Researchers have identified a security vulnerability affecting modern internet routers that allows hackers to steal passwords over Wi-Fi.
In a paper published on Sept. 7, researchers from Chinese and Singaporean universities said the exploit — dubbed WiKI-Eve — is “the first Wi-Fi-based KI attack with no need for hacking or specialized hardware” (KI stands for keystroke inference). The paper reported that it can infer individual keystrokes with about 88.9 percent accuracy.
WiKI-Eve can eavesdrop on keystrokes to uncover passwords. It also uses “adversarial learning schemes to enable its inference generalizable towards unseen scenarios.”
This vulnerability affects most routers from 2013 onward that support 802.11ac, also known as Wi-Fi 5. “WiKI-Eve achieves 88.9% inference accuracy for individual keystrokes and up to 65.8% top-10 accuracy for stealing passwords of mobile applications,” the researchers said.
These findings are particularly alarming because, according to NordPass, the most common password people used in 2022 was “123456” — a basic, numerical password.
“Our results expose critical vulnerabilities in widely-used applications (e.g., WeChat) and hence underscore an urgent need for enhanced security measures against such risks,” the paper warned.
Passwords Can Be Stolen While Being Typed
The researchers elaborated on the mechanism that WiKI-Eve employs: adversarial learning. This is a technique in machine learning where two neural networks, one generating data and the other evaluating it, compete to improve the quality of the generated data — in this case, it is leveraged for malicious purposes.
This framework allows the attack to adapt and target different types of passwords, even those entered in applications like WeChat — which the researchers used as a case study.
The researchers conducted 50 experiments to guess the passwords of WeChat accounts. Looking at the top five passwords WiKI-Eve generated in each scenario, they found its accuracy was 50 percent.
“These experiments evidently demonstrate the practicality of WiKI-Eve in real-world scenarios,” the paper said.
The researchers also examined how factors like typing speed and distance from the Wi-Fi access point influence the success of an attack. “WiKI-Eve still achieves sufficiently good performance in fast typing case with speed from [1.5, 2.0] cps,” the paper noted, highlighting the attack’s effectiveness across varying conditions.
This is not the first research to highlight major Wi-Fi risks. In June 2022, a group of researchers from the University of Hamburg, Germany, revealed that Wi-Fi probe requests can be used to track and compromise users and their devices. In another example, in October 2021, an Israeli researcher cracked 70 percent of Tel Aviv’s Wi-Fi networks from the street.
And in December 2022, a paper by researchers at Carnegie Mellon University revealed that basic Wi-Fi routers can be used to detect and perceive the poses and positions of humans and map their bodies clearly in three dimensions.
Protecting Yourself From Wi-Fi Vulnerabilities
To defend yourself against the vulnerabilities exposed by WiKI-Eve, the paper lays out several defense strategies. The most direct method is encrypting internet data traffic, particularly on public Wi-Fi. “The most direct defense strategy is to encrypt data traffic, hence preventing attackers from obtaining BFI in clear text,” the paper said. BFI is the beamforming feedback information that an 802.11ac device sends back to the access point unencrypted, which is what WiKI-Eve reads to infer keystrokes.
Another proposed solution is keyboard randomization. In this approach, the layout of the keyboard changes randomly whenever a user tries to enter a password. “One may consider keyboard randomization as an indirect defense strategy,” the paper noted.
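To show why keyboard randomization helps, here is an added simulation that is not from the paper or this article. It assumes a simplified attacker that recovers each tapped key position independently with the page's reported 88.9 percent per-key accuracy and then reads digits off the standard keypad; the PIN “123456” is taken from the NordPass figure quoted above.

```python
import random

DIGITS = "0123456789"


def fixed_layout():
    """Conventional keypad: position i always carries digit i."""
    return list(DIGITS)


def randomized_layout(rng):
    """Defense described in the paper: reshuffle which digit sits at
    each position every time a password is entered."""
    layout = list(DIGITS)
    rng.shuffle(layout)
    return layout


def type_pin(pin, layout):
    """Positions the user taps to enter `pin` on the given layout."""
    return [layout.index(ch) for ch in pin]


def eavesdropper_guess(positions, per_key_accuracy, rng):
    """Simulated keystroke-inference attacker (assumed model): each tapped
    position is recovered with probability `per_key_accuracy`, otherwise a
    wrong position is seen. The attacker never learns a randomized layout,
    so it maps positions to digits using the fixed layout."""
    default = fixed_layout()
    guess = []
    for pos in positions:
        if rng.random() < per_key_accuracy:
            seen = pos
        else:
            seen = rng.choice([p for p in range(10) if p != pos])
        guess.append(default[seen])
    return "".join(guess)


def recovery_rate(pin, randomize, trials=20000, per_key_accuracy=0.889, seed=1):
    """Fraction of entries in which the attacker recovers the whole PIN."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        layout = randomized_layout(rng) if randomize else fixed_layout()
        positions = type_pin(pin, layout)
        if eavesdropper_guess(positions, per_key_accuracy, rng) == pin:
            hits += 1
    return hits / trials
```

With a fixed keypad the attacker recovers the six-digit PIN in roughly 0.889^6, about half of the entries; with a per-entry shuffled layout the recovered positions carry no information about the digits, so full recovery drops to essentially zero.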
The researchers also explored advanced defense strategies like signal obfuscation (scrambling). This method uses the router's own antennas to deliberately perturb the Wi-Fi channel so that the channel information an attacker observes no longer reflects the user's keystrokes. “We suggest to exploit MIMO (multiple-in multiple-out) technology adopted by Wi-Fi hardware to scramble Wi-Fi channels,” the researchers said. While this strategy would require hardware or firmware changes, it does present a promising path for future Wi-Fi security enhancements.
We strongly advise against using basic, numerical passwords. Instead, we recommend creating an alphanumeric password and also including special characters. Read our guide to creating a secure password to learn how to create stronger passwords.
“Currently, the accuracy of attacking alphanumeric passwords is not high, and the accuracy decreases in the password length even for numerical passwords. So I guess using more complicated passwords, at least longer ones, could be a makeshift for now,” Jun Luo, one of the researchers behind the study, told VPNOverview.
