Researchers Track Humans Through Walls via Wi-Fi Using Nothing More Than a Single Smartphone

A house filled with Wi-Fi devices is a house filled with peepholes, the researchers explain in a paper titled "Et Tu, Alexa?"

Researchers at the Universities of Chicago and California at Santa Barbara have updated their paper detailing a new privacy attack on commodity Wi-Fi hardware, allowing attackers to track users inside private buildings — using nothing more than an off-the-shelf smartphone.

"Our work demonstrates a new set of silent reconnaissance attacks, which leverages the presence of commodity Wi-Fi devices to track users inside private homes and offices, without compromising any Wi-Fi network, data packets, or devices," the researchers claim in their paper's abstract. "We show that just by sniffing existing Wi-Fi signals, an adversary can accurately detect and track movements of users inside a building.

"This is made possible by our new signal model that links together human motion near Wi-Fi transmitters and variance of multipath signal propagation seen by the attacker sniffer outside of the property. The resulting attacks are cheap, highly effective, and yet difficult to detect. We implement the attack using a single commodity smartphone, deploy it in 11 real-world offices and residential apartments, and show it is highly effective."

The team's work is interesting, as it requires no specialist hardware beyond a single off-the-shelf smartphone, but it does come with a few drawbacks. Chief among these is that it is only capable of locating a human to a single room, and lacks the resolution to pick up fine-grained motion, or even, the researchers admit, to "separate humans from large animals." This stands in contrast to systems like RF-Pose, which are more costly and complex to implement.

There is a defense against the attack, too: access point-based signal obfuscation, "where the Wi-Fi Access Point actively injects [a] customised cover signal for its associated devices. This defence," the researchers explain, "effectively creates noise to the signal measurements, such that the attacker is unable to identify change due to human motion. Our defence is easy to implement, incurs no changes to devices other than the AP, but reduces the human detection rate to 47% while increasing the false positive rate to 50%. Such ambiguity renders the attack useless in practice."

The latest version of the team's paper, which was first published in October 2018 and is currently in its third revision, is available under open access terms on arXiv.org.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.