Abusing Wi-Fi to localize someone's devices inside their room. An attacker spoofs beacons to pretend there's buffered traffic for all clients. Every client will request this traffic and thereby reveal its MAC address. Fake frames are sent to the victim and the time-of-flight of the response (here the response is an acknowledgement frame) is used for localization.

Free PDF access: https://randompaper1234.tiiny.site/
Official paper website: https://dl.acm.org/doi/abs/10.1145/3495243.3560530

This can be done from cheap drones. They used an ultra-light DJI Mini 2 drone with two lightweight Wi-Fi chips: an ESP8266 & ESP32. The idea is that you can now "look inside a room" and learn where devices are located. For instance, you can learn the location of Wi-Fi security cameras.
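The two protocol details the post relies on, reduced to their arithmetic, as an added example (this is not code from the paper or from the thread): how a beacon's TIM element marks which association IDs (AIDs) have buffered traffic, so that a spoofed beacon setting every bit makes every associated station poll for data, and how the round-trip time to an acknowledgement converts to a one-way distance. The 16 us SIFS value and all frame bytes are assumptions constructed for illustration; the paper's own timing method is not reproduced here.

```python
"""
Added example, not code from the paper or the thread.

1. The TIM (Traffic Indication Map) element of an 802.11 beacon carries a
   partial virtual bitmap with one bit per AID.  A spoofed beacon that sets
   every bit tells every associated station it has buffered traffic.
2. The round-trip time from a probe frame to its ACK, converted to distance.
   The receiver waits a fixed SIFS before sending the ACK, so SIFS is
   subtracted before halving.  Assumption: 16 us (5 GHz 802.11a/n/ac);
   2.4 GHz 802.11b/g use 10 us.

All bytes and timings below are constructed for illustration.
"""

SPEED_OF_LIGHT_M_PER_S = 299_792_458.0
TIM_ELEMENT_ID = 5       # IEEE 802.11 element ID of the TIM element
MAX_AID = 2007           # largest AID the 251-octet bitmap can represent


def build_tim(buffered_aids, dtim_count=0, dtim_period=1, multicast_buffered=False):
    """Encode a TIM element: ID, length, DTIM count, DTIM period,
    bitmap control, partial virtual bitmap."""
    aids = sorted(set(buffered_aids))
    if aids and (aids[0] < 1 or aids[-1] > MAX_AID):
        raise ValueError("AIDs must lie in 1..%d" % MAX_AID)
    if aids:
        # N1 is the largest even octet index below which the bitmap is all zero.
        first_octet = (aids[0] // 8) & ~1
        last_octet = aids[-1] // 8
    else:
        first_octet, last_octet = 0, 0
    bitmap = bytearray(last_octet - first_octet + 1)
    for aid in aids:
        bitmap[aid // 8 - first_octet] |= 1 << (aid % 8)
    # Bitmap Control: bit 0 = multicast/broadcast traffic indicator,
    # bits 1..7 = bitmap offset (N1 / 2).
    bitmap_control = ((first_octet // 2) << 1) | int(multicast_buffered)
    body = bytes([dtim_count, dtim_period, bitmap_control]) + bytes(bitmap)
    return bytes([TIM_ELEMENT_ID, len(body)]) + body


def parse_tim(element):
    """Decode a TIM element and return the set of AIDs marked as having
    buffered traffic (AID 0 is not a station, so its bit is ignored)."""
    if len(element) < 6 or element[0] != TIM_ELEMENT_ID:
        raise ValueError("not a TIM element")
    length = element[1]
    if length != len(element) - 2 or length < 4:
        raise ValueError("bad TIM length")
    bitmap_control = element[4]
    first_octet = (bitmap_control >> 1) * 2
    aids = set()
    for i, octet in enumerate(element[5:]):
        for bit in range(8):
            aid = (first_octet + i) * 8 + bit
            if octet & (1 << bit) and aid != 0:
                aids.add(aid)
    return aids


def spoofed_all_clients_tim():
    """TIM claiming buffered traffic for every possible AID, as a spoofed
    beacon aimed at all clients would carry it."""
    return build_tim(range(1, MAX_AID + 1), multicast_buffered=True)


def distance_from_rtt(rtt_s, sifs_s=16e-6):
    """One-way distance implied by a probe -> ACK round trip measured from
    the end of the attacker's transmission to the start of the ACK."""
    time_of_flight_s = (rtt_s - sifs_s) / 2.0
    return time_of_flight_s * SPEED_OF_LIGHT_M_PER_S


if __name__ == "__main__":
    tim = spoofed_all_clients_tim()
    print("spoofed TIM: %d bytes, %d AIDs marked" % (len(tim), len(parse_tim(tim))))
    rtt = 16e-6 + 2 * 10.0 / SPEED_OF_LIGHT_M_PER_S   # constructed: 10 m away
    print("estimated distance: %.3f m" % distance_from_rtt(rtt))
```

Note the scale the timing has to resolve: 1 m of distance is about 3.3 ns of one-way flight time, which is why a cheap chip's timestamps only become useful once many acknowledgements are averaged.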


@vanhoefm Seeing as how Faraday cages aren't an option, e.g. https://laughingsquid.com/scottish-house-surrounded-by-chainmail-box/ and wiring stuff isn't an option (a lot of IoT is WiFi only, no network port), is there any realistic solution here that doesn't involve magic like "make drones go away?"
@kurtseifried not really for existing Wi-Fi devices. You can randomize when exactly a receiver sends the acknowledgement frame, that will make it harder to use time-of-flight measurements. Doing that typically requires changes to the firmware and/or hardware.
@vanhoefm Hrmmm. Adding an RNG sleep statement to the hardware basically, but even then with enough replies I suspect you'd be able to do some math magic to average it out if you collected enough (10? 1000?) and get an answer, less precise, but still an answer. This is a fascinating problem. #CWE reminder

@kurtseifried Yeah using an RNG is one option, but then you can average out the noise.

In general, whenever you emit a radio signal, you can be localized. Whether that's Wi-Fi or not. So completely preventing localization seems impossible. I think you can only make it harder / more expensive.
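A simulation of the randomized-ACK-delay defence discussed in the replies above, added here as an example (not code from the thread, the paper, or any real firmware). It assumes the victim's extra delay is uniform on [0, jitter_max] and that the attacker knows or has estimated that distribution, ignores the attacker's own clock resolution, and uses a 16 us SIFS; all values are constructed. It shows the effect in numbers: each reply carries tens of metres of error, but the spread of the attacker's estimate shrinks as 1/sqrt(n) with the number of replies collected.

```python
"""
Added example, not from the thread.  Simulates a receiver that delays its
ACK by a random amount and shows why averaging many replies recovers the
distance anyway.

Assumptions: uniform delay on [0, jitter_max_s] known to the attacker,
ideal attacker clock, SIFS of 16 us.  All values are constructed.
"""
import math
import random
import statistics

SPEED_OF_LIGHT_M_PER_S = 299_792_458.0
SIFS_S = 16e-6


def rtt_samples(distance_m, n, jitter_max_s, rng=None):
    """Round-trip times the attacker measures for n probe/ACK pairs when the
    victim adds a random ACK delay on top of SIFS."""
    rng = rng if rng is not None else random.Random(0)
    tof_s = distance_m / SPEED_OF_LIGHT_M_PER_S
    return [2 * tof_s + SIFS_S + rng.random() * jitter_max_s for _ in range(n)]


def estimate_distance_m(samples, jitter_max_s):
    """Attacker's estimate: average the round trips, subtract SIFS and the
    expected jitter (jitter_max / 2), halve, convert to metres."""
    mean_rtt_s = statistics.fmean(samples)
    tof_s = (mean_rtt_s - SIFS_S - jitter_max_s / 2) / 2
    return tof_s * SPEED_OF_LIGHT_M_PER_S


def per_sample_error_m(jitter_max_s):
    """Standard deviation in metres of a single-reply distance estimate under
    uniform jitter: sigma_t = jitter_max / sqrt(12), halved for one way."""
    return jitter_max_s / math.sqrt(12) * SPEED_OF_LIGHT_M_PER_S / 2


def spread_of_estimates_m(distance_m, n, jitter_max_s, batches=200, seed=0):
    """Standard deviation of the attacker's estimate over many independent
    batches of n replies; it shrinks roughly as 1/sqrt(n)."""
    rng = random.Random(seed)
    estimates = [
        estimate_distance_m(rtt_samples(distance_m, n, jitter_max_s, rng), jitter_max_s)
        for _ in range(batches)
    ]
    return statistics.pstdev(estimates)


if __name__ == "__main__":
    jitter = 1e-6   # constructed: 1 us of random ACK delay
    print("per-reply error: %.1f m" % per_sample_error_m(jitter))
    for n in (1, 10, 100, 1000):
        print("n=%5d  spread of estimate: %.2f m" % (n, spread_of_estimates_m(5.0, n, jitter)))
```

The attacker does not even need the exact jitter distribution: any unknown constant offset in the mean delay shifts every estimate by the same amount and can be calibrated away against a device at a known position, which is the "less precise, but still an answer" outcome described above.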

@vanhoefm what flags in a beacon indicate buffered traffic?
@singe They abused the TIM bitmap
@vanhoefm is it a MAC reveal on all clients?
@singe I assume most clients that see the injected beacon (and aren't asleep). I think this is a working link to the PDF: https://randompaper1234.tiiny.site/

@vanhoefm that sounds like a convenient way to do presence detection based on where the phone is.