Researchers have demonstrated that the ubiquitous Wi-Fi signals blanketing modern homes and offices can be repurposed into a form of radar, allowing attackers to see and track the movements of people through solid walls. This capability, achieved without breaking network encryption or alerting occupants, leverages common internet hardware to create a powerful surveillance system, transforming everyday infrastructure into a tool for surreptitious monitoring and raising significant new questions about personal security and privacy.
This emerging threat does not rely on a single flaw, but rather on the fundamental physics of how radio waves propagate. Multiple research teams have developed distinct methods that turn Wi-Fi networks into sensing devices. Some techniques passively listen to the ambient radio noise, while others actively ping nearby devices to pinpoint their location. All these approaches work by analyzing the minute disturbances that a human body—through actions as large as walking or as small as breathing—causes in a room’s Wi-Fi field. An adversary can perform this surveillance from outside a building using inexpensive, commercially available hardware, making the attacks both highly effective and difficult to detect.
How Wi-Fi Sensing Sees Through Walls
The ability to see through walls using Wi-Fi hinges on a simple principle: every object in an environment affects the radio signals that pass through or bounce off it. Wi-Fi access points and connected devices constantly transmit and receive radio frequency (RF) signals, creating a consistent energy field throughout a space. When a person enters or moves within this field, their body disrupts the signals in predictable ways. These disturbances, though subtle, contain a wealth of information about the source of the disruption. An external attacker can use a receiver to measure these changes in signal strength and pattern to infer the presence and movement of people.
Modern Wi-Fi systems unintentionally make this data easier to exploit through a feature called channel state information, or CSI. CSI is detailed data that devices use to report back to the router about the quality of the connection, including information on signal fading, scattering, and power levels. This allows the router to adjust its transmissions for a better, more stable connection. However, CSI data also provides a high-resolution snapshot of the physical environment between the transmitter and receiver. By analyzing this stream of information, an attacker can detect the slight chest movements of a person breathing or track their path from one room to another.
Evolving Snooping Techniques
Early methods of Wi-Fi-based surveillance required an attacker to transmit their own signals into a building and measure the reflections, a technique that risked detection. More recent research, however, has focused on stealthier approaches. One major breakthrough involves purely passive listening. In this scenario, an attacker needs only a Wi-Fi receiver, which could be a commodity smartphone, to monitor the existing signals already being generated by a target’s network. A team from the University of Chicago and the University of California, Santa Barbara, demonstrated that by simply listening, they could accurately determine if a room was occupied and detect motion, all without sending a single packet of data or breaking encryption.
A more aggressive method exploits a loophole in the standard 802.11 Wi-Fi protocol that researchers have termed “polite Wi-Fi.” Normally, Wi-Fi devices are secured to only communicate with trusted devices on their network. However, researchers discovered that nearly any Wi-Fi device can be forced to send back an acknowledgment packet, or “ACK,” if it receives a data packet addressed to its unique MAC identifier, even if the sender is unauthorized. An attacker can repeatedly send these packets and measure the precise time it takes for the ACK to return. This time-of-flight measurement allows the attacker to calculate the device’s location to within about a meter. Researchers developed a small, $20 device called Wi-Peep that could be mounted on a drone to fly near a building and map the location of every Wi-Fi-enabled device inside, from laptops to smartwatches.
From Motion Detection to Detailed Imaging
The sophistication of Wi-Fi sensing has advanced far beyond simple motion detection. While initial research focused on confirming whether a person was present, later work has achieved surprisingly detailed imaging of human bodies. A team at Carnegie Mellon University developed a system that uses Wi-Fi signals to generate 3D maps of people in a room, capturing their specific pose and movements. This method effectively creates a low-resolution, radar-like image of subjects through walls, turning wireless signals into a vision system.
Achieving this level of detail requires advanced data processing techniques. The raw Wi-Fi signal data reflecting off a human body is noisy and complex, not something a person could interpret visually. To solve this, the Carnegie Mellon researchers employed a neural network to make sense of the patterns. They used a machine learning model called DensePose, which was originally trained to map human poses from 2D camera images, and adapted it to work with the Wi-Fi signal data. This process, known as transfer learning, allowed the system to learn how to translate the complex RF signal disruptions into recognizable human figures, effectively teaching the computer to see people based only on radio waves.
A Double-Edged Sword of Applications
Proponents of this technology highlight its potential for positive, non-intrusive monitoring. As a low-cost alternative to cameras, Wi-Fi sensing could be used to monitor the well-being of elderly individuals who live alone, automatically detecting a fall or a lack of movement without placing cameras in private spaces like bedrooms. Similarly, it could be used as a security system to detect intruders without the privacy compromises of video surveillance. The goal, according to some researchers, is to pave the way for broadly accessible and privacy-preserving algorithms for human sensing.
Despite these beneficial applications, the potential for misuse presents a serious threat. The same technology could be used by a thief to determine when a home is empty or to locate valuable smart devices like TVs and laptops inside. An attacker could track the movements of security guards within a bank by following the location of their phones or smartwatches. Because Wi-Fi signals penetrate walls and are often detectable far beyond the property line, this technology effectively removes the physical privacy that buildings are meant to provide. It opens the door to a new form of silent, invisible surveillance against which most people have no defense.
Potential Defenses and Countermeasures
As researchers have exposed these vulnerabilities, they have also begun proposing and testing potential defenses. One promising strategy involves signal obfuscation. This approach modifies the Wi-Fi access point to actively transmit a customized “cover” signal, which essentially injects noise into the airwaves. This added noise masks the subtle signal changes caused by human motion, making it much harder for a passive listener to distinguish meaningful patterns from the interference. In tests, this defense was shown to dramatically reduce the human detection rate while simultaneously increasing the attacker’s false positive rate.
To combat active attacks like the one using Wi-Peep, a different defense has been proposed that introduces randomness. The attack relies on precise timing of the acknowledgment packets sent back by a targeted device. A proposed countermeasure would program devices to introduce a tiny, randomized delay—perhaps just a fraction of a microsecond—before they respond. A signal traveling at the speed of light covers 300 meters in one microsecond, so even a minuscule and variable delay is enough to corrupt the time-of-flight calculation. This defense would render precise localization useless, increasing the margin of error from one meter to over 10 or 15 meters, which is often larger than the building itself.
