Security News > 2023 > September > New WiKI-Eve attack can steal numerical passwords over WiFi
A new attack dubbed 'WiKI-Eve' can intercept the cleartext transmissions of smartphones connected to modern WiFi routers and deduce individual numeric keystrokes at an accuracy rate of up to 90%, allowing numerical passwords to be stolen.
The team found that it's reasonably easy to identify numeric keystrokes 90% of the time, decipher 6-digit numerical passwords with an accuracy of 85%, and work out complex app passwords at an accuracy of roughly 66%. While this attack only works on numerical passwords, a study by NordPass showed that 16 out of 20 of the top passwords only used digits.
The WiKI-Eve attack is designed to intercept WiFi signals during password entry, so it's a real-time attack that must be carried out while the target actively uses their smartphone and attempts to access a specific application.
For six-digit numerical passwords, WiKI-Eve could infer them with an 85% success rate in under a hundred attempts, remaining consistently above 75% in all tested environments.
The researchers also experimented with retrieving user passwords for WeChat Pay, emulating a realistic attack scenario, and found that WiKI-Eve deduced the passwords correctly at a rate of 65.8%. The model consistently predicted the correct password within its top 5 guesses in over 50% of the 50 tests conducted.
Chrome extensions can steal plaintext passwords from websites.