Nov 15, 2016 | By Nick

A joint team of researchers from the Shanghai Jaio Tong University, the University of Massachusetts at Boston, and the University of South Florida has found that hackers can now gather sensitive information such as passwords by essentially 3D scanning and registering your finger movements. The technique devised by the researchers, called WindTalker, can effectively read a user's finger movements on their phone screen using channel state information (CSI)

Even though many people are increasingly using their phones for online banking and payments, there is little thought given to what security risks it could pose. And while computer hackers have traditionally opted for virus and malware-based attacks, smartphones are susceptible and offer different points of entry. Now, a team of researchers is proving this by demonstrating how they have used a malicious WiFi hotspot to infiltrate a smartphone to create a ‘keystroke inference framework’. Using this method, the researchers proved that they could effectively retrieve the passwords for Alipay, a third part payment platform, on a number of different mobile phones. The Association of Computing Machinery has published its paper: "When CSI meets public Wi-Fi: Inferring your mobile phone password via WiFi Signals", which details the research and findings. 

"We implemented WindTalker on several mobile phones and performed a detailed case study to evaluate the practicality of the password inference towards Alipay, the largest mobile payment platform in the world,” they said. “The evaluation results show that the attacker can recover the key with a high successful rate."

Essentially the system uses the phone’s own touchscreen against it. WindTalker can interpret the movement of your own fingers from the shadows created above the screen. Once it has analyzed the screen coverage impressions, which are basically the shadows and interference patterns your fingers create while typing in sensitive information, it can determine your keystrokes and passwords.

The researchers explained: "Since the received signal reflects the constructive and destructive interference of several multi-path signals scattered from the wall and surrounding objects, the movements of the fingers while password input can generate a unique pattern in the time-series of CSI values, which can be used for keystrokes recognition."

The system required multiple antennas and a Multiple Input Multiple Output (MIMO) antenna to effectively gather the complex waveforms data. The controller software detects small phase differences to cancel weak signals and reinforce others to build a complex picture of the Channel State Information.

This WindTalker WiFi hack does require some specialist equipment. But the necessary antennae are freely available on eBay and costs hundreds, rather than thousands of dollars. If cybercriminals can infiltrate your bank without having to install spyware on your phone then it’s clearly an attractive proposition and a malicious WiFi hotspot in an airport, train station or busy city center location could compromise a vast number of phones.

The hackers can easily determine when you are connecting to an online payment system thanks to the IP address of the secure server you connect to. The software provided the three most likely PIN numbers or passwords and with time the team could almost certainly refine the program further. Unlike other hacks, WindTalker doesn’t leave a trace, either, which could make it doubly attractive to cybercriminals.

So what is the answer to this phone hack? It’s actually very simple. The hackers can determine the position of your fingers on the screen, but that is all. So if the banks and online payment merchants simply randomize the keypad then this hack won’t work.

At that point the cybercriminals would need to infiltrate the phone’s browser simultaneously, and break through the bank’s complex encryption, to gain access to the missing information, turning WindTalker from a relatively simple procedure into an overly complex and convoluted approach that doesn’t have the same appeal for the hackers.

Smartphone technology is moving forward at an incredible rate and 3D scanning technology is becoming increasingly integrated into our daily lives. As Augmented and Virtual Reality become more standard and as camera technology and UI form stronger bonds, 3D scanning technology will come with a wealth of benefits, but at the same time it leaves us open to new types of hacks.

The IT security world is engaged in an ongoing arms race with cybercriminals and white hat hackers like the WindTalker team are finding new weaknesses all the time. Other researchers have found ways to use the phone's in-built microphone to record the keystrokes and webcams have proven surprisingly effective, too. There is one simple fix for all of these attacks and we’re sure you’ll see randomized keypads sooner rather than later. If you want to be safe in the meantime, you can always avoid using banking or payment apps in non-secure WiFi connections.

 

 

Posted in 3D Scanning

 

 

Maybe you also like:


   






Leave a comment:

Your Name:

 


Subscribe us to

3ders.org Feeds 3ders.org twitter 3ders.org facebook   

About 3Ders.org

3Ders.org provides the latest news about 3D printing technology and 3D printers. We are now six years old and have around 1.5 million unique visitors per month.

News Archive