Abusing Wi-Fi to localize someone's devices inside their room. Attacker spoofs beacons to pretend there's buffered traffic for all clients. Every client will request this traffic and thereby reveal their MAC address. Fake frames are sent to the victim and the time-of-flight of the response (here the response is an acknowledgement frame) is used for localization.

Free PDF access: https://randompaper1234.tiiny.site/
Official paper website: https://dl.acm.org/doi/abs/10.1145/3495243.3560530

This can be done from cheap drones. They used an ultra-light DJI mini 2 drone with two lightweight Wi-Fi chips: an ESP8266 & ESP32. Idea is that you can now "look inside a room" and learn where devices are located. For instance, you can learn the location of Wi-Fi security cameras.


@vanhoefm what flags in a beacon indicate buffered traffic?
@singe They abused the TIM bitmap
@vanhoefm is it a MAC reveal on all clients?
@singe I assume most clients that see the injected beacon (and aren't asleep). I think this is a working link to the PDF: https://randompaper1234.tiiny.site/
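
For defenders, an added example (not from the paper or from anyone in this thread): a monitor-side check that parses the TIM element of a received beacon and reports AIDs flagged as having buffered traffic that no associated station holds. The function names, the sample bytes and the assumption that the monitor knows the AP's association table are all hypothetical.

```python
# Added example: detect beacons whose TIM bitmap advertises buffered traffic
# for AIDs that are not in the AP's association table (assumed to be known).
TIM_ELEMENT_ID = 5

def find_tim(tagged: bytes):
    """Return the TIM element body from a run of 802.11 information elements, or None."""
    i = 0
    while i + 2 <= len(tagged):
        eid, length = tagged[i], tagged[i + 1]
        body = tagged[i + 2:i + 2 + length]
        if len(body) < length:
            return None  # truncated element, stop parsing
        if eid == TIM_ELEMENT_ID:
            return body
        i += 2 + length
    return None

def tim_aids(body: bytes):
    """Return (group_traffic_flag, set of AIDs marked as having buffered unicast traffic)."""
    if len(body) < 4:
        raise ValueError("TIM element too short")
    bitmap_control = body[2]          # body[0] = DTIM count, body[1] = DTIM period
    group = bool(bitmap_control & 0x01)
    first_octet = (bitmap_control >> 1) * 2  # offset field counts in units of 2 octets
    aids = set()
    for n, octet in enumerate(body[3:]):
        for bit in range(8):
            aid = (first_octet + n) * 8 + bit
            if octet & (1 << bit) and aid != 0:  # AID 0 is group traffic, not a station
                aids.add(aid)
    return group, aids

def unexpected_aids(tagged: bytes, associated_aids):
    """AIDs the beacon claims buffered traffic for that no associated station holds."""
    tim = find_tim(tagged)
    if tim is None:
        return set()
    return tim_aids(tim)[1] - set(associated_aids)

# Constructed sample input: an SSID element followed by a TIM element.
SSID = bytes([0, 4]) + b"test"
NORMAL_BEACON = SSID + bytes([5, 4, 0, 1, 0x00, 0x02])           # only AID 1 set
FLOODED_BEACON = SSID + bytes([5, 7, 0, 1, 0x00]) + b"\xff" * 4   # AIDs 1..31 set

if __name__ == "__main__":
    print(sorted(unexpected_aids(NORMAL_BEACON, {1, 2})))
    print(sorted(unexpected_aids(FLOODED_BEACON, {1, 2})))
```

A beacon carrying the AP's BSSID that yields a large set here, while the AP itself reports an empty power-save buffer, is a strong sign the beacon was injected.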