When CSI Meets Public Wi-Fi:
Inferring Your Mobile Phone Password via Wi-Fi Signals
Presented By:
Keshav Yerra
Introduction
Smart mobile devices are everywhere.
Rise of Mobile Payment Applications
Online Mobile Payment
In 2015:
900 million users
100 million transactions per day
1 trillion dollars in transactions
Payment Protections
Protections for mobile payment security
The Packets are encrypted
Transport Protocol: TLS/SSL
6-Digit Password
Limited Password attempts
Password Inference
Keystroke Inference Methods:
Accelerometer-based method – 2015
Acoustic-based method – 2014
Camera-based method – 2014
Their assumptions do not hold in the mobile payment scenario.
Channel State Information
CSI : Channel State Information
CSI reflects the state of its transmission channel
WindTalker
■ WindTalker aims to find out what your password is by analyzing the interference with the multipath Wi-Fi signals caused by your hands as you type.
Features
Only one device required to attack
Identifies the sensitive input time window (e.g., password input) by considering the SSL traffic and CSI flow.
Successfully attacks Alipay mobile payment app on several mobile devices.
OUTLINE
■ Motivation
■ Attack Scenario
■ System Design
■ Evaluation
■ Conclusion
CSI Collection
■ Change the CSI collection method to get valid CSI data
Out-of-band Keystroke Inference (OKI) model
In-band Keystroke Inference (IKI) model
CSI – Hand Motion
■ Factors that influence CSI during typing on mobile devices
Finger Motion
CSI – Hand Coverage
■ Influence of hand coverage on CSI
CSI Stream
• Each number from 1 to 0 pressed continuously 5 times
CSI – Finger Motion
■ Influence of finger clicks on CSI – sharp convex
A quick click's influence on multipath propagation
Possible to find finger motion
Possible to identify finger motion
Attack Scenario
CHALLENGES
■ How to force the victim's device to be a Wi-Fi sender?
■ How to locate the CSI segments generated by password input?
■ How to reduce noise in raw CSI data?
■ How to infer the password using CSI?
System Design
■ WindTalker system model
■ Four modules, four challenges
First Challenge
■ How to force the victim's device to be a Wi-Fi sender?
■ CSI collection module
ICMP-based CSI Collection module
CSI can be extracted from the preamble of a Wi-Fi packet
ICMP-based CSI Acquisition module
• The attacker sends ICMP requests at 800 Hz and obtains CSI data at 800 Hz
• Can be done without the victim's knowledge
Second Challenge
■ How to locate the CSI segments generated by password input?
Sensitive Input Module
Third Challenge
■ How to reduce noise in raw CSI data?
Signal Processing Methods
■ Using directional antennas instead of omnidirectional antennas
■ Reducing noise
1. Low-pass filtering
2. Dimension reduction
Fourth Challenge
■ How to infer the password using CSI?
■ Data Preprocessing Module
Password Inference Module
Classification between different numbers
10 volunteers, 3 types of phones
Each volunteer: press 10 loops
Each loop: from 1-2-3…0
Classification results:
82% on Xiaomi, 73% on Nexus, 64% on Samsung
Limitations
■ Hardware Limitation
■ Fixed Typing Gesture
Countermeasure
■ Random Layouts of Keyboard
■ Changing typing gestures
■ Preventing the collection of CSI
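One way an access point or client-side monitor could support the last countermeasure, given the 800 Hz ICMP request rate quoted for the CSI collection module: flag any source that sustains an abnormal echo-request rate toward a single host. This is an added example, not code from the slides or the WindTalker authors; the thresholds, function names and sample addresses are assumptions.

```python
from collections import defaultdict, deque

WINDOW_S = 1.0    # sliding window length in seconds (assumed)
RATE_LIMIT = 100  # echo requests per window treated as abnormal (assumed)
SUSTAIN_S = 3.0   # rate must persist this long before alerting (assumed)

def detect_icmp_probing(events, window=WINDOW_S, limit=RATE_LIMIT, sustain=SUSTAIN_S):
    """events: time-ordered (timestamp_s, src_ip, dst_ip) ICMP echo requests.
    Returns {(src, dst): time of first alert}."""
    recent = defaultdict(deque)   # per-flow timestamps inside the window
    over_since = {}               # when each flow first exceeded the limit
    alerts = {}
    for ts, src, dst in events:
        key = (src, dst)
        q = recent[key]
        q.append(ts)
        while q[0] <= ts - window:        # drop timestamps older than the window
            q.popleft()
        if len(q) > limit:
            start = over_since.setdefault(key, ts)
            if ts - start >= sustain:     # fast AND sustained: raise once
                alerts.setdefault(key, ts)
        else:
            over_since.pop(key, None)     # rate fell back, reset the timer
    return alerts

def constructed_sample():
    """Constructed capture; addresses are documentation-range placeholders."""
    events = []
    # 800 Hz echo requests at one client for 5 s (the rate quoted in the slides)
    events += [(i / 800, "192.0.2.10", "192.0.2.55") for i in range(4000)]
    # ordinary 1 Hz ping to the gateway
    events += [(float(i), "192.0.2.20", "192.0.2.1") for i in range(5)]
    # 0.3 s diagnostic burst: fast, but not sustained
    events += [(1.0 + i / 1000, "192.0.2.30", "192.0.2.1") for i in range(300)]
    return sorted(events)

if __name__ == "__main__":
    for (src, dst), ts in detect_icmp_probing(constructed_sample()).items():
        print(f"sustained ICMP echo stream {src} -> {dst}, alerted at t={ts:.3f}s")
```

Requiring the rate to persist keeps short diagnostic bursts from alerting; a flagged flow can then be rate-limited or dropped so the sender no longer receives replies at a useful sampling rate.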
Conclusion and Future Work
■ WindTalker is an interesting attack that uses information from the physical layer to attack applications in the upper layers.
■ It is expected to have broad potential application for password inference on mobile devices.
■ A major issue is that the CSI collection module is not that reliable.
■ Due to the limitations of the Intel 5300 NIC, the current WindTalker cannot work for iOS devices, which will be a part of future work.