With all of the Wi-Fi-connected devices in our homes, whether they are televisions, security cameras, smartphones, tablets, or laptops, most of us are always near at least one of them. Smartphones in particular have a tendency to be glued to their owners. These devices open up a world's worth of information and all manner of conveniences to their owners, so this is a good thing on balance, right? Probably so, but for someone with bad intentions, these connected devices can be exploited for nefarious purposes. If someone were able to determine the location of the Wi-Fi-connected devices in your home, for example, they would be able to gain information about where the occupants are, find the locations of security cameras, locate valuable electronics, and more.
Locating Wi-Fi-connected devices has been demonstrated before, but the techniques that make it possible typically rely on multiple arrays of large antennas and lengthy scanning times. It goes without saying that if someone is hanging around outside your house all afternoon with an antenna array in their hand, you should be suspicious. For reasons such as this, Wi-Fi localization attacks have not been considered practical for real-world applications. A duo of researchers at the University of Waterloo and the University of Illinois Urbana-Champaign have turned this old assumption of impracticality on its head with their description of a Wi-Fi localization exploit they call Wi-Peep. They have outlined how an inconspicuous and inexpensive device can locate hidden Wi-Fi devices without their cooperation.
The attack first discovers all Wi-Fi devices in range by abusing the 802.11 power-saving mechanism: the attacker impersonates the access point and tells every associated device to contact the access point to retrieve its buffered packets. Every device on the network then sends a response that the attacker can intercept and use to identify it. Once the layout of the network is known, requests can be aimed at each Wi-Fi device individually. Because 802.11 devices always respond with an ACK to packets addressed to them, even when those packets originate from outside their own network, as long as the packets are unencrypted or incorrectly encrypted, the team could count on a response in every case. Measuring the time of flight between sending the request and receiving the response then reveals how far away the device is.
It was found in the course of this work that the delay between a device receiving a packet and sending its ACK, which is supposed to be fixed at 10 microseconds, actually varied from 8 to 13 microseconds. Because this delay feeds directly into the time-of-flight calculation on which localization depends, a novel algorithm had to be developed to correct for the variation. Another problem with time-of-flight measurements encountered along the way was the multipath effect, in which multiple copies of a signal reach the receiver over different paths. Since Wi-Peep captures ACK sequences at the millisecond level, numerous packets could be recorded as an attacker walks or flies by, and this multitude of spatially diverse measurements allowed the researchers to correct effectively for multipath.
The Wi-Peep technique was implemented on the tiny DJI Mini 2 drone equipped with ESP32 and ESP8266 Wi-Fi-capable microcontrollers. The hardware weighs less than 10 grams and costs less than 20 dollars, making it both inexpensive to deploy and difficult to detect. This drone was deployed in a real-world test in which it localized devices on an 802.11ax Wi-Fi 6 network to within about four feet of their true locations in a three-story home. The scan was completed within two minutes.
This exploit is one example of how the gadgets we rely on can be used against us in unexpected ways. The fact that Wi-Peep is non-obvious in practice and does not require the target network to be tampered with makes it practical to carry out in the real world. It is important that exploits such as this are discovered and described so that we can take proactive measures to guard against them. The research team found that adding a randomized delay between the receipt of a packet and the response introduced a large error into location estimates, and that this may be a good way to protect against Wi-Peep attacks.
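To make the timing sensitivity and the countermeasure concrete, here is a small simulation written for this article; it is not code from the Wi-Peep researchers. It converts an ACK round-trip time into a distance assuming the nominal 10-microsecond receive-to-ACK turnaround the article mentions, then shows what happens to the estimate when the device's actual turnaround wanders between 8 and 13 microseconds (the range the article reports) and when a deliberately randomized delay is added as a defence. The median estimator, the 50-microsecond randomization spread, the 20-metre true distance and the sample count are all constructed choices for illustration; in particular the median is not the correction algorithm the paper describes, and multipath is ignored.

```python
import random
import statistics

C_M_PER_S = 299_792_458.0     # speed of light in vacuum, metres per second
NOMINAL_TURNAROUND_US = 10.0  # receive-to-ACK gap the article says should be fixed at 10 us


def meters_per_microsecond_of_timing_error():
    """One-way distance error produced by one microsecond of round-trip timing error.
    Shows why a few microseconds of ACK jitter matter for localization."""
    return C_M_PER_S * 1e-6 / 2


def round_trip_us(distance_m, turnaround_us):
    """Time from sending a frame until its ACK arrives: two one-way flights plus
    the receiver's turnaround delay (all in microseconds)."""
    return 2 * distance_m / C_M_PER_S * 1e6 + turnaround_us


def distance_from_rtt(rtt_us, assumed_turnaround_us=NOMINAL_TURNAROUND_US):
    """Invert round_trip_us, assuming the turnaround was exactly the nominal value."""
    return (rtt_us - assumed_turnaround_us) * 1e-6 * C_M_PER_S / 2


def estimate_distance(true_distance_m, n_samples, turnaround_fn, rng):
    """Collect n_samples time-of-flight readings and reduce them with a median.
    The median is a deliberately simple estimator for illustration only."""
    readings = [
        distance_from_rtt(round_trip_us(true_distance_m, turnaround_fn(rng)))
        for _ in range(n_samples)
    ]
    return statistics.median(readings)


# Three models of the receiver's turnaround behaviour.
def ideal_turnaround(rng):
    # What the standard assumes: exactly the nominal gap every time.
    return NOMINAL_TURNAROUND_US


def observed_jitter(rng):
    # The article reports real devices answering anywhere from 8 to 13 us.
    return rng.uniform(8.0, 13.0)


def randomized_delay(rng, spread_us=50.0):
    # Countermeasure from the article: a random delay before the ACK.
    # The 50 us spread is a constructed value, not one from the paper.
    return NOMINAL_TURNAROUND_US + rng.uniform(0.0, spread_us)


def ranging_errors(true_distance_m=20.0, n_samples=200, seed=1):
    """Absolute ranging error in metres under each turnaround model.
    Uses a seeded generator so the result is reproducible."""
    rng = random.Random(seed)
    return {
        name: abs(estimate_distance(true_distance_m, n_samples, fn, rng) - true_distance_m)
        for name, fn in (
            ("ideal", ideal_turnaround),
            ("device_jitter", observed_jitter),
            ("randomized_delay", randomized_delay),
        )
    }


if __name__ == "__main__":
    print(f"{meters_per_microsecond_of_timing_error():.1f} m of distance error per microsecond")
    for name, err in ranging_errors().items():
        print(f"{name:>17}: {err:8.1f} m error")
```

Two things stand out when this runs. A single microsecond of timing error is worth roughly 150 metres of distance, so the 8-to-13-microsecond spread the researchers observed would swamp any useful estimate without a correction step, which is why they needed a dedicated algorithm. And once the receiver adds a random delay of tens of microseconds, the naive estimate is off by kilometres, which is the effect the article describes when it suggests randomized response timing as a defence.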