A cybersecurity vulnerability found in an implementation of the social login functionality opens the door to account takeovers and more.
Related Posts
WiKI-Eve – Stealing Wi-Fi Passwords by Eavesdropping on Keystrokes
Mobile devices and apps play a growing role in user identification, which makes password theft comparable to identity theft and invites a range of eavesdropping attacks, including stealthy indirect ones that use side channels.
Indirect attacks, like those using side channels (acoustic, electromagnetic, etc.), pose higher risks by stealthily inferring passwords without needing to see the target screen.
The following cybersecurity researchers, listed with their universities, recently unveiled a new exploit, dubbed “WiKI-Eve”, to steal WiFi passwords by eavesdropping on keystrokes:
Jingyang Hu (Hunan University, China)
Hongbo Wang (Nanyang Technological University, Singapore)
Tianyue Zheng (Nanyang Technological University, Singapore)
Jingzhi Hu (Nanyang Technological University, Singapore)
Zhe Chen (Fudan University, China)
Hongbo Jiang (Hunan University, China)
Jun Luo (Nanyang Technological University, Singapore)
Wi-Fi Passwords by Eavesdropping
Wi-Fi channel state information (CSI), unique among side channels, can be used to infer keystrokes for password theft, but it poses data deficit challenges. That is why the researchers proposed WiKI-Eve, which steals numerical passwords through variations in beamforming feedback information (BFI).
The researchers used Wi-Fi BFI, which avoids hardware hacking, and employed deep learning with adversarial training for keystroke inference (KI) in WiKI-Eve, keeping it practical with limited data and addressing the data deficiency.
There are two CSI-based KI methods:
In-band KI (IKI)
Out-of-band KI (OKI)
The researchers used a laptop (Acer TravelMate with Intel AX210 Wi-Fi NIC) in their experiments due to Android limitations. They captured BFIs with Wireshark in monitor mode, analyzed them using Matlab and Python with PyTorch, and publicly shared their data and preprocessing code online.
The evaluation uses keystroke classification accuracy and top-𝑁 password inference accuracy. Keystroke accuracy measures the share of correctly classified keystrokes, while top-𝑁 accuracy checks whether any of the 𝑁 most probable candidate passwords matches the true one.
The researchers first demonstrate WiKI-Eve’s building blocks with micro-benchmarks, then evaluate overall performance and practical factors. Real-world experiments show WiKI-Eve stealing WeChat Pay passwords and its application to QWERTY keyboards.
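The two metrics described above, as an added example (not code from the researchers or from this article), useful for measuring how much a mitigation such as keyboard randomization lowers exposure. The classifier outputs in `SAMPLES` are constructed, and treating keystrokes as independent is an assumption.

```python
import heapq
import math


def keystroke_accuracy(step_probs, truth):
    """Share of keystrokes whose most probable class equals the true digit."""
    hits = sum(max(p, key=p.get) == t for p, t in zip(step_probs, truth))
    return hits / len(truth)


def top_n_candidates(step_probs, n):
    """Return the n most probable passwords, most probable first.

    Assumes independent keystrokes. A beam of width n is then exact:
    every prefix of a top-n password is itself a top-n prefix.
    """
    beams = [(0.0, "")]  # (log-probability, partial password)
    for probs in step_probs:
        grown = [(lp + math.log(p), pw + digit)
                 for lp, pw in beams
                 for digit, p in probs.items() if p > 0]
        beams = heapq.nlargest(n, grown)
    return [pw for _, pw in beams]


def top_n_accuracy(samples, n):
    """Share of samples whose true password is among the top-n candidates."""
    hits = sum(truth in top_n_candidates(sp, n) for sp, truth in samples)
    return hits / len(samples)


# Constructed data: per-keystroke class probabilities and the true password.
SAMPLES = [
    ([{"1": 0.7, "4": 0.3}, {"2": 0.6, "5": 0.4}, {"3": 0.9, "6": 0.1}], "123"),
    ([{"7": 0.55, "8": 0.45}, {"9": 0.8, "0": 0.2}, {"0": 0.9, "3": 0.1}], "890"),
]

if __name__ == "__main__":
    for n in (1, 2):
        print(f"top-{n} accuracy: {top_n_accuracy(SAMPLES, n):.2f}")
```

The second sample shows why both metrics are reported: one misclassified keystroke makes the top-1 guess wrong, yet the true password is still the second candidate.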
To demonstrate WiKI-Eve’s practicality, they perform a real-world experiment where Eve stealthily steals Bob’s (victim) WeChat Pay password while he makes a transaction using an iPhone 13 in a 5m × 8m conference room, with Eve eavesdropping from 3m away.
Encrypting data traffic is a direct defense against WiKI-Eve, but it can complicate systems with high user dynamics. Keyboard randomization, an indirect defense, shifts the complexity to users but can inconvenience those relying on muscle memory for password entry.
WiKI-Eve, a versatile Wi-Fi KI attack, requires no hacking or specialized hardware, offering broad applicability. Its adversarial learning generalizes to unseen domains.
The post WiKI-Eve – Stealing Wi-Fi Passwords by Eavesdropping on Keystrokes appeared first on Cyber Security News.
Cyber Security News
Ukraine at D+608: Privateers are rising.
Ukraine’s successes in the Black Sea are part of a long-war strategy. Russian privateers are increasingly active against Ukrainian targets, and are paying particular attention to financial transactions.
The CyberWire
Apple opens 2024 applications to get ‘security research’ iPhones
Apple announced today that iOS security researchers can now apply for a Security Research Device (SRD) by the end of October. […]
BleepingComputer