Using Wi-Fi to See through Walls

This technique measures device response time to determine distance:

The scientists tested the exploit by modifying an off-the-shelf drone to create a flying scanning device, the Wi-Peep. The robotic aircraft sends several messages to each device as it flies around, establishing the positions of devices in each room. A thief using the drone could find vulnerable areas in a home or office by checking for the absence of security cameras and other signs that a room is monitored or occupied. It could also be used to follow a security guard, or even to help rival hotels spy on each other by gauging the number of rooms in use.

There have been attempts to exploit similar WiFi problems before, but the team says these typically require bulky and costly devices that would give away attempts. Wi-Peep only requires a small drone and about $15 US in equipment that includes two WiFi modules and a voltage regulator. An intruder could quickly scan a building without revealing their presence.

Research paper.

Posted on November 8, 2022 at 6:15 AM • 24 Comments

Comments

Phillip November 8, 2022 8:01 AM

So now I have to “Spidey” stick my laptop to the ceiling of my hotel room? …If there is another floor. You are making this really, really, amazing.

Scott Lewis November 8, 2022 9:40 AM

@ “-”

It’s not unsolicited advertising. Are you thinking that sentence was paid for by Amazon? It’s a rather interesting point, that’s all. Not all Roombas do that, I believe. Mine does, but it’s one of the lower end models that has that feature, and to be fair… it does an “ok” job at best.

Frank B. November 8, 2022 10:09 AM

Soon to be used by employers on their work from home employees across ‘Murica. Heck it’s probably coming soon to a police department near you.

lurker November 8, 2022 10:48 AM

WiFi’s friendliness to other devices might pose a significant threat in the wrong circumstances.
. . .
A thief using the drone could find vulnerable areas in a home or office by checking for the absence of security cameras . . .

What is the business case for “security” cameras to broadcast on wifi? I even caused consternation in a previous location when I pointed out the wired cameras were visible to anyone who knew the IP Nr (which was trivial to deduce). Shifting them to a dedicated VLAN was one step up, still findable to a dedicated opponent.

But a camera spewing its pictures openly into the sky gives new meaning to “friendly”.

- November 8, 2022 12:22 PM

@Scott Lewis:

The link is to an IT company. The single sentence is indicative of such posts.

Have a look on the current 100 comments page for quite a few of that form flagged up today.

Because the sentence was sort of vaguely related I said,

‘Looks like,’

Rather than ‘is’.

Aaron November 8, 2022 1:17 PM

This is why the only real security you’ll ever have is inside your head and they are coming for that space too!

Wait November 8, 2022 3:16 PM

There are some practical hurdles to be overcome if one is to fly a drone.
– Drone operators must have line of sight to the drone. This means if a drone is in sight but the operator can be seen, then alarms are set off in knowledgeable persons that something fishy is going on.
– Drone operators must respect the privacy of persons and properties where they are flying. So a drone on a clandestine mission will raise red flags as its flight path will not respect the privacy of persons and properties. The drone will raise alarms that something unlawful is being conducted using the drone.
– There are plenty of flight restrictions to limit the use of drones. Usability of drones that follow the law would be at the mercy of drone flight restrictions. Any flights ignoring the restrictions only draw attention that something unlawful is being carried out.
– USA and other countries now mandate drones have identification transmitters.

So the regulations of drones are a huge hurdle against using drones for eavesdropping using Wifi.

Bob Paddock November 8, 2022 3:18 PM

@Aaron, the US Army War College already has, in 1998:

“The Mind Has No Firewall” by Timothy L. Thomas.

Timothy L. Thomas, “The Mind Has No Firewall,” Parameters 28, no. 1 (1998),
doi:10.55540/0031-1723.1871
[doi: Digital Object Identifier]

Clive Robinson November 8, 2022 5:43 PM

@ Wait, ALL,

Re : assumed physical hurdles.

“Drone operators must have line of sight to the drone.”

Not true at all, drones, even very inexpensive drones, can fly a GPS way-point course. You can demonstrate this on many drones by cutting the operator’s TX signal and the drone flies back under GPS to its point of origin…

“Drone operators must respect the privacy of persons and properties where they are flying.”

And how is that enforced technically?

Let me think, err it’s not…

“USA and other countries now mandate drones have identification transmitters.”

And what’s to stop an illicit drone operator disabling or removing the identification transmitter.

These so-called hurdles are like “maintenance locks”, they are only effective against the incompetent and the idly curious. Even pre-teen children with “a bit of nous” could get over such hurdles.

There is a saying of,

“Rules are for the guidance of the wise and for fools to obey without question.”

Scott Lewis November 8, 2022 7:02 PM

@ –

So it is. I never click on names so I would have missed that. He did accidentally make an interesting comment at the very least.

SpaceLifeForm November 8, 2022 8:05 PM

@ Scott Lewis, -, ALL

If the handle shows up as Red, there is a URL behind it.

That is a Red Flag. The poster may be trying to create SEO.

If it is Red, mouse over it before you decide on the credibility.

Ted November 8, 2022 9:56 PM

I’m not sure if I understand this correctly… but is it impossible to prevent a WiFi device from sending an ACK response to an 802.11 packet – even from an imitated access point?

It’s wild that a suggested solution is to work with WiFi chipset vendors to add timing noise. Even this only appears to throw off the time-of-flight measurements and hence more precise location tracking. But you’re still going to get a response. Polite WiFi is a doozy.

SpaceLifeForm November 8, 2022 11:18 PM

@ Ted

This is a nothingburger. As long as the WIFI AP is broadcasting, it can be trilateralated, even through walls.

If you can find a WIFI AP that allows you to not broadcast SSID, let me know. And if you find one (they do exist), see if your client will be able to see it (manual settings), and it will allow you to connect.

Good luck. The AP is still broadcasting even with a hidden SSID.

Ted November 9, 2022 8:48 AM

@SpaceLifeForm

This is a nothingburger. As long as the WIFI AP is broadcasting, it can be trilateralated, even through walls.

Not quite sure I understand. The targeted network’s WiFi access point would be broadcasting as usual. But the individual devices (eg: smartphones, tablets, etc.) could be asleep.

“The 802.11 standard allows Wi-Fi devices to turn off their radios and go to sleep periodically to save power.”

So the imitated access point on the drone can pick up the network’s SSID and use it to spoof beacon packets to all the devices and get them to wake up and respond. These responses can be sniffed.

And the time it takes for them to respond gives info about their distance and location.

They appear to deal with the signal’s multipath effect by taking hundreds of measurements. However they noted:

“L7 is probably the most challenging location on the main floor because it is surrounded by several big appliances.”

vas pup November 9, 2022 5:47 PM

@ALL: so now Stingray technology used by our ‘wizards’ in LEAs should utilize this as additional feature?
see https://en.wikipedia.org/wiki/Stingray_phone_tracker

The EU Watergate? Pegasus spyware scandal grows
https://www.dw.com/en/eu-watergate-the-pegasus-spyware-scandal-keeps-spreading/a-63687981

“Pegasus infiltrates mobile phones to extract data or activate a camera or microphone to spy on owners. The company says the tech is designed to fight crime and terrorism, but it has been found by investigators to have been used on journalists, activists, dissidents and politicians worldwide.

In the past eighteen months, Hungary, Poland, Spain and Greece have all been accused of using Pegasus or equivalent technology against citizens or politicians.

In Poland and Hungary, use of such spyware is an “integral element” of a “system, which is designed to control and even oppress the citizens — that is, critics of the government, opposition, journalists, whistleblowers,” said Dutch EU lawmaker Sophie in ‘t Veld on Tuesday, as she presented a damning interim European Parliament report.”

Very good video inside with reference to the company – link inside. Finally, their phone has hardware activated video and microphone!!!!

https://www.bittium.com/secure-communications-connectivity/secure-smartphones-for-professionals

My nickel on Pegasus: I am 100% for its usage by LEAs for fighting REAL violent criminals but I am 100% against its usage towards political opponents. If the central LEA of the country used it primarily for the latter, not the former, it is on the path to becoming the Ministry of Truth and/or Love (see ‘1984’).

SpaceLifeForm November 9, 2022 5:59 PM

@ Ted, Clive

Re: go to sleep periodically

Have you ever noticed your smart phone WIFI was on after you woke up?

And you had turned WIFI off?

There may be an advantage to having irregular sleep schedules like Clive and myself.

You may notice events and connect dots.

No SIM card required.

Neill November 9, 2022 6:02 PM

New firmware with “radio strength randomization” (like ASLR) would make it harder to use.

The WiFi AP logfiles could reveal a roaming drone moving differently than a human and in unexpected ways (e.g. sudden change in altitude). Factor the wind conditions into it, small drones are easily blown sideways.
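Added example, not part of the original post or of any comment: one way a fixed monitor-mode sensor could turn the log-based detection idea into a check, flagging bursts of frames that claim the access point's address but arrive at a signal strength the stationary AP never produces. The record format, addresses, readings and thresholds are constructed assumptions, and the check only covers a transmitter that reuses the AP's address.

```python
from statistics import median

AP_BSSID = "02:00:00:00:00:01"  # constructed address of the real, stationary AP
# Constructed RSSI readings (dBm) of the real AP, taken at the fixed sensor.
TRAINING = [-52, -51, -53, -52, -50, -54, -52, -51]
# Constructed capture: (timestamp_s, transmitter address, RSSI in dBm).
FRAMES = (
    [(float(t), AP_BSSID, -53 + t % 3) for t in range(0, 200, 10)]  # real AP
    + [(30.2, AP_BSSID, -65)]                    # one isolated fade
    + [(100.0 + i, AP_BSSID, r)                  # moving source reusing the BSSID
       for i, r in enumerate([-78, -74, -70, -66, -62, -41])]
    + [(101.5, "02:00:00:00:00:99", -70)]        # unrelated transmitter, ignored
)

def rssi_baseline(readings):
    """Median and median absolute deviation (MAD) of the AP's usual RSSI."""
    mid = median(readings)
    return mid, median(abs(r - mid) for r in readings)

def flag_spoofed_bursts(frames, bssid, baseline, k=6.0, floor_db=8.0,
                        max_gap_s=10.0, min_outliers=5):
    """Return (first_ts, last_ts, count) for each run of frames that claim
    `bssid` but arrive outside the RSSI band a stationary AP produces."""
    mid, mad = baseline
    tolerance = max(floor_db, k * mad)  # never tighter than floor_db
    outliers = sorted(t for t, tx, rssi in frames
                      if tx == bssid and abs(rssi - mid) > tolerance)
    bursts, run = [], []
    for t in outliers + [float("inf")]:  # sentinel closes the final run
        if run and t - run[-1] > max_gap_s:
            if len(run) >= min_outliers:  # isolated outliers are not reported
                bursts.append((run[0], run[-1], len(run)))
            run = []
        run.append(t)
    return bursts

if __name__ == "__main__":
    print(flag_spoofed_bursts(FRAMES, AP_BSSID, rssi_baseline(TRAINING)))
```
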

Phillip November 9, 2022 11:39 PM

@SpaceLifeForm, et al.

This is good: “trilateralated”, not because of the triads, but because of the Trilateral Commission. You know, there is some old conspiracy saw, or another, about this entity?

Anyway, I got a real kick out of Mike Myers’ “Pentaverate”, though it uses very crude humor. Just mentioning crudeness – to respect policy. The plot does thicken with some internet thing (not to spoil A answer).

Winter November 10, 2022 9:11 AM

@Phillip

Anyway, I got a real kick out of Mike Myers’ “Pentaverate”, though it uses very crude humor.

Me too. I liked the trans-/sub-atlantic hyperloop. I so much want that.

Quantry November 10, 2022 10:25 AM

@ vas pup, thanks re “EU Watergate”[1][2]
You said,

on Pegasus: I am 100% for its usage by LEAs for fighting REAL violent criminals

but this entails a great deal of “mind reading” ability, and enables “creative interpretation”, and is fodder for vendetta seekers… What human is able to look into someone’s life and get it right even a fraction of the time? This is ultimately nothing but pure psychopathic staziism by extremely self-righteous and self-serving, vultching voyeurs, IMO.

[1] See her webpage for the link
‘https://www.sophieintveld.eu/nl/sophie-in-t-veld
[2] The EUROPA bio for “Rapporteur: Sophie in ‘t Veld”
‘https://www.europarl.europa.eu/meps/en/28266/SOPHIA_IN%20’T%20VELD/home

Jim Lux November 12, 2022 11:30 PM

Even if you can accurately measure time of flight, turning that into an actual image is very, very difficult. The problem is that everything reflects the signals as well as letting some through. So imagine that you’re looking through a kaleidoscope or fun house of partly silvered mirrors.

The problem is generically called inversion, and folks doing seismic and ground penetrating radar have been working on it for decades. In some situations, you can do pretty well, but in most, the resulting image is difficult to interpret.

Check out the work of the Army Research Lab – it’s all on dtic.

https://apps.dtic.mil/sti/citations/ADA522101
https://apps.dtic.mil/sti/citations/ADA503440
https://apps.dtic.mil/sti/pdfs/ADA496571.pdf

Dick Mills November 13, 2022 4:37 PM

Could someone use this to make a perimeter security? It might be cheaper and have longer range than motion sensors. Just raise an alarm if any WIFI responds to the query.
