1. Introduction
Wireless charging, particularly the Qi standard, has become ubiquitous in modern smartphones. This paper introduces a novel, contactless side-channel attack named WISERS (WIreless chargER Sensing system). Unlike prior attacks requiring physical access or compromised devices, WISERS leverages two inherent physical phenomena—coil whine and magnetic field perturbations—emitted during wireless power transfer to infer fine-grained user interactions on a charging smartphone, such as passcode entry and app launches.
2. The WISERS Attack Framework
WISERS operates by correlating changes in smartphone power draw (triggered by screen content changes during user input) with measurable physical emissions from the charger's induction coil.
2.1 Physical Phenomena Exploitation
- Coil Whine: Audible noise caused by magnetostriction and piezoelectric effects in the coil due to alternating current (AC) fluctuations.
- Magnetic Field Perturbation: Changes in the local magnetic field strength and pattern caused by varying current in the charger's coil, as described by Ampere's Law.
2.2 Three-Stage Attack Process
- Sensing & Configuration: Measures ambient features (e.g., initial battery level) to calibrate the attack.
- Inter-Interface Switch Inference: Uses patterns in coil whine to detect transitions between different phone screens/interfaces.
- Intra-Activity Inference: Analyzes magnetic field perturbations to discern specific actions within an interface (e.g., keystrokes on a soft keyboard).
Key Performance Metrics
- Attack Accuracy: >90.4% for inferring sensitive information (e.g., passcodes).
- Effective Range: Up to 20cm (8 inches) from the target.
- Battery Level Threshold: Effective even when battery is below 80%, overcoming a key limitation of prior work.
3. Technical Details & Mathematical Model
The core physical principle is Ampere's Force Law. The force ($\vec{F}$) on a current-carrying conductor (the coil) in a magnetic field is:
$\vec{F} = I (\vec{L} \times \vec{B})$
Where $I$ is the current, $\vec{L}$ is the length vector of the conductor, and $\vec{B}$ is the magnetic field. User interactions change the smartphone's power draw ($\Delta I$), altering the current in the charger coil. This change in $I$ modulates the force $\vec{F}$, causing minute physical vibrations (coil whine) and perturbations in the emitted magnetic field $\vec{B}$.
The attack essentially performs a cross-modal signal analysis, mapping these physical signal modulations ($S_{whine}(t)$, $S_{mag}(t)$) back to the causative user interaction events ($E_{user}$).
4. Experimental Results & Evaluation
Extensive tests were conducted using popular smartphones and Commercial Off-The-Shelf (COTS) wireless chargers.
4.1 Accuracy & Performance Metrics
The system demonstrated high accuracy in inferring discrete and continuous inputs:
- Screen Unlock Passcodes: Inference accuracy exceeded 90.4% for numeric PINs.
- App Launch Detection: High success rate in identifying which application was opened from the home screen.
- Keystroke Timing: Able to discern timing patterns between key presses on soft keyboards.
Chart Description: A hypothetical bar chart would show "Attack Success Rate (%)" on the Y-axis against "Type of Inferred Information" (Passcode, App Launch, Keystroke) on the X-axis, with all bars above the 90% mark.
4.2 Resilience to Impact Factors
WISERS was tested against various confounding factors and showed resilience to:
- Different smartphone models and charger brands.
- Varying ambient noise levels (for acoustic sensing).
- Presence of other electronic devices causing minor magnetic interference.
5. Analysis Framework & Case Example
Scenario: Inferring a 4-digit PIN during screen unlock.
- Signal Acquisition: An attacker's device (e.g., another smartphone with appropriate sensors) placed within 20cm records audio (via microphone) and magnetic field data (via magnetometer) during the victim's unlock attempt.
- Feature Extraction: The audio signal is processed to isolate the coil whine component. The magnetic data is filtered to highlight perturbations in the low-frequency range corresponding to power draw changes.
- Pattern Matching & Inference: The system correlates the extracted signal features with a pre-trained model. Four distinct "bursts" of magnetic perturbation, each paired with a specific acoustic signature change, are identified and mapped to the four digit-presses of the PIN. The sequence and timing reveal the passcode.
6. Core Insight & Analyst's Perspective
Core Insight: WISERS isn't just another side-channel; it's a stark demonstration of the physicality of digital security. It weaponizes the fundamental, unavoidable physics of electromagnetic induction—a process designed for convenience—into a potent surveillance tool. The attack's elegance lies in its passivity; it doesn't inject malware or intercept data, it simply listens and feels the device's physical conversation with its charger.
Logical Flow: The research logic is impeccable. It starts from a well-known engineering nuisance (coil whine) and a fundamental law (Ampere's Law), observes their modulation by system load, and rigorously traces this modulation back to user-induced load changes. The three-stage framework cleanly separates the problem: calibration, macro-context (screen switches), and micro-context (keystrokes). This modularity is reminiscent of successful attack frameworks in other domains, like the systematic approach to cache-based side channels outlined in works like "Cache-timing attacks on AES" by Bernstein.
Strengths & Flaws: The strength is its terrifying practicality—using COTS hardware, requiring no device compromise, and working under previously safe assumptions (battery >80%). Its flaw, however, is its current reliance on proximity (~20cm). While a major threat in crowded cafes or offices, it's not a remote internet-scale exploit. Yet, this is a feature, not a bug, for targeted espionage. A more critical flaw is the evaluation's focus on controlled settings. Real-world environments with multiple simultaneously charging devices or strong ambient magnetic fields (e.g., near industrial equipment) could significantly degrade performance, a challenge also faced by other sensory side-channels like acoustic keyboard attacks.
Actionable Insights: For the security community, this is a five-alarm fire for the IoT and mobile industry. Mitigations must move beyond software. Hardware designers need to treat electromagnetic and acoustic side-channel resistance as a design requirement. Potential countermeasures include: (1) Active Noise Cancellation: Embedding actuators in chargers to emit anti-phase signals to cancel coil whine. (2) Power Load Obfuscation: Introducing random, minimal fluctuations in power draw during idle periods to mask user-induced changes, similar to traffic shaping in network anonymity systems like Tor. (3) Shielding: Incorporating magnetic shielding materials in charger casings, though this may impact efficiency. Standard-setting bodies such as the Wireless Power Consortium (WPC) must urgently update Qi specifications to include side-channel leakage tests.
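The following simulation of countermeasure (2) is an added example, not code from the WISERS paper. It runs a constructed coil-current trace with four key-press load bumps through a simple threshold burst counter, before and after random dummy load pulses are injected. The trace shape, bump size, noise level, and injection rate are assumptions chosen for illustration.

```python
import random
import statistics

WIDTH = 12     # samples per load bump (assumed)
BUMP = 0.10    # extra coil current per screen update, arbitrary units (assumed)

def synth_trace(n=2000, presses=(300, 700, 1100, 1500), seed=1):
    """Constructed coil-current trace: idle baseline plus one bump per key press."""
    rng = random.Random(seed)
    trace = [1.0 + rng.gauss(0, 0.005) for _ in range(n)]
    for start in presses:
        for i in range(start, start + WIDTH):
            trace[i] += BUMP
    return trace

def obfuscate(trace, rate=0.02, seed=2):
    """Inject dummy load pulses, shaped like real bumps, at random times."""
    rng = random.Random(seed)
    out, i = list(trace), 0
    while i < len(out) - WIDTH:
        if rng.random() < rate:
            for j in range(i, i + WIDTH):
                out[j] += BUMP
            i += WIDTH          # a decoy never starts inside another decoy
        else:
            i += 1
    return out

def count_bursts(trace, threshold=BUMP / 2):
    """Observer model: count separate runs that rise above the idle median."""
    base = statistics.median(trace)
    bursts, inside = 0, False
    for x in trace:
        above = (x - base) > threshold
        if above and not inside:
            bursts += 1
        inside = above
    return bursts

def overhead(clean, masked):
    """Fraction of extra charge drawn to pay for the decoys."""
    return (sum(masked) - sum(clean)) / sum(clean)

if __name__ == "__main__":
    clean = synth_trace()
    masked = obfuscate(clean)
    print("bursts visible without masking:", count_bursts(clean))
    print("bursts visible with masking:   ", count_bursts(masked))
    print("energy overhead: %.1f%%" % (100 * overhead(clean, masked)))
```

Decoys only mask input if an observer cannot tell them from real bumps, which is why both use the same `WIDTH` and `BUMP` here; the overhead figure is the efficiency cost a charger or phone vendor would have to weigh.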
7. Future Applications & Research Directions
- Extended Range Sensing: Research into more sensitive sensors (e.g., high-precision magnetometers) or signal amplification techniques to increase the effective attack distance.
- Cross-Device Inference: Exploring if the magnetic "footprint" is unique enough to identify specific app usage or even website browsing activity within a browser.
- Defensive Machine Learning: Developing on-device or on-charger ML models that can detect the characteristic signal patterns of an ongoing WISERS-like snooping attempt and trigger an alert or countermeasure.
- Broader Target Scope: Applying the same principles to other wirelessly charged devices like true wireless earbuds, smartwatches, or even future laptops, which may have richer user interfaces.
- Integration with Other Side Channels: Fusing data from this side channel with others (e.g., power analysis from the mains, thermal emissions) for more robust and detailed user profiling, a multi-modal approach gaining traction in side-channel research.
8. References
- Wireless Power Consortium. "The Qi Wireless Power Standard." [Online]. Available: https://www.wirelesspowerconsortium.com/
- Bernstein, D. J. (2005). "Cache-timing attacks on AES."
- Genkin, D., Shamir, A., & Tromer, E. (2014). "RSA key extraction via low-bandwidth acoustic cryptanalysis." In Advances in Cryptology – CRYPTO 2014.
- Zhu, J., Park, T., Isola, P., & Efros, A. A. (2017). "Unpaired image-to-image translation using cycle-consistent adversarial networks." In Proceedings of the IEEE International Conference on Computer Vision. (CycleGAN)
- National Institute of Standards and Technology (NIST). "Side-Channel Attack Testing Methodologies." [Online]. Available: https://csrc.nist.gov/
- Zhang, Y., et al. (2023). "WISERS: A Contactless and Context-Aware Side-Channel Attack via Wireless Charging." In Proceedings of the ... IEEE Symposium on Security and Privacy. (The source paper analyzed.)