WiFi Sensing: How intelligence services monitor you – and how pentesters use the method to your advantage

WiFi Sensing has gained considerable importance in recent years – not only in research, but also in real-world applications. The ability to analyze Wi-Fi signals to detect movements and activities is not only interesting for smart home and security applications. Intelligence services have also recognized that this technology is a powerful tool for covert surveillance But how exactly does this work? And how do we use these technologies in the context of penetration testing

Table of Contents

Basics: What is WiFi Sensing?

WiFi Sensing is based on the analysis of Channel State Information (CSI)which is included in modern WLAN protocols such as IEEE 802.11n/ac.

  • CSI data provide detailed information about the Amplitudes and Phase shifts individual subcarriers in a WLAN signal.
  • Changes in these values ​​occur when Wi-Fi signals are reflected, broken or blocked by objects or people.
  • By analyzing these changes over time, movements and positions in space can be reconstructed.

A simplified example:

A person moves in a room with active WiFi. The reflections of the signal on the person cause specific patterns in the CSI data that can be analyzed and interpreted

How intelligence agencies use WiFi sensing

use intelligence services WiFi Sensing especially for covert surveillance in situations where the use of cameras or other sensors would be too conspicuous. Typical applications include:

  1. room monitoring: By passively analyzing Wi-Fi signals, movement patterns within a room can be detected without physical presence or visual contact.
  2. people detection: Movement patterns can be analyzed so finely that they can be used to distinguish between people or activities (e.g. sitting, walking, standing).
  3. education in critical areas: Especially in security-critical environments, WLAN analyses can help to detect unauthorized movements or activities.
  4. hostage rescue and tactical operations: Security agencies can use WiFi sensing to locate the position of people in a room. By finely analyzing the signal reflections, it is possible to detect movements, whereabouts and even potential body postures. While the technology cannot yet directly detect weapons, abrupt movement patterns or typical changes in the CSI data could indicate sudden threats. This can help make life-saving decisions in hostage rescues and minimize risks for emergency responders.

The big advantage: Wi-Fi is ubiquitousIn contrast to traditional surveillance methods, WiFi Sensing does not require special sensors or cameras – the existing WiFi signal is sufficient.

WiFi Sensing in Penetration Testing: Our Approach

The Physical Assessments we use similar techniques to penetrate security-critical areas and uncover vulnerabilities:

  1. spatial exploration: By analyzing local Wi-Fi signals, we can determine whether an area is frequented by people. This helps us recognize movement patterns and identify time windows in which we can operate unnoticed.
  2. circumvention of security mechanisms: Changes in CSI data tell us whether, for example, guards or cameras are present in certain areas. This allows us to plan routes that bypass security measures.
  3. Proof of Concept with Nexmon: As part of a penetration test, we often create a technical proofhow attackers can use WiFi sensing to track movements within a building. A particularly powerful tool for this is NexmonThis framework allows modifying the WLAN firmware of Broadcom chips to extract CSI data in real time.

Technical implementation:

  • Nexmon enables the extraction of CSI data from compatible WLAN chips (e.g. on Raspberry Pi or similar devices).
  • The collected data is processed using tools such as MATLAB or Python analyzed and visualized.
  • This data helps us identify and detect movements, locations and potential vulnerabilities in a space.
Proof of Concept: How to use a Raspberry Pi with Nexmon tools for WiFi sensing.

Proof of Concept: A Simple WiFi Sensing Demo

A proof of concept (PoC) can be realized using a Raspberry Pi and a compatible Broadcom WiFi chip. Here are the basic steps:

  1. Hardware: A Raspberry Pi 3 or 4 equipped with Nexmon is compatible.
  2. Software: Installation of the Nexmon tools and modification of the WLAN firmware for CSI data acquisition.
  3. Analysis : Extraction and visualization of CSI data to identify movements in space.


Result: Movements or activities in the room cause clear patterns in the CSI data.

				
					import matplotlib.pyplot as plt
import numpy as np

# Beispiel-Daten simulieren (in echt durch Nexmon extrahiert)

time = np.linspace(0, 10, 1000)
csi_data = np.sin(time) + np.random.normal(0, 0.1, len(time))
plt.plot(time, csi_data)
plt.title(‘Beispiel: CSI-Datenvisualisierung’)
plt.xlabel(‘Zeit (s)’)
plt.ylabel(‘Amplitude’)
plt.show()

Result: Movements or activities in the room cause clear patterns in the CSI data.

Protection against WiFi Sensing: What Companies Should Know

Complete protection against WiFi sensing is hardly possible because this technology is based on ubiquitous WiFi signals. Nevertheless, there are two sensible approaches to minimize the risks and even gain security benefits:

  1. Use of technology for self-protection: Companies can actively use WiFi Sensing to detect potential security incidents, such as break-ins or unauthorized movements in security-critical areas. By analyzing the WiFi signals, activities can be monitored without having to install additional sensors.

  2. Signal shielding in critical areas: In particularly sensitive environments – such as research departments or meeting rooms – care should be taken to ensure that WLAN signals are effectively shielded. This can render attacks based on WiFi sensing ineffective. This can be achieved, for example, through special structural measures such as Faraday cages or signal-blocking materials.

Instead of just acting reactively, companies can also use these technologies proactively to uncover security gaps and better protect themselves.

Conclusion: Security through offensive analysis

WiFi Sensing is not only a tool for intelligence services or research institutions. It also offers penetration testing and Physical Assessments a decisive advantage in making security gaps visible.

We show our customers how attackers can use modern technologies - and how to protect themselves against them. WiFi is everywhere. Let's use it correctly.

ward off industrial espionage
Protect your secrets from targeted hacking attacks.
To the consultation
Follow for more!
Linkedin-in Instagram Youtube Facebook f
Newsletter Form

Cybersecurity insider access with exclusive content and early access to security-relevant information

Become a Cyber ​​Security Insider

Get early access and exclusive content!

OTHER CONTRIBUTIONS

Table of Contents

2 comments

  1. Hello, what if you don't have Wi-Fi and have also deactivated Wi-Fi and Bluetooth on your phone.

    the monitoring then also works.
    Greetings, Marie

    Reply

    1. Hi Marie,

      If Wi-Fi and Bluetooth are completely deactivated – both on the router and on the smartphone – no connection can be established via these radio channels.
      However, this does not automatically mean that any form of surveillance is no longer possible:

      Devices can often still use mobile data (4G/5G) as long as the SIM card is active. This can be used to transmit location and usage data.

      Even without an internet connection, local sensors (e.g. GPS, accelerometer) can collect data that is later transmitted once a connection is re-established.

      Some devices have additional radio modules (e.g. NFC) that could also be active if they are not turned off separately.

      In short:
      Turning off Wi-Fi and Bluetooth will eliminate these two transmission paths, but complete protection against surveillance requires you to disable all possible wireless and data connections or turn off the device entirely.

      Reply

Do you have any questions or additions? bring it on!
Write a comment and we will reply as soon as possible!

Your email address will not be published. Required fields are marked with *.

Share your feedback and help us improve our services!

Share your feedback and help us improve our services!

Take 1 minute to give us some feedback. This way we can ensure that our IT security solutions meet your exact needs.

PSN_KU_Cover
NewsLetter Form Pop Up New

Become a Cyber ​​Security Insider

Subscribe to our knowledge base and get:

Early access to new blog posts
Exclusive content
Regular updates on industry trends and best practices

Please accept the cookies at the bottom of this page to be able to submit the form!
Survey
Survey