If you pass by a café that operates a WiFi network, you can be identified – even if you do not carry a cell phone with you. Researchers of Karlsruhe Institute of Technology (KIT) have found a way to identify people solely through recording WiFi communication. They point out that this constitutes a significant risk to privacy. It is unnecessary for the persons to carry any devices on them, nor is any specific hardware needed to identify people present in the range of the WLAN. It takes nothing but WiFi devices communicating with each other in the person’s surroundings. This creates patterns comparable to a images shot by cameras, just based on radio waves. The research team calls for adequate privacy safeguards.
“By observing the propagation of radio waves, we can create an image of the surroundings and of persons who are present,” says Professor Thorsten Strufe from KASTEL – KIT’s Institute of Information Security and Dependability. “This works similar to a normal camera, the difference being that in our case, radio waves instead of light waves are used for the recognition,” explains the cybersecurity expert. “Thus, it does not matter whether you carry a WiFi device on you or not.” Switching your device off does not help: “It’s sufficient that other WiFi devices in your surroundings are active.”
WiFi Routers as “Quiet Observers”
“This technology turns every router into a potential means for surveillance,” warns Julian Todt from KASTEL. “If you regularly pass by a café that operates a WiFi network, you could be identified there without noticing it and be recognized later – for example by public authorities or companies.” Felix Morsbach stresses that it is true that there are easier methods for secret services or cybercriminals to observe people right now – for example by accessing CCTV cameras or video doorbells. “However, the omnipresent wireless networks might become a nearly comprehensive surveillance infrastructure with one concerning property: they are invisible and raise no suspicion.” Actually, WiFi networks exist in almost all homes, offices, restaurants, and public spaces today.
No Special Hardware Required
Unlike attacks with LIDAR sensors or previous WiFi-based methods, which use channel state information (CSI) – i.e. measured data that indicate how a radio signal changes when it reflects off of walls, furniture, or persons – the attackers do not need any special hardware. This method requires nothing but a standard WiFi device. It works by exploiting the communication of legitimate users of the WLAN, whose devices are connected to the WiFi network. These regularly send feedback signals within the network, also called beamforming feedback information (BFI), to the router – in unencrypted form so that it is readable by anybody in range. This creates images from different perspectives that can serve to identify the respective persons. Once the underlying machine-learning model has been trained, the identification only takes a few seconds.
Almost 100% Accuracy – Technology Entails Risks to Privacy
In a study with 197 participants, the team could infer the identity of persons with almost 100% accuracy – independently of the perspective or their gait. “The technology is powerful, but at the same time entails risks to our fundamental rights, especially to privacy,” emphasizes Strufe. The researchers warn that this is particularly critical in authoritarian states where the technology might be used for the observation of protesters. Therefore, they urgently call for protective measures and privacy safeguards in the forthcoming IEEE 802.11bf WiFi standard.
Funding and Publication
The project was funded under the Helmholtz “Engineering Secure Systems” topic. The researchers have presented their results at the “ACM Conference on Computer and Communications Security” (CCS) in Taipei. The paper is available at https://publikationen.bibliothek.kit.edu/1000185756.
Original publication
Todt, Julian; Morsbach, Felix; Strufe, Thorsten: BFId: Identity Inference Attacks utilizing Beamforming Feedback Information, ACM, 2025. DOI: 10.1145/3719027.3765062 (from October 13, 2025, DOI link not yet activated).
Being “The University in the Helmholtz Association”, KIT creates and imparts knowledge for the society and the environment. It is the objective to make significant contributions to the global challenges in the fields of energy, mobility, and information. For this, about 10,000 employees cooperate in a broad range of disciplines in natural sciences, engineering sciences, economics, and the humanities and social sciences. KIT prepares its 22,800 students for responsible tasks in society, industry, and science by offering research-based study programs. Innovation efforts at KIT build a bridge between important scientific findings and their application for the benefit of society, economic prosperity, and the preservation of our natural basis of life. KIT is one of the German universities of excellence.