WiFi sensing

Passive surveillance technique that extracts presence, motion, gait, and respiration data from the radio reflections of ambient WiFi signals — including, critically, the target's own router. Dramatically more accurate when the target operates a WiFi radio inside the environment being observed, because the observer no longer needs to penetrate walls with their own signal.

Also known as: CSI sensing, WiFi-based human sensing, through-wall WiFi imaging, RF imaging, device-free sensing
The formal term: Passive radio-frequency observation extracting Channel State Information (CSI) from IEEE 802.11 packet reflections, used for through-wall presence detection, motion classification, gait identification, and vital-signs monitoring without target instrumentation.
Overlay / cover: Legitimate academic research (MIT, Carnegie Mellon, Tsinghua and others have published the technique extensively); commercial products marketed for fall detection, occupancy sensing, and smart-home automation; the 802.11bf standard (the IEEE WiFi-sensing standardization, in progress), which legitimizes the same techniques for consumer use.

WiFi packets are not just data — they are calibrated radio signals that bounce off walls, furniture, and people on their way to their intended receiver. Modern signal-processing techniques can extract Channel State Information (CSI) from those reflections and use it to build a low-resolution image of what is moving inside the radio's coverage area. The technique is published, the open-source tooling exists, and it improves every year.

What it can do, in the published literature:

  • Through-wall presence detection — knowing whether a room is occupied, and roughly where in the room a person is standing or moving, without any sensor in the room.
  • Motion classification — distinguishing walking from sitting from lying down; distinguishing normal activity from a fall.
  • Gait identification — identifying a specific person from their walking pattern, the way fingerprints identify hands.
  • Vital-signs measurement — extracting breathing rate and (in some configurations) heart rate from the chest-movement reflections.
  • Activity inference — distinguishing typing from eating from sleeping; in some published demonstrations, distinguishing specific keystrokes from the micro-motions of the hands.

The mechanism that makes the target's own radio the critical input. An observer outside a residence who is working only with their own equipment is at a disadvantage — their signal must penetrate the wall outbound and the reflections must penetrate the wall back, with the wall attenuating both passes. Adding a WiFi router inside the target's environment changes the equation entirely. The observer now does not need to push their own signal through the wall. They only need to passively receive reflections of the target's own signal, which is broadcasting at full power from inside the space being observed. The wall now only attenuates one direction of the path instead of two.

The unencrypted-headers gap. WPA2 and WPA3 encrypt the packet payload — what is being said. They do not encrypt the packet headers and timing information — the metadata from which CSI is extracted. A passive observer in radio range can read the CSI from a WPA3-secured network as easily as from an open one; the encryption is irrelevant to the sensing layer. This is structural to 802.11 and not a vendor defect.
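To make the gap concrete, this added example (not from the original page) splits a constructed WPA2/CCMP data frame into the fields any receiver in range reads in clear and the part that is actually encrypted; the physical-layer preamble used for channel estimation precedes all of this and is never encrypted either. The name `split_frame`, the addresses and the frame bytes are constructed for illustration, and only CCMP-128 data frames without an HT Control field are handled.

```python
import struct

CCMP_HDR_LEN, CCMP_MIC_LEN = 8, 8   # CCMP-128, the usual WPA2 cipher

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def split_frame(frame: bytes) -> dict:
    """Separate what any receiver in range can read from what CCMP hides."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 data-frame MAC header")
    fc, = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 2:
        raise ValueError("this example handles data frames only")
    to_ds, from_ds, protected = bool(fc & 0x0100), bool(fc & 0x0200), bool(fc & 0x4000)
    seq_ctl, = struct.unpack_from("<H", frame, 22)
    # Address 4 and QoS Control are optional and also sent in clear.
    hdr_len = 24 + (6 if to_ds and from_ds else 0) + (2 if subtype & 0x8 else 0)
    clear = {"addr1": mac(frame[4:10]), "addr2": mac(frame[10:16]),
             "addr3": mac(frame[16:22]), "seq_num": seq_ctl >> 4,
             "protected": protected, "frame_len": len(frame)}
    body = frame[hdr_len:]
    if not protected:
        return {"clear": clear, "encrypted_len": 0, "readable_body": body}
    if len(body) < CCMP_HDR_LEN + CCMP_MIC_LEN:
        raise ValueError("truncated CCMP frame")
    h = body[:CCMP_HDR_LEN]   # layout: PN0 PN1 rsvd key-id PN2 PN3 PN4 PN5
    clear["packet_number"] = int.from_bytes(bytes([h[0], h[1], *h[4:8]]), "little")
    clear["key_id"] = h[3] >> 6
    return {"clear": clear, "readable_body": b"",
            "encrypted_len": len(body) - CCMP_HDR_LEN - CCMP_MIC_LEN}

# Constructed sample frame (not a capture): data frame, ToDS, Protected bit set.
SAMPLE = (bytes.fromhex("0841" "2c00")           # frame control, duration
          + bytes.fromhex("02aabbccdd01")        # addr1: BSSID
          + bytes.fromhex("02aabbccdd02")        # addr2: transmitting station
          + bytes.fromhex("02aabbccdd03")        # addr3: destination
          + bytes.fromhex("5001")                # sequence control (seq 21)
          + bytes.fromhex("2a00002000000000")    # CCMP header: PN 42, key 0
          + bytes(32) + bytes(8))                # stand-ins for ciphertext and MIC

if __name__ == "__main__":
    print(split_frame(SAMPLE))
```

Everything under `clear` is available without the network key; only the `encrypted_len` bytes between the CCMP header and the MIC are protected.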

Bluetooth has analogous sensing properties. BLE beacons are simpler to fingerprint and track than WiFi but easier to localize; the combination of WiFi-based imaging and Bluetooth-based device tracking gives an observer with both data streams a richer picture than either alone.

The continuing-research angle. The IEEE 802.11bf working group is in the process of standardizing WiFi sensing as a first-class feature of consumer WiFi, intended to enable fall detection, occupancy sensing, and smart-home automation. The standardization is a public good for many applications. It is also formalizing and making cheaper the same set of techniques that an adversarial observer would use.

The "always-on" amplification. Phones and laptops keep their radios active 24/7 by default for background sync. Smart-home devices broadcast continuously. The target who sleeps with a phone on the nightstand and a WiFi router in the next room is illuminating the interior of their sleeping space with WiFi reflections for the eight hours they are most vulnerable, the same sleep window that matters for multiple defensive mechanisms simultaneously.

The defensive practice is straightforward and is detailed in the No wireless technique entry: ethernet wherever possible, radios off when not actively in use, fewer wireless devices in residential space, scheduled router-radio-off overnight. The radio that is off cannot illuminate the room.

This tactic pairs with proximity wireless exploitation — the active-attack counterpart. Both work from within radio range; both are far easier when the target is the one supplying the radio.
