Skip to content
Naked Security Naked Security

Closed doors are no match for a Wi‑Fi peeping tom and a smartphone

Researchers have found that a smartphone and some smart number crunching can track people moving in their homes as they reflect radio waves.

Wherever people are these days, there are wireless transmissions, be it GPS, AM/FM, or Wi-Fi.
If you’re in a home, at the office, or walking down the street, you’re being bathed in signals, ranging in RF frequency from a few kilohertz to terahertz. Many of the invisible transmissions pass through us, while others bounce off.
It’s the signals that bounce off us that interest researchers, who’ve identified a way to use smartphones to see through walls, analyze reflected, ambient transmissions, and spy on people’s presence and movements in their own homes or offices.
This might sound familiar: MIT researchers also used wireless transmissions three years ago to do the same thing. They created a device that can discern where you are and who you are, detecting gestures and body movements as subtle as the rise and fall of a person’s chest, from the other side of a house, through a wall, even though subjects were invisible to the naked eye.
Earlier systems had drawbacks, however. The MIT system, as well as earlier systems, required knowing the exact position of Wi-Fi transmitters and had to be logged in to the network so they could send known signals back and forth, according to MIT Technology Review.
For example, a system created by University of Utah researchers in 2009 involved a 34-node wireless network. You couldn’t exactly put MIT’s 2015 RF-Capture system into your pocket, either. Other drawbacks: the MIT system’s sensor was fussy. It required a person to be walking directly at it to function and had a tougher time picking up on somebody walking at an angle.


The latest in peeping tom technology is far different: it only requires a smartphone and some clever computation. A team of researchers headed up by Yanzi Zhu, at the University of California Santa Barbara, have demonstrated using a smartphone to successfully track people in 11 real-world locations, with “high accuracy.”
As the researchers describe in their recently published paper, titled Adversarial WiFi Sensing, their technique enables unprecedented invasion of privacy:

We believe that, by leveraging statistical data mining techniques, even a weak adversary armed with only passive off-the-shelf Wi-Fi receivers can perform invasive localization attacks against unsuspecting targets.

They suggest one attack scenario: thieves looking to break in to an office building. Specialized Wi-Fi hardware – devices such as directional antenna, antenna array, and Universal Software Radio Peripheral (USRP) – are not only expensive; they’re bulky and conspicuous.
But commodity Wi-Fi receivers could be used to identify the location of employees or security personnel, enabling the thieves to avoid detection. They could take advantage of near-ubiquitous Wi-Fi transmissions – such as digital assistants or Wi-Fi access points – to passively locate and track moving users.
Unlike earlier systems, the researchers’ smartphone location attacks are entirely passive, relying on Wi-Fi sniffing that doesn’t actively transmit any RF signals.
MIT Technology Review describes the challenges Zhu and his team were up against when it comes to the noisy, smeared world of RF signals that forced them to come up with a computational scheme to enable them to pick out humans and their movements:

If humans were able to see the world as Wi-Fi does, it would seem a bizarre landscape. Doors and walls would be almost transparent, and almost every house and office would be illuminated from within by a bright light bulb – a Wi-Fi transmitter.
But despite the widespread transparency, this world would be hard to make sense of. That’s because walls, doors, furniture, and so on all reflect and bend this light as well as transmitting it. So any image would be impossibly smeared with confusing reflections.
But this needn’t be an issue if all you are interested in is the movement of people. Humans also reflect and distort this Wi-Fi light. The distortion, and the way it moves, would be clearly visible through Wi-Fi eyes, even though the other details would be smeared. This crazy Wi-Fi vision would clearly reveal whether anybody was behind a wall and, if so, whether the person was moving.

Out of this Wi-Fi haze, Zhu and his team had to detect changes in ordinary Wi-Fi signals that would point to the presence of human bodies.
The problem is that Wi-Fi sniffers don’t render images. Zhu and his team instead relied on measuring signal strength as they walked around a building. After all, you can’t figure out where signal-distorting humans are without knowing where the signals are coming from. On their walk, they took brief spatial measurements of the received signal strength (RSS) and where it strengthened and faded out, depending on an app they had built that used the smartphone’s built-in accelerometers to record their movement and to then analyze the change in signal strength as they moved.
Walking back and forth helped them to pretty reliably nail the location of a transmitter, they said:

We found that consistency check across 4 rounds of measurements is sufficient to achieve room level localization of 92.6% accuracy on average.

The researchers tested their technique using Nexus 5 and Nexus 6 Android smartphones to peep into 11 offices and apartments whose owners had agreed to participate in the project. Many of those locations had Wi-Fi devices, and they found that the more there were, the easier it made their job:

We see that with more than 2 Wi-Fi devices in a regular room, our attack can detect more than 99% of the user presence and movement in each room we have tested.

How to draw the Wi-Fi blinds?

The researchers propose three possible defenses: geo-fencing Wi-Fi signals, rate limiting Wi-Fi signals, and signal obfuscation.
Geo-fencing works pretty well to fend off attackers who might go after us with cellphones and algorithms in this manner: it more than doubled localization errors, dropping room-level accuracy from 92.6% to 41.15%. In practice, though, it’s extremely tough to deploy and configure. Rate limiting messes up devices’ operability, particularly Internet of Things (IoT) devices.
That leaves signal obfuscation: adding noise so devices can’t be located accurately. The downsides include that attackers can just use an extra sniffer to suss out the noise and subtract it from the signal traces. Another major drawback is extra consumption of Wi-Fi bandwidth and energy at the access point. Still, it looks to be the best potential defense so far: the researchers hope to refine obfuscation defense in the future to protect against these attacks.
For now, people should be advised that Wi-Fi everywhere might be convenient, but it also threatens our privacy, they said:

While greatly improving our everyday life, [wireless transmissions] also unknowingly reveal information about ourselves and our actions.

4 Comments

I for one welcome our new… kidding.
The charts and maps are fine–but I really wanna see what this *looks* like. Is it similar to DareDevil’s “world on fire?”

There is another way. There are paints, curtains, and other materials that block RF signals. So if you make the exterior walls and windows so that they block RF, then those sniffers would go blind.

Use VLAN’s – segregate. Why not use the same technology that noise cancelling uses – direct the WiFi away from the windows and toward the windows broadcast the exact opposite at a lower power which should cancel out most of the signal from leaking. Also 5G leaks less – set up on a per room basis with much lower power output. Also seeing as most attacks start with deauthenticate (Krack / Broadpwn etc.) WiFi protected frames can help. Passive sniffers for deauthentication requests can be a first line detection of all those script kiddies armed with Kali Linux. Use honeypots. Failing that a big baseball bat…. (joking).

I can understand how this might make physical security teams nervous for banks and other institutions with something worth stealing by those willing to risk jail time for (minimally) breaking and entering, but personally, as security conscious as I am (I am reading this, after all), I really don’t care if someone knows I’m walking across the room, down a corridor, etc. There’s enough other ways to detect physical presence that this just doesn’t phase me. I refuse to wear a tinfoil hat. I prefer to actually live my life without worrying about things like this. There’s enough real world threats to deal with.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?