Researchers at the University of South Florida have discovered a new kind of cyberattack that could give hackers access to your digital passwords and personal information without using traditional malware.
This new class of cyberattacks, presented and published at the 2018 ACM SIGSAC Conference on Computer and Communications Security in Toronto, allows hackers to eavesdrop on someone’s typing. Traditionally, this type of intrusion requires the installation of malware – malicious software that infects the victim’s computer. Using a keylogger program within the malware, hackers are able to monitor and transmit typed information, such as passwords.
The new method, discovered by USF researchers Yao Liu, PhD, and Zhuo Lu, PhD, and their research teams, does not require the use of any malicious software or direct access to the victim’s computer. Instead, researchers say channel state information extracted from a WIFI signal is all attackers need to determine what you’re typing.
Liu says that hackers can set up a malicious WIFI network to attract potential victims or deploy a specialized monitoring device that can “listen in” while you type on a public network. When connected to a WIFI network, keyboard activity leaves a sort of digital footprint in the signal. Through machine-learning algorithms, the researchers in the USF Dept. of Computer Science & Engineering, and Electrical Engineering showed it’s possible to determine, with a high degree of accuracy, what was originally typed.
While this method of eavesdropping has been demonstrated before, previous techniques required a time-intensive training phase that made it extremely impractical. Now, through USF’s research, it’s clear that high-level hackers could in fact utilize the technique.
“For us as cyber security experts, understanding these attack angles are very important because it gives us the opportunity to defend against these attacks before they become problematic,” Liu said.
Researchers emphasize that this type of cyberattack is not something the general public should be overly concerned about. Instead, this research will act as a starting point for computer scientists developing different methods to defend against these types of attacks.