You are being watched — by a silent WiFi sniffer outside of your house

With near-ubiquitous deployment of WiFi-enabled smart devices ( e.g., security cameras, voice assistants, and smart appliances), our homes and offices are filled with many WiFi devices. The ubiquity of these devices and their sheer density means that they will fill the air around us with radio frequency (RF) signals, wherever we go. Unfortunately, the RF signals emitted by these devices pose a real security and privacy risk to all of us. They are constantly interacting with (e.g., reflecting off) our bodies, carrying information about our location, movement and other physiological properties to anyone nearby with sufficient knowledge and curiosity.

Our work demonstrates a new set of passive reconnaissance attacks that leverages the presence of ambient WiFi signals to monitor users in their homes and offices, even when the WiFi network, data packets, and individual devices are completely secured and operating as expected. We show that by just sniffing existing WiFi signals, an adversary outside of the target property can accurately detect and track movements of any users down to their individual rooms, regardless of whether they are carrying any networked devices. The resulting attacks are cheap, highly effective, and yet difficult to detect. We implement the attack using a single commodity smartphone, deploy it in 11 real-world offices and residential apartments, and show it is highly effective.

We propose a practical defense against the silent reconnaissance attack using AP-based signal obfuscation, where the WiFi Access Point actively injects customized cover signal for its associated devices. This defense effectively creates noise to the signal measurements, such that the attacker is unable to identify change due to human motion. Our defense is easy to implement, incurs no changes to devices other than the AP, but reduces the human detection rate to 47% while increasing the false positive rate to 50%. Such ambiguity renders the attack useless in practice.