Is your WiFi spying on you?
 |
WiFi networks could pose significant privacy risks even to people who aren’t carrying or using WiFi-enabled devices, say researchers at the Karlsruhe Institute of Technology (KIT) in Germany. According to their analysis, the current version of the technology passively records information detailed enough to identify individuals moving through networks, prompting them to call for protective measures in the next iteration of Wi-Fi standards.
Although wireless networks are ubiquitous and highly useful, they entail privacy and security risks. One such risk stems from a phenomenon known as WiFi sensing, which the researchers at KIT’s Institute of Information Security and Dependability (KASTEL) define as “the inference of information about the networks’ environment from its signal propagation characteristics”.
“As signals propagate through matter, they interfere with it – they are either transmitted, reflected, absorbed, polarized, diffracted, scattered, or refracted,” they write in their study, which is published in the Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security (CCS ’25). “By comparing an expected signal with a received signal, the interference can be estimated and used for error correction of the received data.”
An under-appreciated consequence, they continue, is that this estimation contains information about any humans who may have unwittingly been in the signal’s path. By carefully analysing the signal’s interference with the environment, they say, “certain aspects of the environment can be inferred” – including whether humans are present, what they are doing, and even who they are.
“Identity inference attack” is a threat
The KASTEL team terms this an “identity inference attack” and describes it as a threat that is both widespread and serious. “This technology turns every router into a potential means for surveillance,” says Julian Todt, who co-led the study with his KIT colleague Thorsten Strufe. “For example, if you regularly pass by a café that operates a WiFi network, you could be identified there without noticing it and be recognized later, for example, by public authorities or companies.”
While Todt acknowledges that security services, cybercriminals, and others do have much simpler ways of tracking individuals – for example, by accessing data from CCTV cameras or video doorbells – he argues that the ubiquity of wireless networks lends itself to being co-opted as a near-permanent surveillance infrastructure. There is, he adds, “one concerning property” about wireless networks: “They are invisible and raise no suspicion.”
The identity of individuals could be extracted using a machine-learning model
Although the possibility of using WiFi networks in this way is not new, most previous WiFi-based security attacks have relied on analysing so-called channel state information (CSI). These data indicate how a radio signal changes upon reflection from walls, furniture, people, or animals. However, the KASTEL researchers note that the latest Wi-Fi standard, known as Wi-Fi 5 (802.11ac), alters the landscape by enabling a new, potentially easier form of attack based on beamforming feedback information (BFI).
While beamforming uses similar information to CSI, Todt explains that it does so on the sender’s side rather than the receiver’s. This means that a BFI-based surveillance method would require only standard devices connected to the Wi-Fi network. “The BFI could be used to create images from different perspectives that might then serve to identify persons that find themselves in the WiFi signal range,” Todt says. “The identity of individuals passing through these radio waves could then be extracted using a machine-learning model. Once trained, this model would make an identification in just a few seconds.”
In their experiments, Todt and colleagues studied 197 participants as they walked through a Wi-Fi field while being simultaneously recorded using CSI and BFI from four angles. The participants had five different “walking styles” (such as walking normally and while carrying a backpack) as well as different gaits. The researchers found that they could identify individuals with nearly 100% accuracy, regardless of recording angle or individual walking style (gait).
“Risks to our fundamental rights”
“The technology is powerful, but at the same time entails risks to our fundamental rights, especially to privacy,” says Strufe. He warns that authoritarian states could use the technology to track demonstrators and members of opposition groups, prompting him and his colleagues to “urgently call” for protective measures and privacy safeguards to be included in the forthcoming IEEE 802.11bf WiFi standard.
“The literature on all novel sensing solutions highlights their utility for various novel applications,” says Todt, “but the privacy risks that are inherent to such sensing are often overlooked, or worse, these sensors are claimed to be privacy-friendly without any rationale for these claims. As such, we feel it necessary to point out the privacy risks that novel solutions such as WiFi sensing bring with them.”
The researchers propose developing approaches to mitigate the risk of identity inference attacks. However, they recognize that this will be difficult, as such attacks exploit the physical properties of the wireless signal. “Ideally, we would influence the WiFi standard to contain privacy-protections in future versions,” says Todt, “but even the impact of this would be limited as there are already millions of WiFi devices out there that are vulnerable to such an attack.”
Isabelle Dumé is a contributing editor to Physics World
from physicsworld.com 12/12/2025
Δεν υπάρχουν σχόλια:
Δημοσίευση σχολίου