The contact-free sensing nature of Wi-Fi has been leveraged to achieve privacy breaches, yet existing attacks relying on Wi-Fi CSI (channel state information) demand hacking Wi-Fi hardware to obtain the desired CSI. Since such hacking has proven prohibitively hard due to compact hardware, its feasibility in keeping up with fast-developing Wi-Fi technology becomes very questionable. To this end, we propose WiKI-Eve to eavesdrop keystrokes on smartphones without the need for hacking. WiKI-Eve exploits a new feature, BFI (beamforming feedback information), offered by the latest Wi-Fi hardware: since BFI is transmitted from a smartphone to an AP in cleartext, it can be overheard (hence eavesdropped) by any other Wi-Fi device that switches to monitor mode. As existing keystroke inference methods offer very limited generalizability, WiKI-Eve further innovates with an adversarial learning scheme that makes its inference generalizable to unseen scenarios. We implement WiKI-Eve and conduct an extensive evaluation of it; the results demonstrate that WiKI-Eve achieves 88.9% inference accuracy for individual keystrokes and up to 65.8% top-10 accuracy for stealing passwords of mobile applications (e.g., WeChat).