SpiderMon:Towards Using Cell Towers as Illuminating Sources for Keystroke Monitoring Kang Ling,Yuntang Liu,Ke Sun,Wei Wang,Lei Xie and Qing Gu State Key Laboratory for Novel Software Technology,Nanjing University [lingkang.yuntangliu,kesun)@smail.nju.edu.cn,[ww.Ixie,guq}@nju.edu.cn Abstract-Cellular network operators deploy base stations with a high density to ensure radio signal coverage for 4G/5G LTE base station 1723 networks.While users enjoy the high-speed connection provided by cellular networks,an adversary could exploit the dense cellular deployment to detect nearby human movements and 0 even recognize keystroke movements of a victim by passively listening to the CRS broadcast from base stations.To demonstrate this,we develop SpiderMon,the first attempt to perform passive continuous keystroke monitoring using the signal transmitted by commercial cellular base stations.Our experimental results show Attacker that SpiderMon can detect keystroke movements at a distance of 5-15m 15 meters and can recover a 6-digits PIN input with a success Figure 1.SpiderMon leverage cellular base stations as illuminating sources rate of more than 51%within ten trials when the victim is behind for passive keystroke monitoring. the wall. ating sources".Therefore,it is harder to detect these attackers I.INTRODUCTION since they do not transmit any signal.Second,cellular signals Keystroke inference attacks are extremely dangerous since have larger coverage areas than Wi-Fi signals.Compared to the attacker could infer the content or even passwords typed Wi-Fi APs that are mostly installed in buildings,cellular by the user through side-channels that can hardly be detected. signals cover both outdoor and indoor areas.Third,cellular Existing works have used videos [1],[2],Inertial Measurement BSs provide highly stable reference signal sources.Cellular Units (IMU)[3],[41.and sound signals [5]-9]in side-channel BSs use GPS-regulated oscillators and low-noise amplifiers attacks that effectively infer the keystroke sequence,see Table to generate Cell-Specific Reference Signal (CRS)at a regular I.Recently,researchers discovered that Wi-Fi radio signals can rate of up to 4,000 times per second,which are more stable in also be used as the medium for keystroke inference attacks both the phase and the amplitude than the signals generated by [10]-[13].However,most of these existing attack models are low-end Wi-Fi devices.Finally,Wi-Fi transmissions could be short-ranged or requires active signal transmission. easily blocked since they use Carrier-Sense Multiple Access In this paper,we first show that an attacker can passively (CSMA)protocols.However,it is against FCC regulations listen to the commercial 4G/5G signals and infer the keystroke to interfere with cellular transmissions.Thus,users cannot sequence of a victim at a distance of 15 meters(Figure 1).As protect themselves by transmitting an interfering signal,as cellular network operators are using high-density deployments suggested in PhyCloak [17]. to improve radio signal coverage for 4G/5G networks.such We develop SpiderMon',a system that performs long- attacks could be pervasive in the near future.Currently,for range keystroke monitoring using the signal transmitted by outdoor areas,macro/micro Base Stations (BSs)are deployed commercial cellular BSs.The design of SpiderMon faces three with a high density of more than 0.3 BS/km2 in urban regions technical challenges.First,capturing the subtle changes caused [14].For indoor areas,radio repeaters and femtocells are by the keystroke movements at a distance of 15 meters is chal- deployed in most buildings to improve the radio signal quality lenging.To address this challenge,we first use a directional [15].As envisioned by the Ultra-Dense Networks (UDN)in antenna to amplify the signal reflected by the victim,as well 5G networks,the distance between cellular access points could as reducing the interferences of nearby movements.We then be a few meters for indoor deployments and 50 meters for design a block Principal Component Analysis (PCA)algorithm outdoor deployments [16].While users enjoy the high-speed that further amplifies the signal by combining signals in connections provided by 4G/5G cellular networks,such dense different subcarriers.Second,it is challenging to infer the cellular deployment leads to severe information leakage issues keystroke sequence of a continuous typing process,where that most users are unaware of. the victim types in a natural manner by continuously moving The cellular signal is a new type of side-channel attack from one key to the next.Existing works treat each keystroke medium that could be more harmful than Wi-Fi signals.First, cellular-based attackers are passive listeners.They use the I We name the system as SpiderMon because it monitors the victim by the small disturbance of a time-frequency grid formed by LTE CRS as shown in signal transmitted by commercial cellular BSs as the "illumin- Figure 2(d),just as a spider that uses its web to detect the prey.SpiderMon: Towards Using Cell Towers as Illuminating Sources for Keystroke Monitoring Kang Ling, Yuntang Liu, Ke Sun, Wei Wang, Lei Xie and Qing Gu State Key Laboratory for Novel Software Technology, Nanjing University {lingkang,yuntangliu,kesun}@smail.nju.edu.cn, {ww,lxie,guq}@nju.edu.cn Abstract—Cellular network operators deploy base stations with a high density to ensure radio signal coverage for 4G/5G networks. While users enjoy the high-speed connection provided by cellular networks, an adversary could exploit the dense cellular deployment to detect nearby human movements and even recognize keystroke movements of a victim by passively listening to the CRS broadcast from base stations. To demonstrate this, we develop SpiderMon, the first attempt to perform passive continuous keystroke monitoring using the signal transmitted by commercial cellular base stations. Our experimental results show that SpiderMon can detect keystroke movements at a distance of 15 meters and can recover a 6-digits PIN input with a success rate of more than 51% within ten trials when the victim is behind the wall. I. INTRODUCTION Keystroke inference attacks are extremely dangerous since the attacker could infer the content or even passwords typed by the user through side-channels that can hardly be detected. Existing works have used videos [1], [2], Inertial Measurement Units (IMU) [3], [4], and sound signals [5]–[9] in side-channel attacks that effectively infer the keystroke sequence, see Table I. Recently, researchers discovered that Wi-Fi radio signals can also be used as the medium for keystroke inference attacks [10]–[13]. However, most of these existing attack models are short-ranged or requires active signal transmission. In this paper, we first show that an attacker can passively listen to the commercial 4G/5G signals and infer the keystroke sequence of a victim at a distance of 15 meters (Figure 1). As cellular network operators are using high-density deployments to improve radio signal coverage for 4G/5G networks, such attacks could be pervasive in the near future. Currently, for outdoor areas, macro/micro Base Stations (BSs) are deployed with a high density of more than 0.3 BS/km2 in urban regions [14]. For indoor areas, radio repeaters and femtocells are deployed in most buildings to improve the radio signal quality [15]. As envisioned by the Ultra-Dense Networks (UDN) in 5G networks, the distance between cellular access points could be a few meters for indoor deployments and 50 meters for outdoor deployments [16]. While users enjoy the high-speed connections provided by 4G/5G cellular networks, such dense cellular deployment leads to severe information leakage issues that most users are unaware of. The cellular signal is a new type of side-channel attack medium that could be more harmful than Wi-Fi signals. First, cellular-based attackers are passive listeners. They use the signal transmitted by commercial cellular BSs as the “illuminLTE base station Attacker Figure 1. SpiderMon leverage cellular base stations as illuminating sources for passive keystroke monitoring. ating sources”. Therefore, it is harder to detect these attackers since they do not transmit any signal. Second, cellular signals have larger coverage areas than Wi-Fi signals. Compared to Wi-Fi APs that are mostly installed in buildings, cellular signals cover both outdoor and indoor areas. Third, cellular BSs provide highly stable reference signal sources. Cellular BSs use GPS-regulated oscillators and low-noise amplifiers to generate Cell-Specific Reference Signal (CRS) at a regular rate of up to 4,000 times per second, which are more stable in both the phase and the amplitude than the signals generated by low-end Wi-Fi devices. Finally, Wi-Fi transmissions could be easily blocked since they use Carrier-Sense Multiple Access (CSMA) protocols. However, it is against FCC regulations to interfere with cellular transmissions. Thus, users cannot protect themselves by transmitting an interfering signal, as suggested in PhyCloak [17]. We develop SpiderMon1 , a system that performs longrange keystroke monitoring using the signal transmitted by commercial cellular BSs. The design of SpiderMon faces three technical challenges. First, capturing the subtle changes caused by the keystroke movements at a distance of 15 meters is challenging. To address this challenge, we first use a directional antenna to amplify the signal reflected by the victim, as well as reducing the interferences of nearby movements. We then design a block Principal Component Analysis (PCA) algorithm that further amplifies the signal by combining signals in different subcarriers. Second, it is challenging to infer the keystroke sequence of a continuous typing process, where the victim types in a natural manner by continuously moving from one key to the next. Existing works treat each keystroke 1We name the system as SpiderMon because it monitors the victim by the small disturbance of a time-frequency grid formed by LTE CRS as shown in Figure 2(d), just as a spider that uses its web to detect the prey