When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS...
Transcript of When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS...
![Page 1: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/1.jpg)
When CSI Meets Public WiFi: Inferring Your Mobile Phone Password via
WiFi SignalsMengyuan Li1, Yan Meng1, Junyi Liu1, Haojin Zhu1, Xiaohui Liang2,
Yao Liu3 and Na Ruan1
1Shanghai Jiao Tong University, China2University of Massachusetts at Boston
3University of South Florida
October, 2016
1
![Page 2: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/2.jpg)
Background
The rise of mobile payment
Alipay WeChat Bank APP2
Smart mobile devices are everywhere
![Page 3: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/3.jpg)
Online Mobile Payment
3
Money transfer Online paymentQuick Pay
900 million users
1 trillion dollars transactions100 million transactions per day
In 2015
Alipay
![Page 4: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/4.jpg)
Payment ProtectionsProtections of mobile payment security
Transport protocol: TLS/SSL
The packets payloads are encrypted
6-digit PasswordTrust
encryption
4
Limited password attempt times
![Page 5: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/5.jpg)
Payment ProtectionsProtections of mobile payment security
Transport protocol: TLS/SSL
The packets payloads are encrypted
6-digit Password
Danger!encryption
5
Limited password attempt times
![Page 6: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/6.jpg)
Password Inference
Keystroke Inference methods:Accelerometer based method: CCS 2015Acoustic based method: CCS 2014Camera based method: CCS 2014
6
ExtractDifficultTraffic
Side channel Practical!Keystroke
Their assumption cannot hold in mobile paymentscenario.
![Page 7: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/7.jpg)
PASSWORD INFERENCE
Keystroke Inference Models:Accelerometer based method: CCS 2015Acoustic based method: CCS 2014Camera based method: CCS 2014
7
ExtractDifficultTraffic
Side channel Practical!Keystroke
Their assumption cannot hold in mobile paymentscenario.
Propose Wi-Fi based method
Channel State Information (CSI) from Wi-Fi
Specifically:
![Page 8: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/8.jpg)
Channel State Information
CSI(Channel State Information)CSI was the channel frequency response of Wireless signals.
8
![Page 9: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/9.jpg)
9
Wi-Fi senderWi-Fi receiver
Channel state
IEEE 802.11n/ac
Channel State Information
CSI(Channel State Information)CSI reflects the state of its transmission channel.
![Page 10: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/10.jpg)
10
Person IndentificationWiWho Y Zeng, P Pathak, P Mohapatra (IPNS 2016)
Activity RecognitionCARM W Wang, A Liu, M Shahzad, K Ling, S Lu
(MobiCom 2015)Keystroke Recognition
WiKey K Ali, A Liu, W Wang, M Shahzad (MobiCom 2015)
Advantage: device-free, commercial equipment
Centimeters-level LocalizationChronos D Vasisht, S Kumar, D Kataba (NSDI 2016)
Existing Works about CSI Based Recognition
![Page 11: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/11.jpg)
11
Keystroke RecognitionWiKey K Ali, A Liu, W Wang, M Shahzad (MobiCom 2015)
Advantage: device-free, commercial equipment
Existing Works about CSI Based Recognition
![Page 12: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/12.jpg)
Centimeters-level LocalizationChronos D Vasisht, S Kumar, D Katabi (NSDI 2016)
12
Person IndentificationWiWho Y Zeng, P Pathak, P Mohapatra (IPNS 2016)
Activity RecognitionCARM W Wang, A Liu, M Shahzad, K Ling, S Lu
(MobiCom 2015)Keystroke Recognition
WiKey K Ali, A Liu, W Wang, M Shahzad (MobiCom 2015)
Advantage: device-free, commercial equipment
Can existing works be applied to inferpayment passwords in mobile devices?
Existing Works about CSI Based Recognition
![Page 13: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/13.jpg)
Centimeters-level LocalizationChronos D Vasisht, S Kumar, D Katabi (NSDI 2016)
13
Person IndentificationWiWho Y Zeng, P Pathak, P Mohapatra (IPNS 2016)
Activity RecognitionCARM W Wang, A Liu, M Shahzad, K Ling, S Lu
(MobiCom 2015)Keystroke Recognition
WiKey K Ali, A Liu, W Wang, M Shahzad (MobiCom 2015)
These works have the following shortcomings:1 Need a sender and receiver Wi-Fi devices2 Just recognize input, but have no idea what the input is.
Existing Works about CSI Based Recognition
![Page 14: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/14.jpg)
Centimeters-level LocalizationChronos D Vasisht, S Kumar, D Katabi (NSDI 2016)
14
Person IndentificationWiWho Y Zeng, P Pathak, P Mohapatra (IPNS 2016)
Activity RecognitionCARM W Wang, A Liu, M Shahzad, K Ling, S Lu
(MobiCom 2015)Keystroke Recognition
WiKey K Ali, A Liu, W Wang, M Shahzad (MobiCom 2015)
These works have the following shortcomings:1 Need a sender and receiver Wi-Fi devices2 Just recognize input, but have no idea what the input is.
Not Practical
Existing Works about CSI Based Recognition
![Page 15: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/15.jpg)
Our Design -- WindTalker
15
Feature:• One device to attack - no requirement of victim locating
between two WiFi devices;
• Identifying the sensitive input time window (e.g., passwordinput) by considering the SSL traffic and CSI flow together;
• Successfully attack AliPay, the most popular mobile paymentsystem in the world, on several smart phones.
WindTalker, a novel keystroke inference framework towards Smart Phones through WiFi Channel State Information(CSI).
![Page 16: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/16.jpg)
OUTLINE
MotivationAttack ScenarioSystem DesignEvaluationCase StudyConclusion
16
![Page 17: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/17.jpg)
OUTLINE
MotivationAttack ScenarioSystem DesignEvaluationCase StudyConclusion
17
![Page 18: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/18.jpg)
Change CSI collection method to get valid CSI data
Out-of-band keystroke inference(OKI) model
18
CSI COLLECTION
RX
TX
WiFi RouterKeyboard
Need deploy two Wi-Fi devices
Target locating between two devices
![Page 19: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/19.jpg)
Change CSI collection method to get valid CSI data
Out-of-band keystroke inference(OKI) model
19
CSI COLLECTION
RX
TX
WiFi RouterKeyboard
Distance is too short (e.g. 30cm)
Target locating between two devices
![Page 20: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/20.jpg)
In-band keystroke inference(IKI) model 20
Public WiFi meets CSI – IKI model
Establish Wi-Fi connection
Change CSI collection method to get valid CSI data
![Page 21: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/21.jpg)
Hand influence– direct influence
21
Public WiFi meets CSI – IKI model
![Page 22: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/22.jpg)
CSI - Hand motion
22
Base Station
Mobile Phone
Finger Motion
Strong Signal Weak Signal
Finger MotionAntenna
Antenna
Factors inference CSI during typing in mobile devices
WiFi signals have a similar condition.
![Page 23: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/23.jpg)
CSI - Hand motionFactors inference CSI during typing in mobile devices
Hand coverage
Finger motion23Type in soft keyboard
![Page 24: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/24.jpg)
CSI – Hand coverage Hand Coverage’s inference on CSI
Continuous press number 1-0 each for 5 times24
Click ‘1’ for 5 times
Click ‘4’ for 5 times
Click ‘0’ for 5 times
A CSI stream
![Page 25: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/25.jpg)
Finger click’s inference on CSI– sharp convex
CSI – Finger motion
25
Same numbersSimilarity
Different numbersDissimilarity
Quick click’s influence on multi-path propagation
![Page 26: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/26.jpg)
Possible
CSI – Finger motion
26
Possible to findfinger motion
Possible to identify finger motion
![Page 27: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/27.jpg)
Possible
CSI – Finger motion
27
Possible to inferkeystroke (even
password)!
![Page 28: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/28.jpg)
OUTLINE
MotivationAttack ScenarioSystem DesignEvaluationCase StudyConclusion
28
![Page 29: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/29.jpg)
Attack Scenario
29
Target
Hidden Devices
1m
Antennas
A public WiFi provided by attacker’s computer• OS: Linux• CPU: Inter(R) Core(TM)
i5-3317U 1.70GHz CPU
![Page 30: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/30.jpg)
Attack Scenario
30
Target
Antennas ($20)• TDJ-2400BKC antenna
working in 2.4GHz
![Page 31: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/31.jpg)
Attack Scenario
31
Target
Intel 5300 NIC ($5)• CSI Tools
![Page 32: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/32.jpg)
OUTLINE
MotivationAttack ScenarioSystem DesignEvaluationCase StudyConclusion
32
![Page 33: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/33.jpg)
How to infer password using CSI?
How to enforce victim’s device to be a WiFisender?
33
Challenges
How to locate CSI segments generated by password input?
How to reduce noise in raw CSI data?
![Page 34: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/34.jpg)
System Design
Existing system modelWindTalker System model
CSIHotspot
VictimOutput
Four Modules Four Challenges
WindTalker Schematic
34
![Page 35: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/35.jpg)
First Challenge
CSIHotspot
VictimOutput
WindTalker Schematic
CSI Collection Module
35
How to enforce victim’s device to be a WiFisender?
![Page 36: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/36.jpg)
Attacker Victim's device
ICMP based CSI Collection Module
HotspotWi-Fi Connection
36
Wi-Fi packets
![Page 37: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/37.jpg)
Attacker Victim's device
ICMP based CSI Collection Module
Hotspot
37
packets Collect CSI need
enough Wi-Fi
Wi-Fi packets
CSI can be extracted from Wi-Fi packets’ preamble
![Page 38: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/38.jpg)
ICMP Request
ICMP ReplyAttacker Victim's device
Attacker sending ICMP request in 800Hz, getting CSI data in 800Hz
ICMP based CSI Acquirement Module
HotspotWi-Fi Connection
38
![Page 39: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/39.jpg)
ICMP Request
ICMP ReplyAttacker Victim's device
Can be done without victim’s awareness
ICMP based CSI Acquirement Module
HotspotWi-Fi Connection
39
Attacker sending ICMP request in 800Hz, getting CSI data in 800Hz
![Page 40: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/40.jpg)
Second Challenge
CSIHotspot
VictimOutput
WindTalker Schematic
Sensitive Input Module
40
How to locate CSI segments generated by password input?
![Page 41: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/41.jpg)
Sensitive Input Module
41
How to locate CSI segments generated by password input?
There are many keystrokes! Which 6 keystrokes are
password?
![Page 42: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/42.jpg)
Sensitive Input Module
Make the system more efficient
42
How to locate CSI segments generated by password input?
Malicious WiFi hotspot
![Page 43: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/43.jpg)
Sensitive Input Module
43
How to locate CSI segments generated by password input?
Malicious WiFi hotspot
Construct Sensitive IP Pool Wireshark
![Page 44: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/44.jpg)
Third Challenge
CSIHotspot
VictimOutput
WindTalker Schematic
Data Preprocessing Module
44
How to reduce noise in raw CSI data?
![Page 45: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/45.jpg)
Data Preprocessing Module
Reducing NoiseUsing Directional Antenna
Using Omni-directional Antenna
Using Directional Antenna
Dizzy Obvious
45
![Page 46: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/46.jpg)
Reducing NoiseLow Pass Filtering
Dimension Reduction
Principal Component Analysis (PCA) on subcarriers
Select top few projections of CSI data
Remove the noisy projections of CSI data
46
Signal Processing methods
![Page 47: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/47.jpg)
Fourth Challenge
CSIHotspot
VictimOutput
WindTalker Schematic
Data Preprocessing Module
47
How to infer password using CSI?
![Page 48: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/48.jpg)
Password Inference Module
Keystroke Extraction
Low-pass Filter
Original Data
Smooth Data
48
![Page 49: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/49.jpg)
Password Inference Module
Keystroke Extraction
Variance
Smooth Data
Choose Segments
49
![Page 50: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/50.jpg)
Password Inference Module
Keystroke Extraction
Variance
Smooth Data
Extraction
50
![Page 51: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/51.jpg)
Password Inference Module
Keystroke Recognition
Dynamic Time WarpingClassifier TrainingRecognition
51
![Page 52: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/52.jpg)
Password Inference Module
Keystroke Recognition
Same NumberDTW Distance
52
![Page 53: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/53.jpg)
Password Inference Module
Keystroke Recognition
Different NumberDTW Distance
53
![Page 54: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/54.jpg)
OUTLINE
MotivationAttack ScenarioSystem DesignEvaluationCase StudyConclusion
54
![Page 55: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/55.jpg)
Classification between Different Numbers
10 Volunteers3 Types of Phone
55
Each Volunteer:Press 10 Loops
Each Loop:from 1-2-3-…-0
![Page 56: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/56.jpg)
Classification between Different Numbers
10 Volunteers3 Types of Phone
56
Each Volunteer:Press 10 Loops
Each Loop:from 1-2-3-…-0
![Page 57: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/57.jpg)
Classification between Different Numbers
10 Volunteers3 Types of Phone
57
Each Volunteer:Press 10 Loops
Each Loop:from 1-2-3-…-0
![Page 58: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/58.jpg)
58
Classification Results:
Classification between Different Numbers
Cross validation accuracy. Each times, 1loop for testing and 9 loops for training.
![Page 59: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/59.jpg)
82% in Xiaomi, 73% in Nexus and 64% in Samsung59
Classification Results:
Classification between Different Numbers
![Page 60: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/60.jpg)
Possible candidates for “123456”125484215487123456……
60
* * * * * *
6-digit password is a fixed password format for Alipay, Wechat pay and many other online banks.
Use Password Candidates
Infer 6-digit password
![Page 61: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/61.jpg)
Possible candidates for “123456”125484215487123456
……
3 Loops for training 200 passwords from ten volunteers 61
* * * * * *
6-digit password is a fixed password format for Alipay, Wechat pay and many other online banks.
Use Password Candidates
Infer 6-digit password
![Page 62: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/62.jpg)
Possible candidates for “123456”125484215487123456
……
3 Loops for training 200 passwords from ten volunteers 62
* * * * * *
6-digit password is a fixed password format for Alipay, Wechat pay and many other online banks.
Use Password Candidates
Infer 6-digit password
![Page 63: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/63.jpg)
Influence factors
Evaluation on Different Distance
63
Evaluation on Different Direction
![Page 64: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/64.jpg)
OUTLINE
MotivationAttack ScenarioSystem DesignEvaluationCase StudyConclusion
64
![Page 65: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/65.jpg)
Case Study
65
Simulate Real-world Scenario
Click Demo to See Details
Combine Four Technical Modules
![Page 66: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/66.jpg)
Case Study
66
Simulate Real-world Scenario
Click Demo to See Details
Combine Four Technical Modules
Case Study Results
Carry out case study 10 times:
Candidates Number
Successfully Inference
51050
100
2479
![Page 67: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/67.jpg)
OUTLINE
MotivationAttack ScenarioSystem DesignEvaluationCase StudyConclusion
67
![Page 68: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/68.jpg)
Hardware Limitations
68
Fixed Typing GestureUser Specific Training
Limitations
![Page 69: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/69.jpg)
Hardware Limitations
69
Limitations
Attacker Victim's device
Hotspot
Intel 5300 NIC
Wi-Fi Connection
![Page 70: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/70.jpg)
Hardware Limitations
70
Limitations
Attacker Victim's device
Hotspot
Intel 5300 NIC
Wi-Fi Connection
Wi-Fi NIC Crashed!
![Page 71: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/71.jpg)
Hardware Limitations
71
Limitations
Fixed Typing GestureToo quick typeStrange hand motionDisturbance nearby
![Page 72: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/72.jpg)
Hardware Limitations
72
Limitation
Fixed Typing GestureUser Specific TrainingText CaptchasPlain content analysis
![Page 73: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/73.jpg)
Random Layouts of Keyboard
73
Countermeasure
1 2 34 5 67 8 9
0
After typing 1 2 34 5 67 8 9
0
![Page 74: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/74.jpg)
Random Layouts of KeyboardChange Typing Gesture
74
Countermeasure
NextClick
![Page 75: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/75.jpg)
Random Layouts of KeyboardChange Typing GesturePreventing the collection of CSI
75
Countermeasure
Attacker Victim's device
Hotspot
![Page 76: When CSI Meets Public WiFi: Inferring Your Mobile Phone ...nsec.sjtu.edu.cn/publications/2016/CCS 2016.pdf · Smart Phones through WiFi Channel State Information(CSI). OUTLINE. Motivation](https://reader034.fdocuments.net/reader034/viewer/2022050402/5f7fbb2385a970656442eefc/html5/thumbnails/76.jpg)
76
Conclusion and Future WorkWe present WindTalker, a novel attack that usesphysical layer information to attack applications inthe upper layers (Encryption may not work).
It is expected to have a broad potential applicationfor password inference in mobile devices (encryptedtraffic analysis + CSI analysis should be cool).
Major issue is the CSI collection module is notreliable: using advanced tools to enhance it.