Wi-Fi signals can be used to sense and track a person's location without consent by analyzing the channel state information (CSI) of packets. This poses a privacy risk. The document proposes obfuscating the CSI through randomization techniques at the transmitter to "blur" location fingerprints while maintaining communication performance. Experiments show basic randomization reduces correct localization from over 90% to under 20% for a single receiver. Advanced techniques balance privacy and packet delivery rate. Proper CSI manipulation can help counter unwarranted Wi-Fi tracking while allowing normal operation.
Wi-Fi Sensing: Attack on Privacy & Countermeasures
1. Wi-Fi Sensing: Attack on Privacy & Countermeasures
Advanced Networking Systems, DII
University of Brescia – Italy
https://ans.unibs.it/
Renato Lo Cigno
with the fundamental contribution of
• Francesco Gringoli
• Marco Cominelli
• Lorenzo Ghiro
2. Outline & Goals
• Wi-Fi Fundamentals
• CSI-based Wi-Fi Localization & Sensing
• Learning positions with CNNs fingerprinting
• Obfuscation through CSI randomization
• Proper manipulation of the CSI at the transmitter or with an intelligent ambient can hide position information & maintain communication performance
Speck&Tech - Trento, Sept. 29, 2022. Wi-Fi Sensing: Attack ... renato.locigno@unibs.it
4. Common view of Wi-Fi
But we are interested in Wi-Fi packets and signals, not the network!
[Figure: access points (AP: Access Point) attached to a wired LAN / Eth switch, with a router towards the "INTERNET"]
5. Wi-Fi packets & signals - 1
• 802.11 comes in many flavors: g/a/h/ac/ax ...
• They define different packet formats and transmission technologies, including MIMO
[Figure: MIMO link with channel coefficients labelled h11 and h22]
6. Wi-Fi packets & signals - 2
• 802.11 comes in many flavors: g/a/h/ac/ax ...
• Some fields in the packets remain fixed and are used to help the correct reception
[Figure: packet format with fields L-STF, L-LTF, L-SIG, VHT-SIG-A, VHT-STF, VHT-LTF, VHT-SIG-B, DATA (durations as printed: 8µs 8µs 4µs 8µs 4µs 4µs 8µs 4µs 4µs ...), four 20MHz channels, 80MHz, 256 carriers]
[Figure: transmit chain with labels {..., S^in_n, ...}, randomizer, {..., S^out_n, ...}, IDFT, I/Q samples, central carrier, modulated signal s(t), to antenna]
7. Wi-Fi packets & signals - 3
• 802.11 comes in many flavors: g/a/h/ac/ax ...
• All versions use OFDM as modulation technique
8. Wi-Fi Channel State Information (CSI)
• Packet decoding happens thanks to the knowledge of the distortion introduced by the channel (multipath, refractions, ...)
• This knowledge (CSI) is obtained by analyzing known portions of the packets
10. Wi-Fi Position Sensing
[Figure: receiver chains RX1 and RX2 observing U (input filter, sampling, equalizer, decoding, received bits, CSI extraction); CSI extraction feeds a localization system that outputs an estimated position]
• CSI is essential for equalization and high throughput
• Once extracted, the CSI can also be used to sense & probe the environment
• People (& objects) change the channel response
11. Wi-Fi Position Sensing
• The most evident characteristic of the CSI is the amplitude change in frequency
• Amplitude heatmap with the same person in two different positions in our lab
• Question: how to exploit this information?
12. CNN Fingerprinting
• Most recent "trend" is using supervised learning with a Convolutional Neural Network
• CSI I/Q samples are fed to the CNN that returns a position classification
[Figure: CNN taking CSI values (real / imag) through Conv. Layers 1-2 and Fully-Conn. Layers 1-3, classifying among 8 indoor locations]
• It works, we'll see results
• Still fragile, but AI is improving VERY fast
13. Localization
• Tracking a person without her/his consent
  • Violates privacy
  • Often violates laws / rules
• Channel State Information (CSI) carries details on the propagation environment
[Figure: lab floor plan, 6.60 m by 7.00 m, with transmitter Tx, receivers Rx1-Rx5 and positions P1-P8; caption: BIG BROTHER IS SENSING YOU]
14. Localization
• Big Brother
  • Controls one (or more) receivers
  • Knows the position of Tx (e.g., an Access Point)
• The victim
  • Is unaware of the system
  • Does not need to hold a Wi-Fi device
16. CSI Randomization
• Proper manipulation at the transmitter "blurs" the fingerprints
• Different manipulations result in different "blurring"
• Manipulation should not hamper communication performance
17. Manipulation Principles
1. Do not alter power emission
2. Guarantee that the pre-distortion random changes are compatible with human (time correlation)
3. Guarantee that the pre-distortion random changes in frequency are compatible with the real channel
4. Hide distortion information to prevent reverse engineering within a reasonable time horizon
5. Do not change the communication performance of the system
18. Basic Manipulation
• Multiply the amplitude of the samples by a Uniform-Markov random process
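A sketch of this basic manipulation, added here as an example and not the authors' implementation: per-subcarrier gains follow a clipped uniform random walk (an assumed stand-in for the Uniform-Markov process, whose exact definition is in the paper), are smoothed in frequency (principle 3) and rescaled so the emitted power is unchanged (principle 1). The channel, the subcarrier count and all parameters are constructed for illustration.

```python
import math
import random

N_SC, SPREAD, STEP = 64, 0.5, 0.05  # toy parameters assumed for this example

def next_state(prev, rng):
    """Markov step: every gain moves by a uniform increment, clipped to bounds."""
    lo, hi = 1 - SPREAD, 1 + SPREAD
    return [min(hi, max(lo, g + rng.uniform(-STEP, STEP))) for g in prev]

def shape_mask(state, width=5):
    """Moving average across subcarriers, then rescale to unit mean-square
    gain so the total emitted power stays the same."""
    half = width // 2
    sm = []
    for k in range(len(state)):
        win = state[max(0, k - half):k + half + 1]
        sm.append(sum(win) / len(win))
    rms = math.sqrt(sum(g * g for g in sm) / len(sm))
    return [g / rms for g in sm]

def estimate_csi(ltf, channel, mask):
    """Receiver side: Y_k = H_k * m_k * X_k on the known training symbol,
    so the CSI estimate Y_k / X_k equals H_k * m_k rather than H_k."""
    return [(h * m * x) / x for h, m, x in zip(channel, mask, ltf)]

def simulate(n_packets=200, obfuscate=True, seed=7):
    rng = random.Random(seed)
    # Constructed static channel: one fixed position of the person in the room.
    channel = [complex(1 + 0.4 * math.cos(2 * math.pi * k / N_SC),
                       0.3 * math.sin(4 * math.pi * k / N_SC)) for k in range(N_SC)]
    ltf = [rng.choice((-1.0, 1.0)) for _ in range(N_SC)]  # known training symbol
    state = [rng.uniform(1 - SPREAD, 1 + SPREAD) for _ in range(N_SC)]
    powers, drifts = [], []
    for _ in range(n_packets):
        state = next_state(state, rng)
        mask = shape_mask(state) if obfuscate else [1.0] * N_SC
        csi = estimate_csi(ltf, channel, mask)
        powers.append(sum((m * x) ** 2 for m, x in zip(mask, ltf)) / N_SC)
        drifts.append(sum(abs(abs(c) - abs(h)) for c, h in zip(csi, channel)) / N_SC)
    return powers, drifts

if __name__ == "__main__":
    for flag in (False, True):
        p, d = simulate(obfuscate=flag)
        print(f"obfuscate={flag}: tx power {min(p):.3f}..{max(p):.3f}, "
              f"mean |CSI| error {sum(d) / len(d):.3f}")
```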
23. Packet Delivery Rate
• PDR is influenced by manipulation
• Proper analysis of the properties can reduce the impact
MedComNet'21 - Passive Device Free... marco.cominelli@unibs.it
[Figure: PDR [%] (0-100) versus MCS (0-9) for Clean, Filter & Clip, Filter & Clip no Max, Clip & Filter, Clip & Filter no Max]
24. Wi-Fi Sensing: Attack on Privacy & Countermeasures
Thanks for the Attention!
Editor's Notes
- Describe the scenario
- How come we can localize people with WiFi? Not everyone knows it.
- STRESS the person does not need to wear a device
- Skip detailed description of the lab here, it comes later
- Very quick presentation, refer to the paper for details
- The figure is just for exemplification, doesn't matter if it has not been obtained with the specific technique of this paper
- Highlight on the picture that keeping Principle 3 is not trivial
- The formula is used only to refer to the paper for the math
- Explain that there are collisions due to the missing MAC in the SDR
- Highlight that maximum obfuscation obtained with rule of thumb ruins communications, but does not destroy them
- Stress that this correction is a first attempt based on the observation that clipping at the very end may introduce high frequency components, and even this "small correction" leads to very good results.