Moral of this (and every other) story: Never, ever connect to a free, public wifi.

ETA: This was meant to be glib, given the frequency of such stories seen on HN, and the many children below are quite correctly pointing out that the real moral is https://news.ycombinator.com/item?id=13645694



It would seem that that's not the moral of the story: it looks like your device doesn't even have to connect to the wifi. It appears that this is more like using wifi as radar to detect finger movements.


Real moral of the story: Read the article before commenting.


Yes, I think a passive listener in promiscuous mode would work. And more listeners located around the room would be even better, if their signals could be very precisely correlated in time.

In more detail: CSI is available to the _receiver_ of the wifi packet. In other words:

• Your phone can determine CSI for all AP broadcasts. (Useful for indoor positioning)

• The AP can determine CSI for any packet sent to it. Thus your phone would have to be associated. (Or, at least trying to associate.)

• A passive listener in promiscuous mode should still work -- maybe -- though I couldn't say for certain. The CSI value would not be identical to what the AP receives since the listener is in a different physical location and is not synchronized to the AP. The CSI data is In-phase and Quadrature values which can only be interpreted in relation to the clock that is being used to sample the radio signal. But maybe this approach manages to get around clock sync issues somehow.

• If your finger locations change without any wifi packet transmission, there is no way to detect that.

I'd say the best mitigation is to turn off wifi while typing your password. Then turn it on just before hitting "Submit" or "Enter" or whatever.


So then it's probably a pretty good idea to randomize the number keypad for the lock screen, which I do. Does this defeat that? I can't think of a way it does...


The paper focused on an attack against a payment system, not the lock screen, so you'd need to randomize every password input keyboard at the system level.

Probably not a bad idea...
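The system-level keypad randomization discussed above, as an added example (not code from anyone in this thread): a CSPRNG reshuffles the digit layout for every password prompt, so a side channel that only recovers tap positions (as CSI-based inference would) cannot be mapped back to digits without the one-time layout. The keypad size and function names are assumptions.

```python
import secrets
from typing import List

# Constructed example: a 10-digit phone keypad whose digit-to-position
# mapping is regenerated for each authentication prompt.

DIGITS = "0123456789"
_rng = secrets.SystemRandom()   # backed by os.urandom, not a seeded PRNG


def random_layout() -> List[str]:
    """Return the ten digits in a fresh random order (position i -> digit)."""
    layout = list(DIGITS)
    _rng.shuffle(layout)        # Fisher-Yates shuffle driven by the CSPRNG
    return layout


def positions_for_pin(pin: str, layout: List[str]) -> List[int]:
    """Key positions a user taps to enter `pin` on the given layout."""
    pos = {digit: i for i, digit in enumerate(layout)}
    return [pos[c] for c in pin]


def observer_guess(positions: List[int], assumed_layout: List[str]) -> str:
    """What an observer who sees only tap positions infers, given the
    layout they *assume* was on screen."""
    return "".join(assumed_layout[p] for p in positions)


def distinct_position_sequences(pin: str, trials: int) -> int:
    """How many different tap-position sequences the same PIN produces
    across `trials` prompts; with a fixed layout this would be 1."""
    seen = {tuple(positions_for_pin(pin, random_layout())) for _ in range(trials)}
    return len(seen)


if __name__ == "__main__":
    fixed = list(DIGITS)
    taps = positions_for_pin("2580", fixed)
    print("fixed layout, observer recovers:", observer_guess(taps, fixed))
    layout = random_layout()
    taps = positions_for_pin("2580", layout)
    print("random layout, observer assuming fixed:", observer_guess(taps, fixed))
    print("distinct sequences over 200 prompts:", distinct_position_sequences("2580", 200))
```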


Another option would be to use thumbprints for all authorizations after the device is unlocked.


How do you randomize the keypad? Is it possible on iPhone?


I think that wifi devices only send a sounding packet when requested from the AP. You need to know you are capturing a sounding packet to determine CSI (or have it sent explicitly by the receiver, aka explicit beamforming).


If you're that paranoid, you might want to also keep in mind that it would be far more reliable to shoulder surf via video surveillance. As a bonus, it even works with radios disabled.



