Description
Inferring which keys a user is typing on a keyboard from CSI fluctuations caused by finger and hand motion above the keys. The problem is the canonical worst-case privacy demonstration for WiFi sensing: a modest commodity NIC can recover keystrokes with surprisingly high per-key accuracy from across the room without the user's knowledge. It is niche in volume of follow-up work but heavily cited as evidence that "wireless sensing" is also "wireless side-channel attack".
Why it's hard (and why that matters)
- Keystrokes are sub-second, low-energy events — recovery requires fine CSI temporal resolution.
- Cross-keyboard, cross-user, and cross-environment transfer is poor in defensive terms (good for the user) and an active research problem in offensive terms.
- The problem demonstrates that any deployed CSI-sensing system could be repurposed as a side-channel, which constrains acceptable deployments.
- Mitigations (jammers, randomized typing, physical shielding) are awkward; the simplest defense is to disable CSI extraction at the AP.
Common approaches
- CSI amplitude-and-phase per-key fingerprinting with classical classifiers.
- Per-keyword recovery using language priors over recovered key sequences.
- Channel-feature engineering tuned to the upper-band keystroke frequency.