- Joined
- 31.10.19
- Messages
- 1,634
- Reaction score
- 5,432
- Points
- 113
The density of WiFi hotspots in cities has reached such a level that it allows deployment of a mass surveillance system identifying every person who walks past an access point, even if they do not carry a mobile phone. Researchers from the Karlsruhe Institute of Technology (KIT) published a scientific paper with a technical description of such a system. A mass surveillance system uses the beamforming technique, which appeared in the WiFi 5 (802.11ac) communication standard adopted in 2013–2014. As reported on Habr, the technology was refined only in the sixth generation, WiFi 6 (802.11ax).
Beamforming
Beamforming, also known as spatial filtering, is a signal processing technique for directional transmission and reception of signals. As stated in marketing materials, the router no longer lights up in all directions, but follows the user with a beam.
From a technical perspective, a directed beam is created by combining elements in an antenna array such that signals at certain angles experience constructive interference while others experience destructive interference. As a result, a beam pattern arises, which provides a qualitative signal improvement compared to omnidirectional reception/transmission. Beamforming is used for spatial selectivity at both the transmitter and the receiver. The technique has found numerous applications in radar, sonar, seismology, wireless communications, radio astronomy, acoustics and biomedicine.
Person identification via WiFi Signal
As they propagate, radio waves interact with objects in various ways - they pass through, reflect, are absorbed, polarized, diffracted (bend around an object), scattered or refracted. By comparing the expected signal with the received one, one can estimate interference and use it for error correction. However, this estimate inherently contains information about the environment through which the signal passed. For example, the appearance of a person in the path of the waves will increase the amount of disturbance. By carefully analyzing the signal’s interference with the surrounding environment, one can infer certain aspects of that environment. For instance, whether people are present, what actions they are performing and who they are. These surveillance methods have evolved into a separate research field called WiFi Sensing. Although most of the existing literature focuses on the benefits of WiFi Sensing, privacy threats are obvious. With activity recognition and ubiquitous WiFi hotspots, sensitive information can be collected. For example, identifying a person within the hotspot’s coverage area - and continuing to track them. Person identification based on WiFi can be implemented using various approaches, including analysis of Channel State Information (CSI), which is transmitted by the WiFi protocol at the physical layer.
*comparison of person identification methods based on CSI.
CSI is a rich source of information for various WiFi Sensing applications, but accessing this information requires modified firmware that is available only for certain hardware. To enable higher throughput in WiFi 5 (802.11ac) they implemented beamforming. It uses information about the physical environment similar to CSI, but on the transmitter side rather than the receiver side. In a typical scenario, clients send beamforming feedback information back to the access point - is a compressed representation of the current signal characteristics. The key difference from CSI is that BFI is transmitted back to the access point in plaintext. Thus, this information can be easily accessed with commodity equipment, lowering the barrier for development and deployment of real-world applications but making it easier for attackers to craft and execute attacks.
*comparison of WiFi Sensing methods based on BFI.
Given that the IEEE consortium plans to standardize WiFi sensors for broad use in 802.11bf without any privacy protections, privacy risks are particularly increasing. Researchers from KIT showed that people can be identified exclusively from BFI information, even if the person didn't take a mobile phone with them. The method doesn't rely on specialized equipment. It uses ordinary WiFi devices that are around and communicating with each other.
When radio waves traverse space and interact with people, they create characteristic patterns that can be captured and analyzed. The result is roughly similar to filming the surrounding space with a video camera.
WiFi routers as Silent Observers
"Technology turns every router into a potential means of surveillance”, says Julian Todt, one of the study’s authors. “If you regularly walk past a cafe that runs a WiFi network, you can be identified without notice, and later, for example, recognized by state authorities or commercial companies"
Of course, intelligence services and cybercriminals have simpler ways of surveillance - access to CCTV systems or video calls. However, ubiquitous wireless networks can become a new and almost all-encompassing surveillance infrastructure with one property - they are invisible and don't arouse suspicion. WiFi networks operate almost everywhere today: in most homes, offices, restaurants and public places. That means people can be tracked everywhere, including inside apartments. Unlike attacks relying on LIDAR sensors or earlier methods on reflections from walls, furniture or people, the new approach does not require specialized equipment. It's performed using a standard WiFi device. By collecting BFI data, images of people from different angles are generated, allowing their identification, i.e, determining the identity of each subject among hundreds of similar ones. After machine learning model training, the identification process takes several seconds.
*recognition accuracy depending on sampling frequency.
In a study with 197 participants the researchers were able to identify people with almost 100% accuracy, independent of angle or gait. However, this required rather long ML model training, including 20 preliminary passes of each person in the training sample. And tests were not conducted with two subjects simultaneously, only one at a time. So overall the experiment can be considered fairly synthetic, although the recognition accuracy is indeed impressive.
*recognition accuracy depending on gait (normal, with a backpack, carrying a box, fast).
The experiment used two TP-Link Archer BE800 routers, channels 37 and 85, the two lowest non-overlapping 160 MHz channels in the 6 GHz band available in WiFi 6E and Intel AX210 WiFi NICs.
*recognition accuracy depending on the number of subjects in the sample.
The researchers warn that the technology is powerful but potentially dangerous. This is especially critical in authoritarian states where it may be used for mass surveillance of the population. Therefore they strongly call for protective measures and privacy safeguards in the upcoming IEEE 802.11bf WiFi standard. In fact, the motion sensing feature in WiFi 6 is so reliable that new routers out of the box work as motion sensors, and this is even highlighted in advertising:
The WiFi Motion feature in new routers tracks activity in an apartment via a mobile app:
The scientific paper "BFId: Identity Inference Attacks Utilizing Beamforming Feedback Information" was published on November 22, 2025 in the proceedings of “CCS ’25: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security” (DOI: 10.1145/3719027.3765062), PDF.
