Security researchers at the Karlsruhe Institute of Technology (KIT) in Germany have published a paper demonstrating that unencrypted beamforming data broadcast by Wi-Fi devices during normal operation can be used to identify individuals walking through a room with 99.5% accuracy, regardless of whether the individuals are carrying Wi-Fi devices. The tactic leverages the router's beamforming tech to identify individuals with up to 99.5% accuracy, and it works with existing routers, too.
The system, called BFId, requires no specialized hardware, no access to the target Wi-Fi network, and works even if the person being tracked isn't carrying a wireless device. The team tested the attack on 197 participants, the largest dataset ever used in Wi-Fi-based identification works, and plans to present its findings at the ACM Conference on Computer and Communications Security (CCS) in Taipei.
Wi-Fi-based identification isn’t new; prior systems have used channel state information (CSI), a physical-layer measurement of how radio signals degrade between transmitter and receiver, to recognize people by their gait. But CSI extraction requires modified firmware that only works on a handful of network interface cards, most notably the Intel 5300, a NIC released in 2008 that's widely used in research, and fewer than 6% of deployed Wi-Fi devices supported CSI extraction as of 2023, according to the paper.
BFId exploits a different data source: beamforming feedback information (BFI). Introduced in Wi-Fi 5 (802.11ac), beamforming allows access points to steer transmissions toward specific clients. To do this, connected devices periodically measure the wireless channel and send compressed feedback back to the router, which is then broadcast unencrypted on the MAC layer, meaning any Wi-Fi adapter set to monitor mode can capture it passively.
A single eavesdropping device can record BFI from every client on a network simultaneously, capturing multiple perspectives of any person in the area. CSI-based attacks, by contrast, only capture one perspective per malicious node.
The researchers found that BFI substantially outperformed CSI in identification accuracy despite being a lossy, lower-resolution derivative of CSI data. On the same 170-person subset, BFI achieved 99.5% accuracy compared to 82.4% for CSI. The paper attributes this to BFI's compression acting as a form of noise filtering, and to higher spatial resolution, with each BFI data point containing 740 features versus 212 for CSI.
The team tested several potential mitigations, such as reducing the frequency of beamforming reports, which had minimal effect on BFI accuracy, even at heavily degraded sample rates. Encrypting BFI transmissions would require changes to the Wi-Fi standard and could break backward compatibility with existing devices.
"The technology is powerful, but at the same time entails risks to our fundamental rights, especially to privacy," Professor Thorsten Strufe from KASTEL, KIT's cybersecurity institute, said in a press release published on Science Daily.
The researchers noted that IEEE published the 802.11bf amendment in 2025, which formally standardizes Wi-Fi sensing for applications like presence detection and environment monitoring. The team argues the standard lacks adequate privacy protections and is calling for safeguards to be added before Wi-Fi sensing becomes widely deployed.
Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.
