YIBADA

New password, sniffing method relies on rogue Wi-Fi networks

| Nov 14, 2016 10:47 PM EST

Securing phone with password lock is not anything new; however, the latest flaw in Android edition phone is that it provides an easy access to hack phone passwords.

Smartphone passwords are typically safe to use as long as no one is watching or the device is free of malware but a new Wi-Fi method can now allow hackers to guess passwords.

Researchers from the University of South Florida, University of Massachusetts in Boston and the Shanghai Jiao Tong University has come up with a new way to sniff out passwords through Wi-Fi. The victim would need to be connected to the Wi-Fi hotspot itself.

One caveat is that the attack requires the Wi-Fi hotspot to be close to the victim itself. Researchers call the attack WindTalker and it guesses passwords and PINS through the lapses in Wi-Fi signals, Toms Hardware has learned.

In deeper technical terms, WindTalker makes use of Channel State Information (CSI) which is used by the Wi-Fi protocol. The alterations in the signal which can be detected if a user types on the screen are used to interpret a possible PIN or password combination even without the need to exactly snoop on the phone's screen visually.

WindTalker completely bypasses any encrypted connections and information as it only needs a victim to connect to a seemingly harmless free Wi-Fi connection. No malware is even installed in the victim's device.

Fortunately, the WindTalker attack still has lots of limitations. WindTalker currently works for only one model of a Wi-Fi network card and a modified firmware code which has been found to be prone to crashing, Naked Security reported.

Still, hackers could find a way to expand the limits of the said attack in the near future considering that technology does evolve fast. Users also have more options to keep safe from such attacks.

For one, they can use two-factor authentication or 2FA. Even if the hacker does get the password from sniffing through the Wi-Fi signal, they still will not be able to open the account because they need to authenticate a second time via another method unavailable to them.

Related News

Most Popular

EDITOR'S PICK