Researchers from the University of California, Santa Barbara, and the University of Chicago have published a paper which identifies the risk of bad actors using smartphones’ WiFi signals to “see” through walls and surreptitiously track humans in their private rooms and offices. The paper also proposes methods to defend against such malicious monitoring.

Researchers examined the problem of adversarial WiFi sensing and the potential risk to people’s personal privacy resulting from the widespread deployment of wireless devices and the information about users’ location, movement, and other physiological properties that WiFi transmissions carry. Researchers list the paper’s four primary contributions:

Identify the risks to location privacy from human body’s blockage and reflections of ambient WiFi signals.

Proposed a two-step algorithm for adversarial localization and tracking of unsuspecting moving targets across rooms.

Implemented a prototype of the attacker system on commodity smartphones, and show (using real-world measurements) that the attack is feasible and accurate in 11 different settings, including both office buildings and residential apartments.

Propose and evaluate three different possible defenses, including geo-fencing WiFi signals, rate limiting WiFi signals, and signal obfuscation.

The research team generated a two-step method for their attack model:

Localizing Anchors inside the Target Building. Continuous Target Monitoring.

In the first step, researchers identified “Anchor Devices,” which could be any WiFi transmitter such as routers, laptops, or IoT devices like voice assistants. They used the correlation between received signal strength (RSS) of sniffed WiFi packets and the distance between the anchor and the sniffer to estimate the anchor location. Attackers could thus receive transmissions from identified anchor devices and conduct localizing measurements from outside the target room, office or building.

Attack scenarios in a doctor’s office.

In the second step, the attack model used a fixed WiFi sniffer located outside of the target human’s home/office for continuous monitoring of WiFi transmissions. When the target moves, their body will block or reflect WiFi signals from anchor devices the same room and trigger variations in the signals being monitored by the attack model, which can then leverage this data to infer the target’s location in the room.

Localization results from Monte Carlo sampling. Each red dot is the estimated anchor location from a sample; the rectangle marks the room of the anchor.

To test the effectiveness of the Step 1 attack, researchers set up 11 real world test scenarios to process RSS traces and find and locate stationary WiFi devices. The model showed 40 percent accuracy when the team “blindly” fed in RSS measurements. Accuracy rose to 90 percent when the paper’s data sifting method was used.

In the step 2 attack experiments, the attack model was used to detect the presence of the target human in the room. Accuracy increased corresponding to the number of local anchor devices the system was monitoring: 87.8 percent with one anchor device, 98.5 percent with two, and 99.8 percent with three anchor devices.

Proposed methods for defending against such attacks focus on reducing the quantity and quality of the WiFi signals captured by the sniffer. Geo-fencing WiFi signals involves either reducing signal strength or making it more directional, both of which have the downside of negatively affecting the user’s own connectivity. Rate limiting WiFi signals can help defend against attacks by reducing the frequency of WiFi transmissions, but this measure is not effective with IoT devices which must make frequent transmissions.

Signal obfuscation meanwhile involves adding noises to WiFi signals in temporal or spatial forms. The advantage of this defence is that it can be easily deployed by WiFi APs that support transmit power adaptation on the fly, and no firmware or hardware changes are needed for individual WiFi devices. One downside here is the extra bandwidth and energy consumption. Researchers plan to work on developing more efficient AP obfuscation strategies.

The paper Adversarial WiFi Sensing is on arXiv.