This damaging cyberattack could steal your passwords over Wi-Fi

Wi-Fi 6E provides lightning-fast and stable internet in the home (Image credit: Shutterstock / Vasin Lee)

A new cyberattack that is being called WiKI-Eve has been observed stealing certain passwords over Wi-Fi with a 90% success rate in most modern routers built since 2013.

The attack exploits a vulnerability in the beamforming feedback information (BFI) technology that has graced our routers since the introduction of 802.11ac, otherwise known as Wi-Fi 5.

The research, which comes from academics belonging to two Chinese universities and one Singaporean university, demonstrates how hackers can ‘overhear,’ and thus intercept, the cleartext being transmitted between device and router.

Connected to Wi-Fi? Chances are, you may be at risk

According to the researchers, WiKI-Eve “achieves 88.9% inference accuracy for individual keystrokes and up to 65.8% top-10 accuracy for stealing passwords of mobile applications.”

A separate SafetyDetectives study shows 13 of the top 30 most commonly used passwords comprise just numbers, stating that “numeric patterns are worldwide favorites.”

The paper goes on to call WiKI-Eve “the first WiFi-based hack-free keystroke eavesdropping system,” adding that the device an attacker chooses to use can be as discreet as a mobile device whose Wi-Fi NIC supports monitor mode.

Describing a hypothetical situation in which a victim harmlessly connects to a public network, the researchers state that a password securely entered into a legitimate site is not as secure as one would hope, thanks to this vulnerability introduced with Wi-Fi 5 routers.

In a bid to demonstrate just how easy it is for an attacker to obtain information about a user, the team goes on to set up a real-world case study where they are able to access a set-up victim’s WeChat Pay information when using an iPhone, alluding to compromised credentials and even information about the digital payment.

While the theoretical and lab-grown examples produce alarming results, real-world executions of such attacks are fortunately less common. However, the study plays an important role in demonstrating the clear need for improved wireless security moving forward.


Craig Hale
