dataset (keystrokes ondifferent numbers). For a certain keystroke Ki, classifierfirst calculates the DTW distances between the features ofKi and all of the keystroke number’s features in datasetin time and frequency domain respectively. Thus, for Ki,we will get two scores arrays ST = {st1, st2, ..., st10},SF = {sf1, sf2, ..., sf10}, where ST , SF represent the scoresin time and frequency domain respectively, and stn refers tothe shortest distance between the input keystroke and thecertain key number n in time domain. sfn is similar but infrequency domain. Finally the classifier calculates the scoreS = {s1, s2, ..., s10}, where sn = stn × sfn. The lower thescore sn is, the higher possibility the certain number n isactual input number. The classifier chooses the key numberwhich has the minimum score (the value n which satisfiessn is the lowest one) as the predicted key number. Note thatthe classifier saves all scores of the certain keystroke Ki inorder to generate password candidates in Section 5.3.

5 KEYSTROKE INFERENCE EVALUATIONS

5.1 System Setup

WindTalker is built with the off-the-shelf hardware, which isactually a commercial laptop computer equipped with Intel5300 NIC with one external directional antenna. WindTalkeralso serves as the WiFi hotspot to attract the users to accessto the WiFi. The laptop runs Ubuntu 14.04 LTS with amodified Intel driver to collect CSI data. To collect the CSIdata related to the user’s touch screen clicks, WindTalkeruses ICMP echo and reply to achieve the sampling rate of800 packets/s. In this evaluation, the distance between themobile user and the AP is 75 cm and the AP is placed on theleft side of mobile phone.

In the experiments, we recruit 20 volunteers to join ourevaluation, including 17 males and 3 females. All of thevolunteers are right-handed and they perform the touch-screen operations by following their own fashions. Duringthe experiment, the volunteers should participate in thedata training phase and keystroke recognition phase byinputting the numbers according to the system hints. In thedata training phase, WindTalker records each input and itscorresponding CSI data. In the test phase, WindTalker infersthe input data based on the observed CSI time series. Thetraining data and testing data collection should be finishedwithin 30 minutes since CSI may change with the change ofenvironment.

We start the evaluation by testing the classification ac-curacy and the 6-digit password inference accuracy. Thenwe perform a more specific case study by inferring thepassword of mobile payment for Alipay in Section 6. Af-terwards we investigate various metrics that may influencethe inference accuracy of WindTalker including the distance,the direction and the human movement in Section 7. Inthe current stage evaluation, we only perform user-specifictraining and will discuss its limitation in Section 9.

1 2 3 4 7 8 9 05 6PIN Number

0

20

40

60

80

100

Acc

urac

y (%

)

WindTalker accuracy Without frequency feature

(a) Classification Accuracy per key

1 2 3 4 5 6 7 8 9 0Predicted PIN Number

1234567890

Act

ual PIN

Num

ber

(b) Color Map of Confusion Matrix (re-drawn)

Fig. 10. Classification Accuracy

5.2 Classification Accuracy

In Section 3, we have shown that different keystrokes maybe correlated with different CSI waveforms. In this section,we aim to explore whether the differences of keystrokewaveforms are large enough to be used for recognizingdifferent PIN numbers inputs in the real-world setting. Wecollected training and testing data from 20 volunteers. Eachvolunteer first generates 50 loop samples, where a loop isdefined as the CSI waveform of keystroke number from0 to 9 by pressing the corresponding digit. After that, weevaluate the classification accuracy of WindTalker throughthe collected CSI data.

The classification accuracy is evaluated in terms of 10-fold cross validation accuracy. However, in real world sce-nario, it is not reasonable to collect 50 training samplesfor one specific PIN number. Therefore, we first dividethese 50 loops data into 5 groups evenly. Then, for every10 loops CSI data, we pick up one loop in turn for thetesting data and choose the other 9 loops as the trainingdata. WindTalker adopts the classifier introduced in Section4.5 to recognize the keystroke. We perform the evaluationon Xiaomi, Redmi and Samsung Note3 smartphone. All ofthem run with Android 5.0.2. Fig. 10(a) shows the averageclassification accuracy of all 20 volunteers in 10 PIN number.It is observed that WindTalker achieves the average accuracyclassification of 93.5% using combined CSI features. How-ever, if WindTalker only utilizes time-domain feature as [1],the accuracy will drop to 87.3%.

Fig. 10(b) describes the color map of confusion matrix ofkeystroke inference. For a specific typed number, it gives thecorresponding inference results. The darker the area is, thehigher the possibility of keystroke inference result is. Intu-itively, it is easier for an input number that is confused withthe neighboring numbers during the keystroke inference




TABLE 2Recovery Rate and Training Loop Times

Loop Times One Three Five NineRecovery Rate 79.5% 86.2% 88.5% 93.5%

TABLE 3Recovery rate and the number of candidates.

Number of candidates One Two ThreeRecovery rate 86.2% 93.4% 96.2%

process. We further analyze the impact of the number oftraining data on recovery rate in WindTalker. Table. 2 showsthe keystroke inference accuracy increases with the trainingloop increases. Even if there is only one training sample forone keystroke, WindTalker can still achieve whole recoveryrate of 79.5%.

5.3 Password Inference

In a practical scenario setting, it may not be easy forWindTalker to get 9 training samples for each PIN number.So in the remaining section, we only use 3 samples perPIN number for training. To illustrate the performance ofWindTalker for password Inference, in this part, we ask vol-unteers to press 10 randomly generated 6-digit passwordson Xiaomi smartphone and use their corresponding 3 loopsas training dataset.

We test totally 500 set of passwords, which include 3000keys. As shown in Table. 3, with 3 loops as training data,WindTalker can achieve an average 1-digit recovery rate of86.2%. For a 6-digit password in AliPay, the attacker cantry several times to recover the password at an increasedsuccessful rate. Thus, we introduce a new metric, recoveryrate with Top N candidates, which indicates the rate ofsuccessfully recovering the password for trying N timesand represents a more reasonable metric to describe thecapability of the attacker in the practical setting. As shownin Table. 3, if we evaluate the 1-digit recovery rate under top2 and top 3 candidates, the recovery rate can be significantlyimproved.

We further study how many candidates can help us tosucceed in predicting the right 6-digit payment password inWindTalker. In particular, we will investigate the inferenceaccuracy under top N candidates. In the experiment, each6-digit password will be correlated with six keystrokesK = {K1,K2, . . . ,K6}. For each keystroke Ki, WindTalkercalculates its corresponding score Si = {si,1, si,2, . . . , si,10}.Then, for a given password candidate PIN number P ={p1, p2, . . . , p6}, where pi ∈ [0, 9], WindTalker calculatesthe likelihood L between K and P . L is defined byL =

∏6i=1 si,pi . Given a 6-digit password K, for each

keystroke Ki, we can obtain 5 candidates with lowest siand then generate 56 = 15626 candidate passwords. ThenWindTalker sorts these passwords by their likelihoods inascending order. A successful password inference is definedas that the real password is included in top N candidates. InFig. 11(a) ,we give the password inference accuracy undertop N candidates, where N ranges from 1 to 20. The resultis encouraging. It is shown that, given top 1 candidate,

0 5 10 15 20

Number of Candidate Passwords

0

20

40

60

80

Pas

swor

d In

fere

nce

Acc

urac

y (%

)

20 40 60 80 100


75

80

85

90

Pas

swor

d In

fere

nce

Acc

urac

y (%

)

(a) Top 20 Candidates

0 5 10 15 20


0

20

40

60

80

Pas

swor

d In

fere

nce

Acc

urac

y (%

)

20 40 60 80 100


75

80

85

90

Pas

swor

d In

fere

nce

Acc

urac

y (%

)

(b) Top 100 Candidates

Fig. 11. 6-digit Password Inference Accuracy

Target

Hidden

Devices

Intel 5300 NIC

Antennas

1m

Fig. 12. Real Case Scenario

the inference accuracy is 41.2%. And the inference ratecan be significantly improved if given top 5 candidates ortop 10 candidates, which correspond to 69.6% and 77.4%,respectively. It is also shown in Fig. 11(b) that, if givenenough top N candidates (e.g., set N as 60), the inferenceaccuracy can reach above 85%.

6 REAL-WORLD EXPERIMENT: MOBILE PAYMENTPASSWORD INFERENCE TOWARDS ALIPAY

6.1 System Setup

To demonstrate the practicality of the WindTalker, we per-form an experimental evaluation of password inference onAlipay, a popular mobile payment platform on Both of An-droid and iOS system. Alipay is the largest mobile paymentcompany in the world and has 450 million monthly activeuser including 270 million mobile payment users [22]. Asshown in Fig. 12, we deploy a WindTalker system at a cafe-like environment and release an authentication-free WiFi.The AP (including Intel 5300 NIC and the antennas) is set upbehind the counter, which makes it less likely to be detectedvisually. The victim is 1 meter away from our deployed WiFidevices. When we collect the data, one volunteer walks passby the victim but none of volunteers walks between thevictim and the AP.

To simulate the real-world attack scenarios, the recruitedvolunteers are required to access to this free WiFi accesspoint and perform the following three phases: 1) OnlineTraining Phase: the volunteers are required to input somerandomly generated numbers by following a similar way asText Captcha. This phase is designed to collect the user’sinput number and the corresponding CSI data to finish the




data training. 2) Normal Use Phase: the volunteers performthe online browsing or use the applications as a normaluser. 3) Mobile Payment Phase: when the users use theonline shopping applications, it will be ended with themobile payment. All of the online shopping and mobilepayments are secured with HTTPS protocol. According toAlipay mobile payment policy, the mobile users must inputthe password to finish an mobile payment transactions.The goal of the attacker is to recover the mobile paymentpassword of the volunteers.

6.2 Operations of WindTalkerAfter the volunteers connect to the authentication-free WiFihotspot, WindTalker triggers ICMP based CSI AcquirementModule to collect the CSI data at the sampling rate of 800packets/s. WindTalker records the timestamp per one hun-dred CSI data. Simultaneously, WindTalker utilizes Wire-shark to capture and record WiFi traffic packets and theircorresponding timestamps. During the real-world experi-ment, WindTalker collects WiFi traffic data and CSI data inthe online phase. After collecting the data, WindTalker infersthe user’s mobile payment password in the offline phase.

During collecting ICMP reply packets, WindTalker alsocollects additional network traffic packets from users’ APPs.As pointed out in [15] and [23], only some particular typesof packets (e.g., ICMP packets using “HT” rate) will bemeasured by Linux 802.11n CSI Tool. In our real-worldexperiments, CSI values will not be extracted from thesepackets generated by user’s APPs. Besides, since CSI is thephysical layer information which reflects the wireless chan-nel environment, the CSI measurements are irrelevant to thetypes of network traffic packets. Thus even some addtionalpackets were measured by Linux 802.11n CSI Tool, they willonly cause the CSI sampling rate vary slightly. Because wecan record the timestamp of each CSI value, thus we canuse the timestamps to reconstruct CSI stream to eliminatethe impact of sampling rate variation. Fig. 13 shows the CSIwaveforms reconstructed according to timestamps.

6.3 Recognizing the Sensitive Input WindowTo determine the sensitive input window, WindTalker uti-lizes Wireshark to collect the meta data (eg., IP address) ofthe WiFi traffic during collecting CSI data. The meta datacollected by Wireshark is shown in Fig. 13(a). We can findthat in the experiment, Alipay applications route their datato a server of some fixed IP address such as “110.75.xx.xx”.These IP addresses are used by the Alipay service providerand do not change for one to two weeks. With the trafficmeta data, as shown in Fig. 13(a), WindTalker obtains therough start time and end time of the sensitive input windowvia searching packets whose destination is “110.75.xx.xx”.Then, according to the timestamps of CSI data, WindTalkerlocks the CSI data during this period of time.

6.4 CSI based Password InferenceFig. 13(b) shows the original the 30th subcarrier CSI datain Sensitive Input Window. After data preprocessing, Fig.13(c) shows the first three principal components of CSI dataafter PCA. It is found that in the real-world experiment

Start

End …

Time

Time

(a) Sensitive Input Window RecognitionModule

0 1 2 3 4x 104

20

30

40

50

A CSI Sequence Containing a Sensitive Window

CS

I Am

plitu

de

(b) Original CSI: the 30thSubcarrier

0 10 20 30 40-60

-30

0

30

60

Time (second)

CSI

PC

A C

ompo

nent

s

the 1st PCA componentSensitive Input Window

Keystroke Inference

Keystroke Extraction

99377

1

(c) Keystroke Inference Module

Fig. 13. WindTalker in Case Study

that besides input payment password, victim may haveother operations such as selecting credit card for paymentin period of time of Sensitive Input. In order to handlethis situation, WindTalker only needs to find a continuouskeystroke of certain length. In our case, we are interestedin continuous 6-bit password input since Alipay chooses6-digit mobile payment password. Thus after keystrokeextraction and recognition process, WindTalker is able to listpossible password candidates according to probability. Thetop three password candidates in this case is 773919, 773619,773916 while the actual password is 773919. We carry out thereal-world experiment ten times, each time the password isdifferent. Our experiment results show that the attacker cansuccessfully recover 6, 8 and 9 passwords if allowing to trythe password input for 5, 10 and 50 times (or Top 5, 10 and50 candidates). This further demonstrates the practicality ofthe proposed attack in the practical environment.

7 IMPACT OF VARIOUS FACTORS

There are many factors potentially affecting the CSI. Theperformance of WindTalker is affected by various factorssuch as relative position of AP and mobile device, CSIsampling rate, keyboard layout, human movement andtemporal factors. Even clicking at the same key, the differentdistance and direction between AP and the mobile devicemay also lead to a different CSI. We will investigate theimpact of these factors on WindTalker in our experiments.

7.1 DistanceIn a real scenario, the distance between the victim’s mobiledevice and AP is not fixed. As shown in Fig. 14(a), the recov-ery rate of WindTalker will decrease along with the increaseof the distance. However, it is observed that, even if thedistance between the antenna of WindTalker and victim’ssmartphone (i.e., Xiaomi) is enlarged to 1.5m, WindTalkercan still achieve keystroke inference accuracy of 83.5% interms of 10-fold cross validation, which is high enough forlaunch keystroke inference. Fig. 14(b) shows that both of




0.75 1 1.25 1.5Distance between Smartphone and Antenna (m)

0

50

100

Acc

urac

y (%

)


(a) Distance

0 500 1000 1500

-50

0

50

CSI Sample Index

CSI

PC

A C

ompo

nent

s

75 cm

0 500 1000

0

20

40

100 cm

CSI Sample Index

CSI

PC

A C

ompo

nent

s

0 500 1000-20

-10

0

10125 cm

CSI Sample Index

CSI

PC

A C

ompo

nent

s

0 500 1000

-5

0

5

10

15

CSI Sample Index

CSI

PC

A C

ompo

nent

s

150 cm

PCA 1st Component PCA 2nd Component PCA 3rd Component

(b) CSI Shape Change by Distance: PIN 1

Fig. 14. Distance’s influence in WindTalker

CSI shape and degree will change under different distancewhen pressing the same key. This indicates that WindTalkerneeds to retrain dataset even for the same victim withdifferent distances. When the distance between antenna andvictim is too long, the multiple-path propagate will becomemore complicated. Thus the collected CSI cannot reflect thevictims finger precisely and result in inaccurate inferenceresults. To partially solve these limitations, there are twopossible solutions. Firstly, the attacker can fix the location oftable and chairs, which will make the user’s position rela-tively stable. The other solution is placing three antennas ofIntel 5300 NIC at different locations to enlarge the effectiverange of WindTalker. Therefore, when the victim connectsto rogue WiFi, WindTalker could dynamically choose theantenna which is closest to the victim to collect CSI data.

7.2 DirectionThe relative direction between the victim and attacker mayseriously affect the CSI since different directions mean dif-ferent multi-path propagation between the transmitter andthe receiver. Thus, we show the performance of WindTalkerunder different directions. Note that the mobile device (i.e.,Xiaomi in this experiment) is in front of victim. It is impor-tant to point out that, for a right-handed user, WindTalkershows a better performance when the AP is on the left sideof the victim. This is because it is easier for WindTalker to

Left Right Front Behind

Direction of antenna

0

20

40

60

80

100

Acc

urac

y (%

)


Fig. 15. Accuracy in Different Direction

100 200 400 600 800CSI Sampling Rate (packets/s)

0

20

40

60

80

100

Acc

urac

y (%

)


Fig. 16. Effect of CSI Sampling Rate

sense victim’s finger clicks and the hand motion. Fig. 15shows the keystroke inference accuracy of WindTalker indifferent direction in terms of 10-fold cross validation. It isinteresting that WindTalker can achieve a high performanceeven the AP is deployed behind victims (i.e., 81%), whichmeans that the proposed CSI based keystroke inference canwork well even if the attacker is behind the user withoutvisually seeing the clicking actions. This represents one ofsignificant merits which cannot be achieved by any previouswork. In real-world, the attacker can adjust the position andorientation of directional antenna to overcome the limita-tions of distance and direction.

7.3 Smartphone Type

The experiments in Section 5 and Section 6 are implementedon Xiaomi, Redmi and Samsung Note3 smartphone. To eval-uate the impact of different smartphone types, we recruit tenvolunteers to generate 10 loop keystrokes on Xiaomi, Redmiand Samsung Note3. All of these mobile phones run withAndroid 5.0.2. When using all nine loops data, WindTalkerachieves the average classification accuracy of 93.5%, 88.3%and 83.9% on Xiaomi, Redmi and Samsung Note3 respec-tively. The experimental result indicates that the WindTalkerperformance is affected by the smartphone type, becausedifferent smartphones may have different relative positionsof antennas and working powers. Fortunately, the accuracyof WindTalker on different smartphones are still acceptablefor password inference.

7.4 CSI Sampling Rate

The keystroke recognition accuracy depends on the sam-pling rate of CSI. When the CSI sampling rate is high, thereis more information in the CSI waveform, which increases




1 2 3 4 5 6 7 8 9 0PIN Number

0

20

40

60

80

100A

ccur

acy

(%)

Numeric QWERTY

(a) Classification Accuracy on DifferentKeyboard Layout

1 2 3 4 5 6 7 8 9 0Predicted PIN number

1234567890

Act

ual P

IN n

umbe

r

(b) Confusion Matrix aboutQWERTY Keyboard

Fig. 17. Keystroke Recognition on QWERTY Keyboard

the keystroke recognition accuracy. Thus, we are interestedin how the CSI sampling rate influences the performance ofWindTalker. Fig. 16 shows the average classification accu-racy of all volunteers with Xiaomi smartphone when vary-ing the sampling rate from 100 packets/s to 800 packets/s.The experiment procedures are the same with Section 5.2and the antenna is placed at the best position as mentionedin Section 7.1 and 7.2. From Fig. 16, we observe that theclassification accuracy improves when the sampling rate ishigher, but the improvement is not significant beyond thesampling rate of 400 packets/s. For instance, with samplingrate of 400 packets/s, the classification accuracy of Xiaomiis 90.3%, which is only a slight drop compared to 93.5%achieved for a sampling rate of 800 packets/s. Becausesampling rate of 400 packets/s is still enough to capturethe movement feature of keystroke. When sampling ratereduces to 100 packets/s, the accuracy of Xiaomi reducessignificantly to 82.8%, as this sampling rate loses the de-tailed feature of keystroke. In our experiment, we use thesampling rate of 800 packets/s to achieve the best perfor-mance of WindTalker. But when facing a high packet lossrate situation, we can use the a lower sampling rate above100 packets/s to achieve an acceptable performance.

7.5 Keyboard Layout

There are two different keyboard layouts which influencethe keystroke recognition accuracy. Besides the numerickeyboard which is used in most online payment scenarios,there is QWERTY keyboard on which a user can typeletters, numbers and special characters. The main differencebetween the two keyboards is the key space. Comparing totyping numeric keyboard, the hand movement tends to besubtle when typing adjacent keys on QWERTY keyboard,which makes recognizing keystrokes much more difficultsince the CSI waveforms become similar.

We are interested in how the QWERTY keyboard influ-ences the recognition of keystroke. For simplicity, we justfocus on the digital input on the QWERTY keyboard. Weperform experiment on Xiaomi phone and the keyboardlayout is provided by Google input method. Fig. 17(a) showsaverage classification accuracy on both numeric and QW-ERTY keyboard. We observe that the accuracy of QWERTYkeyboard is 67.8%, which significantly drops compared to93.5% of numeric keyboard. Fig. 17(b) is the confusionmatrix of QWERTY keyboard. We observe that most errorrecognition happened between the adjacent keys. Although

attacker victim

1 m

L2 L3 L4

1 m 1 m 1 m

L1

Volunteer

C1 C2 C3 C4

(a) The experiment environment.

0 2000 4000 6000 8000

CSI sample index

-10

0

10

20

PC

A 1

st c

ompo

nent

1 m

0 2000 4000 6000

CSI sample index

-10

0

10

202 m

0 2000 4000 6000

CSI sample index

-5

0

5

10

153 m

0 2000 4000 6000 8000

CSI sample index

-5

0

5

10

154 m

(b) The CSI data under human walking scenario.

0 2000 4000 6000 8000

CSI sample index

-5

0

5

10

PC

A 1

st c

ompo

nent

1 m

0 2000400060008000

CSI sample index

-5

0

5

10

2 m

2000 4000 6000 8000

CSI sample index

-2

0

2

4

6

3 m

4000 6000 8000

CSI sample index

0

5

10

4 m

(c) The CSI data under human arms movement scenario.

Fig. 18. Effect of human movement.

the accuracy of QWERTY keyboard is lowered than numerickeyboard, but it still higher than the random guess.

7.6 Human Movement

In some cases, the CSI-based sensing may be affected bythe movement of other nearby human. Thus, we evaluatethe impact of human walking and human arm movementon the performance of WindTalker. As shown in Fig. 18(a),while WindTalker collecting the CSI data to infer the victimskeystroke, we recruit a volunteer to walk along four differ-ent lines (L1, L2, L3, L4) respectively. The distances betweenWindTalkers antenna and the midpoints of L1, L2, L3 andL4 are 1 meter, 2 meters, 3 meters and 4 meters respectively.The distance between antenna and the victim is 1 meter. Wetotally conduct four experiments. In each experiment we askthe victim to continuously generate keystrokes and collectthe corresponding CSI, at the same time, the volunteer walksalong one of the four lines with the speed of 0.5 m/s.Fig. 18(b) shows the experimental result. When the distancebetween antenna and the midpoint of walking mans trajec-tory is larger than 2 meters, the keystrokes could be easilyfound from the collected CSI waveforms. However, whenthe distance is 1 meter (i.e., the walking mans trajectoryis very close to the victim), it is hard to extract keystrokewaveforms from collected CSI data. The results show thatthe humans walking will bring additional multiple-patheffects into the wireless transmission. However, WindTalkeris still effective if only there is no human walking within 2meters of the WindTalkers antenna.

Besides human walking, we also consider another sce-nario in which a human stays at a fixed location butwaves his/her arms. We conduct four experiments. Whenthe victim continuously generating keystrokes, we ask thevolunteer stays at the midpoints (i.e., C1, C2, C3, C4 in Fig.18(a)) of above four lines respectively and spins his/her arm




9500 10000

sample index

-10

0

10

20P

CA

1st

com

pone

nt Day 1

5000 6000

sample index

-5

0

5

Day 2

8000 9000 10000

sample index

-10

0

10Day 3

1000 2000

sample index

0

20

40

Day 4

Fig. 19. CSI waveforms of PIN number 1 on different days.

with the average speed of 0.91 cycle per second. As shown inFig. 18(c), when the distance between antenna and volunteeris larger than 3 meters, the keystrokes could be recognizedfrom collected CSI data. When the distance is 1 meter (i.e.,the victim is very close to another people), the keystrokesis hard to be extracted. Therefore, WindTalker will worknormally only if there is no user waves his/her arms within3 meters of the WindTalkers antenna.

7.7 Temporal factorsThe temporal factors will also affect the performance ofWindTalker. Fig. 19 shows how CSI waveform changes ondifferent days. We can observe that these CSI shape patternslook different. The reason is that in different days, the userstyping behaviour may be inconsistent and the surroundingenvironment may change, which may affect the constructiveand destructive interference of several multi-path signals.Therefore, in current state, for each keystroke inference,WindTalker needs to update the users CSI profiles to ensureits performance. We leave this limitation for future work.

8 COUNTERMEASURES

8.1 Basic Defense Strategies8.1.1 Randomizing the Keyboard LayoutOne of the most straightforward defense strategies is torandomize the layouts of the PIN keyboard, such that theattacker cannot recover the typed PIN number even if he caninfer the keystroke positions on the touchscreen. As pointedout by [7], randomizing the keyboards is effective at the costof the user experience since the user needs to find every keyon a random keyboard layout for every key typing.

8.1.2 Changing Typing GestureFor WindTalker, collecting the accurate CSI data is essentialfor achieving high inference success rate. Thus the user canintentionally change his typing gestures or clicking patternsto introduce the unexpected interference to the CSI data.For example, the randomized human behaviors (e.g., humanmobility) would introduce more impact on CSI than fingerclick on wireless signals, which reduce the successful chanceof the adversary.

8.1.3 Refusing to Connect to Rogue WiFiThe most thorough defense strategy is refusing to connectto rogue WiFi hotspot. For instance, [24] and [25] proposeda method which can detect a rogue WiFi hotspot. Thesedetection systems suppose that both of the rogue hotspotand the legitimate hotspot have the same SSID. However, ifthe attacker uses a new SSID that is not observed before bythe detection system, it will fail either.

ICMP Request

ICMP Reply

Victim's device

Hotspot

Sending Obfuscation Packets

Attacker

Sensitive Application

UserNo

ICMP Request

ICMP Reply

Victim's device

HotspotAttacker

Yes

Fig. 20. Obfuscation Defense Strategy

8.1.4 Blocking the ICMP Echo RequestOur CSI based typing inference requires collecting CSI datawith a high frequency. According to [26], the data receivedin the echo message must be returned in the echo replymessage. It means that the victims device must reply tothe attackers WiFi hotspot when it received the ICMP echorequest. A countermeasure for the user is configuring thefirewall to detect and block the high-frequency ICMP echorequests. But this countermeasure is rarely used in Androidsmartphones, because it needs to be implemented at theoperation system level and the common users have noaccess to it [27]. As far as we have tested in 3 mainstream un-rooting smart phones(Xiaomi, Redmi and Samsung), noneof them have blocked this kind of ICMP echo request,because it will forbid other hosts to ping the user deviceand affect the user experience.

8.2 CSI Obfuscation AlgorithmIn this subsection, we propose a novel obfuscation strategyto defend against the CSI based side channel attacks. Ourgoal is preventing the attackers from collecting the accurateCSI data introduced by users password input. In the idealcase, the strategy can be implemented and deployed at theusers side and can be triggered in a user-transparent wayas long as any sensitive input time window is observed.This strategy does not need the user’s participation and thusminimize its impact on the user experience.

8.2.1 Overview of the Basic IdeaThe basic idea of the proposed defense strategy is intro-ducing a randomly generated CSI time series sequence toobfuscate the original one. As shown in Fig. 20, during thesensitive input time window, when the attacker collects theCSI data (or original CSI data) from the target user, the userdevice can randomly generate some CSI data (or obfuscationdata) to obfuscate the original CSI data and thwart the sidechannel attack. According to 802.11n standard [16], whenthe user does not launch sensitive applications, the attackercan obtain the CSI data by analyzing the training sequenceof the preamble of the WiFi packet obtained from the vic-tims device. Without loss of the generality, the original CSIbetween victim and attacker is estimated as

H1 =Y1X1

(9)




where X1 is the training sequence on transmitter and Y1 isthe training sequence on receiver. In practice, both the trans-mitter and receiver assume that the training sequence X1

will not change during the whole communication process.During the password input progress for a specific mobile

payment application, (eg. Alipay), the defense strategy willbe launched. The attacker uses the ICMP requests to obtainWiFi packets from the victim, and, at the same time, theusers device can also proactively sends the obfuscationpackets to the attacker. For instance, the training sequenceX1 in Equation.9 was changed into

X2 = ∆HX1 (10)

The revised training sequence will be received by at-tacker as:

Y2 = H1X2 = H1∆HX1 = H2X1 (11)

From the attacks perspective, it is indistinguishable for theoriginal and obfuscation data. Because the attacker still uti-lizes original training sequenceX1 to estimate CSI, thereforethe attacker would estimate victims CSI as H2 = H1∆H . Itmeans that the original CSI data will be masked by insertingforged CSI data H2 into the original CSI sequence H1. Thusthe CSI based side channel attack can be thwarted becausethe attacker cannot infer the users keystroke by analyzingCSI data.

8.2.2 Experiment EvaluationsWe perform an experiment to prove the effectiveness ofour proposed strategy. In the ideal case, it should be theusers device that generates the obfuscation data. In ourexperiments, we adopt a mobile phone as the target deviceand another phone as the obfuscation device to performthe proof-of-concept experiments and evaluate the effec-tiveness of the proposed defending strategy. In practice, toimplement this defense strategy in users devices, we canuse Software Defined Radios (SDR) to revise the trainingsequence of mobile device [28].

In our experiment, both devices are connected to a WiFihotspot released by WindTalker. The WindTalker uses ICMPbased CSI Acquirement Model to obtain CSI data H1 fromthe victim, and during this period, the victim continuouslytypes PIN numbers. When victim launches sensitive appli-cation (e.g., Alipay), the obfuscation device continuouslysends packets (e.g., UDP packets) to WindTalker so thatthe WindTalker receives mixed CSI data. Note that, theobfuscation device is placed at different places to get adifferent CSI estimated value H2.

The result is shown in Fig. 21. We can find that with-out the involvement of obfuscation device, the WindTalkerworks normally and the finger clicks are easily distin-guished in CSI H1. With the involvement of obfuscationdevice, the finger click patterns are obfuscated with theforged CSI measurements H2. So the effectiveness of thisdefense strategy is demonstrated. The [28], [29] and [30]have discussed how to implement it in the SDR system. Toapply this method to mobile phone, the operation systemkernel of the phone should be revised [16], which is out ofthe scope of this work. We will leave it for the future work.

Three distinguishable keystroke waveforms

Two illegible keystroke waveforms due to obfuscation device

Fig. 21. The 4th Subcarrier Waveform in the Experiment

9 LIMITATIONS

In this section, we discuss the main limitations ofWindTalker. WindTalker’s high performance is achieved inan experiment environment. However, if we try to applyWindTalker in anytime and anyplace, we need to overcomethe limitations as follows.

Hardware Limitations. In WindTalker, we use Intel 5300NIC and Linux 802.11n CSI Tool [15]. In our experiments,it is observed that the system will crash when we performCSI data collection for iPhone or some versions of androidsmart phones. This is because, according to the statement ofthe CSI Tool, it is very easy to crash when one Intel 5300NIC works with other NICs (e.g., an iPhone). However, ourimplementation and evaluation on a wide range of smartphones (including Xiaomi, Redmi and Samsung phones)demonstrate the practicality of the proposed CSI basedkeystroke inference method. We will leave the issues ofimproving the compatibility of Intel 5300 NIC with a widerrange of mobile devices to our future work.

Fixed Typing Gesture. Currently, WindTalker can onlywork for the situation that the victim can only touch thescreen with a relatively fixed gesture and the phone needsto be placed in a relative stable environment (e.g., a table). Inreality, the user may type in an ad-hoc way (e.g., the victimmay hold and shake the phone, or even perform some otheractions while typing). We argue that is a common problemfor most of the side channel based keystroke inferenceschemes such as [2], [8], [10]. This problem can be partiallycircumvented by profiling the victim ahead or performing atargeted attack by applying the relevant movement modelas pointed out by [8].

User-specific Training. WindTalker needs to extract thekeystroke samples from the victim before launching pass-word inference attack. This requirement is a common as-sumption for most of the side channel keystroke inferenceattacks such as [2], [9], [31], [32], [33], [34]. To launch a real-world attack, the attacker can consider the following twostrategies. Firstly, WindTalker could leverage some socialengineering methods to collect training data from victim.For example, the attacker could implement online trainingby mimicking a Text Captcha to require the victim to inputthe chosen numbers. As shown in the Section 5.3, giventhree training samples per key, WindTalker could achieve




6-digit password inference accuracy of 69.6% under top5 password candidates. The second strategy is using theself-contained structures of collected CSI data. For exam-ple, our follow-up work [35] proposes a non-training CSIbased keystroke inference system. In this system, the at-tacker extracts the correlations between the CSI featuresof keystrokes, and then maps the collected CSI data to aword within a predefined dictionary. Applying this idea inour 6-digital password inference scenario maybe a potentialsolution, and we leave it for future work.

10 RELATED WORK

10.1 Free Public WiFi with Malicious Behaviors

Free Wi-Fi services provided by public hotspots are attrac-tive to users in a mobile environment when their mobiledevices have limited Cellular connection. Existing works[36], [37], [38], [39], [40], [41] have demonstrated it is feasibleto deploy a malicious Wi-Fi hotspot in a public area. Forexample, an iPhone can turn itself into a Wi-Fi hotspot. Ifthe iPhone user changes the session ID to “Starbucks FreeWi-Fi”, other people may connect their phones to the iPhonewhile wrongly believe they are using free WiFi services froma nearby Starbucks. In such a scenario, the attacker canutilize the WiFi network traffic collected by the WiFi hotspotto infer the user’s privacy information. Taylor et al. [42]proposed methodology to fingerprint and identify Androidapps by analyzing the encrypted HTTPS/LTS traffic. Alanet al. [43] proposed a method to identify mobile apps onlyusing the TCP/IP headers from the apps launch time traffic.Finally, Conti et al. [44] presented a system that usingnetwork traffic to identify the specific actions that a useris performing on his/her mobile apps.

Compared with these previous works, our WinderTalkerutilizes both network layer traffic and physical layer CSIinformation to infer the user’s sensitive information. In ourconsidered scenarios, attacker lures the users to connecttheir devices to a fake access point. Then, the attackereavesdrops the WiFi traffic to identify the sensitive windowand selectively analyzes the CSI information to infer thesensitive keystroke information.

10.2 Keystroke Inference Methods

Prior keystroke inference methods utilized the informationfrom various sensors and communication channels, such asmotion, camera, acoustic signals, and WiFi signals.

Motion: Owusu et al. [10] presented an accelerometer-based keystroke inference method, which aims to recoversix-character passwords on smartphones. Later, Liu et al. [8]applied a similar idea to the smartwatch scenario. Their ob-jective is to track user’s hand movement over the keyboardusing the accelerometer readings from the smartwatch, andthe keystroke inference achieves 65% recognition accuracy.

Acoustic signals: Zhu et al. [5] presented a context-freeand geometry-based keystroke inference. They leverage themicrophones of a smartphone to record keystrokes’ acousticemanations and the experimental results show that morethan 72.2% of keystrokes can be accurately recovered. Liuet al. [4] further proposed a keystroke snooping systemby exploiting the audio hardware to distinguish mm-level

position difference. The accuracy of their system can achieve94%. These works could achieve high accuracy on bothdigital and QWERTY keyboard. However, compared withthese works, WindTalker requires neither a fixed positionnor a close distance to the victim. Furthermore, WindTalkercan obtain the network traffic information, which improvesthe practicality in real-world environments.

Camera based: Yue et al. [7] introduces a camera-basedkeystroke inference using Google Glass or off-the-shelf we-bcam. Shukla et al. [6] also presented a video-based attackrelies on the spatio-temporal dynamics of the hands duringtyping. Sun et al. [34] use camera to record tablet backsidemotion and infer the victim’s typing content.

WiFi signal based: Using WiFi signals to infer thekeystroke draws a large research attention because it offersdevice-free and non-invasion advantages. Ali et al. [2] pro-posed a keystroke inference systems called WiKey, whichuses the CSI waveform pattern generated by finger’s uniquemotion to distinguish keystrokes on a external keyboard.Zhang et al. [11] presented WiPass, which can work inmobile device to detect the graphical unlock passwords.Tan et al [12] also proposed WiFinger, which leverageCSI from COTS device to capture the user’s fine-grainedfinger gesture. Compared with our work, WiKey, WiPassand WiFinger don’t utilize the network traffic information,thus these schemes work on the OKI keystroke inferencemodel and they can not recognize the user’s sensitive inputwindow.

11 CONCLUSION AND FUTURE WORK

In this paper, we have proposed a novel side-channel attackmodel named WindTalker, which can be used to infer avictim’s mobile password via WiFi signals. WindTalker isa cross-layer inference system, which utilizes both networklayer traffic information and physical layer CSI information.Our experiments on Alipay shows that WindTalker can beeffective in recognizing the victim’s password on smartphones. Compared with previous works, WindTalker nei-ther deploys external devices close to the target device norcompromises the target device. Furthermore, we proposedthe CSI obfuscation based countermeasure and performedthe experiment to prove the effectiveness of this counter-measure method.

ACKNOWLEDGMENTS

This work is supported by National Natural Science Foun-dation of China (No. 61272444, No.61672350, U1401253,U1405251, No. 61411146001) and National Science Founda-tion (No. 1527144, No. 1553304, No. 1618893).

REFERENCES

[1] M. Li, Y. Meng, J. Liu, H. Zhu, X. Liang, Y. Liu, and N. Ruan,“When csi meets public wifi: Inferring your mobile phone pass-word via wifi signals,” in Proceedings of the 2016 ACM SIGSACConference on Computer and Communications Security. ACM, 2016,pp. 1068–1079.

[2] K. Ali, A. X. Liu, W. Wang, and M. Shahzad, “Keystroke recogni-tion using wifi signals,” in Proceedings of the 21st Annual Interna-tional Conference on Mobile Computing and Networking. ACM, 2015,pp. 90–102.




[3] D. Balzarotti, M. Cova, and G. Vigna, “Clearshot: Eavesdroppingon keyboard input from video,” in Security and Privacy, 2008. SP2008. IEEE Symposium on. IEEE, 2008, pp. 170–183.

[4] J. Liu, Y. Wang, G. Kar, Y. Chen, J. Yang, and M. Gruteser,“Snooping keystrokes with mm-level audio ranging on a singlephone,” in Proceedings of the 21st Annual International Conference onMobile Computing and Networking. ACM, 2015, pp. 142–154.

[5] T. Zhu, Q. Ma, S. Zhang, and Y. Liu, “Context-free attacks us-ing keyboard acoustic emanations,” in Proceedings of the 2014ACM SIGSAC Conference on Computer and Communications Security.ACM, 2014, pp. 453–464.

[6] D. Shukla, R. Kumar, A. Serwadda, and V. V. Phoha, “Beware, yourhands reveal your secrets!” in Proceedings of the 2014 ACM SIGSACConference on Computer and Communications Security. ACM, 2014,pp. 904–917.

[7] Q. Yue, Z. Ling, X. Fu, B. Liu, K. Ren, and W. Zhao, “Blindrecognition of touched keys on mobile devices,” in Proceedings ofthe 2014 ACM SIGSAC Conference on Computer and CommunicationsSecurity. ACM, 2014, pp. 1403–1414.

[8] X. Liu, Z. Zhou, W. Diao, Z. Li, and K. Zhang, “When good be-comes evil: Keystroke inference with smartwatch,” in Proceedingsof the 22nd ACM SIGSAC Conference on Computer and Communica-tions Security. ACM, 2015, pp. 1273–1285.

[9] P. Marquardt, A. Verma, H. Carter, and P. Traynor, “(sp) iphone:decoding vibrations from nearby keyboards using mobile phoneaccelerometers,” in Proceedings of the 18th ACM conference on Com-puter and communications security. ACM, 2011, pp. 551–562.

[10] E. Owusu, J. Han, S. Das, A. Perrig, and J. Zhang, “Accessory:password inference using accelerometers on smartphones,” inProceedings of the Twelfth Workshop on Mobile Computing Systems& Applications, 2012, pp. 1–6.

[11] J. Zhang, X. Zheng, Z. Tang, T. Xing, X. Chen, D. Fang, R. Li,X. Gong, and F. Chen, “Privacy leakage in mobile sensing: Yourunlock passwords can be leaked through wireless hotspot func-tionality,” Mobile Information Systems, vol. 2016, 2016.

[12] S. Tan and J. Yang, “Wifinger: leveraging commodity wifi forfine-grained finger gesture recognition,” in Proceedings of the 17thACM International Symposium on Mobile Ad Hoc Networking andComputing. ACM, 2016, pp. 201–210.

[13] S. Sen, J. Lee, K.-H. Kim, and P. Congdon, “Avoiding multipath torevive inbuilding wifi localization,” in Proceeding of the 11th annualinternational conference on Mobile systems, applications, and services.ACM, 2013, pp. 249–262.

[14] Y. Xie, Z. Li, and M. Li, “Precise power delay profiling withcommodity wifi,” in Proceedings of the 21st Annual InternationalConference on Mobile Computing and Networking, ser. MobiCom ’15.New York, NY, USA: ACM, 2015, pp. 53–64. [Online]. Available:http://doi.acm.org/10.1145/2789168.2790124

[15] D. Halperin, W. Hu, A. Sheth, and D. Wetherall, “Tool release:gathering 802.11 n traces with channel state information,” ACMSIGCOMM Computer Communication Review, vol. 41, no. 1, pp. 53–53, 2011.

[16] “IEEE Std. 802.11n-2009: Enhancements for higher throughput.”http://www.ieee802.org, 2009.

[17] H. Benko, A. D. Wilson, and P. Baudisch, “Precise selectiontechniques for multi-touch screens,” in Proceedings of the SIGCHIconference on Human Factors in computing systems. ACM, 2006, pp.1263–1272.

[18] C. Forlines, D. Wigdor, C. Shen, and R. Balakrishnan, “Direct-touch vs. mouse input for tabletop displays,” in Proceedings of theSIGCHI conference on Human factors in computing systems. ACM,2007, pp. 647–656.

[19] F. Wang, X. Cao, X. Ren, and P. Irani, “Detecting and leveragingfinger orientation for interaction with direct-touch surfaces,” inProceedings of the 22nd annual ACM symposium on User interfacesoftware and technology. ACM, 2009, pp. 23–32.

[20] S. Sardy, P. Tseng, and A. Bruce, “Robust wavelet denoising,” IEEETransactions on Signal Processing, vol. 49, no. 6, pp. 1146–1152, Jun2001.

[21] C. C. Holt, “Forecasting seasonals and trends by exponentiallyweighted moving averages,” International journal of forecasting,vol. 20, no. 1, pp. 5–10, 2004.

[22] J. Russell, “Alipay, chinas top mobile payment service,expands to the u.s.” https://techcrunch.com/2017/05/09/alipay-first-data-us-point-of-sale-expansion/, accessed May 9,2017.

[23] D. Halperin, “Linux 802.11n csi tool,” http://dhalperi.github.io/linux-80211n-csitool/faq.html.

[24] O. Nakhila, E. Dondyk, M. F. Amjad, and C. Zou, “User-side wi-fievil twin attack detection using ssl/tcp protocols,” in 2015 12thAnnual IEEE Consumer Communications and Networking Conference(CCNC), Jan 2015, pp. 239–244.

[25] O. Nakhila and C. Zou, “User-side wi-fi evil twin attack detectionusing random wireless channel monitoring,” in MILCOM 2016 -2016 IEEE Military Communications Conference, Nov 2016, pp. 1243–1248.

[26] J. Postel et al., “Rfc 792: Internet control message protocol,” Inter-Net Network Working Group, 1981.

[27] D. Vecchiato and E. Martins, “Experience report: A field analysis ofuser-defined security configurations of android devices,” in 2015IEEE 26th International Symposium on Software Reliability Engineer-ing (ISSRE), Nov 2015, pp. 314–323.

[28] Y. Mao, Y. Zhang, and S. Zhong, “Stemming downlink leakagefrom training sequences in multi-user mimo networks,” in Pro-ceedings of the 2016 ACM SIGSAC Conference on Computer andCommunications Security. ACM, 2016, pp. 1580–1590.

[29] S. Fang, Y. Liu, W. Shen, H. Zhu, and T. Wang, “Virtual multipathattack and defense for location distinction in wireless networks,”IEEE Transactions on Mobile Computing, vol. 16, no. 2, pp. 566–580,Feb 2017.

[30] Y.-C. Tung, S. Han, D. Chen, and K. G. Shin, “Vulnerabilityand protection of channel state information in multiuser mimonetworks,” in Proceedings of the 2014 ACM SIGSAC Conference onComputer and Communications Security. ACM, 2014, pp. 775–786.

[31] T. Ristenpart, E. Tromer, H. Shacham, and S. Savage, “Hey, you,get off of my cloud: exploring information leakage in third-partycompute clouds,” in Proceedings of the 16th ACM conference onComputer and communications security. ACM, 2009, pp. 199–212.

[32] B. Chen, V. Yenamandra, and K. Srinivasan, “Tracking keystrokesusing wireless signals,” in Proceedings of the 13th Annual Inter-national Conference on Mobile Systems, Applications, and Services.ACM, 2015, pp. 31–44.

[33] J. Wang, K. Zhao, X. Zhang, and C. Peng, “Ubiquitous keyboardfor small mobile devices: harnessing multipath fading for fine-grained keystroke localization,” in Proceedings of the 12th annualinternational conference on Mobile systems, applications, and services.ACM, 2014, pp. 14–27.

[34] J. Sun, X. Jin, Y. Chen, J. Zhang, R. Zhang, and Y. Zhang, “Visible:Video-assisted keystroke inference from tablet backside motion,”in NDSS, 2016.

[35] Y. L. S. Z. Z. L. S. Fang, I. Markwood and H. Zhu, “No traininghurdles: Fast training-agnostic attacks to infer your typing,” inACM CCS. ACM, 2018.

[36] H. Li, Z. Xu, H. Zhu, D. Ma, S. Li, and K. Xing, “Demographics in-ference through wi-fi network traffic analysis,” in IEEE INFOCOM2016 - The 35th Annual IEEE International Conference on ComputerCommunications, April 2016, pp. 1–9.

[37] N. Cheng, X. O. Wang, W. Cheng, P. Mohapatra, and A. Senevi-ratne, “Characterizing privacy leakage of public wifi networks forusers on travel,” in 2013 Proceedings IEEE INFOCOM, April 2013,pp. 2769–2777.

[38] H. Li, H. Zhu, S. Du, X. Liang, and X. Shen, “Privacy leakage oflocation sharing in mobile social networks: Attacks and defense,”IEEE Transactions on Dependable and Secure Computing, vol. PP,no. 99, pp. 1–1, 2016.

[39] Y. Fan, Y. Jiang, H. Zhu, and X. Shen, “An efficient privacy-preserving scheme against traffic analysis attacks in networkcoding,” in IEEE INFOCOM 2009, April 2009, pp. 2213–2221.

[40] B. Konings, C. Bachmaier, F. Schaub, and M. Weber, “Device namesin the wild: Investigating privacy risks of zero configurationnetworking,” in Mobile Data Management (MDM), 2013 IEEE 14thInternational Conference on, vol. 2. IEEE, 2013, pp. 51–56.

[41] N. Xia, H. H. Song, Y. Liao, M. Iliofotou, A. Nucci, Z.-L. Zhang,and A. Kuzmanovic, “Mosaic: Quantifying privacy leakage inmobile networks,” in ACM SIGCOMM Computer CommunicationReview, vol. 43, no. 4. ACM, 2013, pp. 279–290.

[42] V. F. Taylor, R. Spolaor, M. Conti, and I. Martinovic, “Appscanner:Automatic fingerprinting of smartphone apps from encryptednetwork traffic,” in Security and Privacy (EuroS&P), 2016 IEEEEuropean Symposium on. IEEE, 2016, pp. 439–454.

[43] H. F. Alan and J. Kaur, “Can android applications be identifiedusing only tcp/ip headers of their launch time traffic?” in Proceed-




ings of the 9th ACM Conference on Security & Privacy in Wireless andMobile Networks. ACM, 2016, pp. 61–66.

[44] M. Conti, L. V. Mancini, R. Spolaor, and N. V. Verde, “Analyzingandroid encrypted network traffic to identify user actions,” IEEETransactions on Information Forensics and Security, vol. 11, no. 1, pp.114–125, 2016.

Yan Meng is a Ph.D. candidate in the Depart-ment of Computer Science and Engineering,Shanghai Jiao Tong University, China. He re-ceived his B.S. degree in Electronic and Infor-mation Engineering from Huazhong University ofScience and Technology in 2016. His researchinterests include wireless network security andsocial network privacy.

Jinlei Li is a master candidate in the De-partment of Computer Science and Engineer-ing, Shanghai Jiao Tong University, China. Hereceived his B.S. degree in the Departmentof Computer Science and Engineering fromShanghai Jiao Tong University of China in 2018.His research interests are wireless network se-curity and network privacy.

Haojin Zhu is currently a Full Professor withDepartment of Computer Science and Engineer-ing, Shanghai Jiao Tong University, China. Hereceived his B.Sc. degree (2002) from WuhanUniversity (China), his M.Sc.(2005) degree fromShanghai Jiao Tong University (China), both incomputer science and the Ph.D. in Electricaland Computer Engineering from the Universityof Waterloo (Canada), in 2009. His current re-search interests include network security andprivacy protection. He received the IEEE Com-

Soc Asia-Pacific Outstanding Young Researcher Award (2014) due tohis contribution to wireless network security and privacy, DistinguishedMember of the IEEE INFOCOM 2015 Technical Program Committee.

Xiaohui Liang received the B.Sc. degree inComputer Science and Engineering and theM.Sc. degree in Computer Software and The-ory from Shanghai Jiao Tong University (SJTU),China, in 2006 and 2009, respectively. He iscurrently working toward a Ph.D. degree in theDepartment of Electrical and Computer Engi-neering, University of Waterloo, Canada. His re-search interests include applied cryptography,and security and privacy issues for e-healthcaresystem, cloud computing, mobile social net-

works, and smart grid.

Yao Liu received the Ph.D. degree in computerscience from North Carolina State University in2012. She is currently an Assistant Professorwith the Department of Computer Science andEngineering, University of South Florida, Tampa,FL, USA. Her research is related to computerand network security, with an emphasis on de-signing and implementing defense approachesthat protect emerging wireless technologies frombeing undermined by adversaries. Her researchinterest also lies in the security of cyber-physical

systems, especially in smart grid security.

Na Ruan received the B.S. degree in Informa-tion Engineering and the M.S. degree in Com-munication and Information System from ChinaUniversity of Mining and Technology in 2007and 2009 respectively. She received D.E. degreefrom the Faculty of Engineering, Kyushu Univer-sity, Japan in 2012. Since 2013, she joined theDepartment of Computer Science and Engineer-ing of Shanghai Jiaotong University as AssistantProfessor. Her current research interests are inwireless network security and game theory.

revealing your mobile password via wifi signals: …naruan/publications/journal/revealing...2.1...

Documents