May 27, 2026 · 6 min read

German Researchers at KIT Identified People With Nearly 100% Accuracy Using Ordinary WiFi—No Phone, No Device, No Password—By Reading How an Unencrypted Stream of Router Feedback Data Bends Around the Human Body, and They Warn Every Router Could Become Invisible Surveillance Infrastructure

A team at the Karlsruhe Institute of Technology demonstrated that the radio waves already filling every room carry a usable biometric. By reading the unencrypted feedback that WiFi devices constantly send to a router, and training an AI on how a person's body reshapes those signals, they identified individuals across 197 participants with accuracy approaching 100 percent. The targets carried no device. Their phones were off. They never knew it happened.

Key Takeaways

  • Researchers at the Karlsruhe Institute of Technology (KIT)—Professor Thorsten Strufe, Julian Todt, and Felix Morsbach—identified people from ordinary WiFi signals with accuracy approaching 100 percent across 197 participants, with results presented at the ACM Conference on Computer and Communications Security (CCS 2025).
  • The attack, named BFId, reads beamforming feedback information that WiFi devices broadcast to routers without any encryption, so anyone within wireless range can capture it using only a standard WiFi device.
  • Identification works even when the target carries no device and their phone is off, because the method reads how a human body reshapes the radio waves moving through the room rather than tracking any signal the person emits.
  • Accuracy held regardless of viewing angle or walking pattern, which means the technique recognizes a person rather than a single gesture, gait, or position.
  • The researchers warn that ubiquitous wireless networks could become a near comprehensive surveillance layer that is invisible by design and raises no suspicion, with a café WiFi network able to recognize a regular visitor without any notice.

How Can WiFi "See" a Person?

WiFi can sense a person because a human body is a large, water filled obstacle that absorbs, reflects, and scatters radio waves in a measurable way as it moves through a space. A WiFi router and the devices connected to it are constantly exchanging signals across a room, and every wall, chair, and body in that room alters the path those signals take. When a person stands between a router and a laptop, the waves arriving at the laptop are weaker on some paths, delayed on others, and bounced in along new ones. That distortion is not noise to the network—it is information the network actively measures so it can steer its signal more efficiently.

The academic name for this kind of fingerprint is channel state information, or CSI. CSI describes, for each frequency the radio uses, how much the signal was attenuated and phase shifted on its way from transmitter to receiver. Because a person's exact shape, height, posture, and the way they distribute mass while moving are individual, the pattern of distortion they impose on the channel is individual too. Prior CSI based research already showed device free identification working in the lab, and a transformer based approach reported in 2025 reached 99.82 percent accuracy on stationary subjects by reading the amplitude and phase perturbations a single body imposes on the signal.
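
The per-frequency attenuation and phase shift described above can be reproduced with a toy multipath model. This is an added example, not code from the KIT paper or from this article. The room geometry, path gains, the two "person" scatter paths and the 56-subcarrier 20 MHz layout are constructed assumptions.

```python
import cmath
import math

C = 299_792_458.0  # speed of light in m/s

def subcarriers_hz(center_hz=5.18e9, spacing_hz=312_500.0, half=28):
    """Used subcarrier frequencies of an assumed 20 MHz OFDM channel (DC skipped)."""
    return [center_hz + k * spacing_hz for k in range(-half, half + 1) if k != 0]

def csi(paths, freqs_hz):
    """Complex channel response per subcarrier; paths are (gain, length_m) pairs."""
    return [sum(g * cmath.exp(-2j * math.pi * f * d / C) for g, d in paths)
            for f in freqs_hz]

def perturbation(reference, observed):
    """Per subcarrier: (attenuation change in dB, phase shift in rad) vs. reference."""
    return [(20 * math.log10(abs(o) / abs(r)), cmath.phase(o / r))
            for r, o in zip(reference, observed)]

def amplitude_rms_db(p, q):
    """RMS difference between the dB columns of two perturbation vectors."""
    return math.sqrt(sum((a[0] - b[0]) ** 2 for a, b in zip(p, q)) / len(p))

# Constructed geometry: a direct path and one wall reflection.
EMPTY_ROOM = [(1.0, 5.0), (0.4, 7.5)]
# Constructed bodies: each adds one scattered path with its own gain and length.
PERSON_A = EMPTY_ROOM + [(0.25, 6.2)]
PERSON_B = EMPTY_ROOM + [(0.18, 6.9)]

if __name__ == "__main__":
    freqs = subcarriers_hz()
    base = csi(EMPTY_ROOM, freqs)
    pa = perturbation(base, csi(PERSON_A, freqs))
    pb = perturbation(base, csi(PERSON_B, freqs))
    for i in (0, 27, 55):  # band edges and centre
        print(f"{freqs[i] / 1e6:8.2f} MHz  A: {pa[i][0]:+.2f} dB {pa[i][1]:+.2f} rad"
              f"   B: {pb[i][0]:+.2f} dB {pb[i][1]:+.2f} rad")
    print(f"RMS amplitude difference A vs B: {amplitude_rms_db(pa, pb):.2f} dB")
```

The perturbation is not a flat offset: it varies from subcarrier to subcarrier, and the two constructed bodies produce different curves over the same empty-room baseline.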

What Did the Researchers Actually Demonstrate?

The KIT team demonstrated that a passive observer needs neither the WiFi password nor any cooperation from the router to pull this fingerprint out of the air. Their attack, BFId, targets beamforming feedback information (BFI), a stream of data that WiFi devices send back to the router to report how they are currently receiving the signal so the router can shape its next transmission. The critical flaw the researchers exploited is that BFI is transmitted without encryption. Anyone within range of the network can listen to those feedback packets with an ordinary WiFi device and reconstruct a usable, real time picture of how bodies are bending the signal in the room.

From there the team trained AI models on the captured feedback. Across 197 participants the system identified individuals with accuracy approaching 100 percent—reported elsewhere as roughly 99.5 percent—and, importantly, that accuracy held regardless of the angle a person was viewed from or how they happened to be walking. A system that only recognized one specific gait could be defeated by walking differently. A system that recognizes the person across angles and movement patterns is recognizing something far closer to a stable biometric. The work was presented at CCS 2025, one of the most rigorous venues in computer security.

Why Is Device Free Identification a Bigger Threat Than Phone Tracking?

Device free identification is more dangerous than phone tracking because it removes the one thing a person can control. Almost every existing form of physical tracking depends on something the target carries or emits—a phone broadcasting WiFi probe requests, a Bluetooth beacon, a loyalty app, an advertising ID. Each of those has a defense, even if an inconvenient one: turn the device off, leave it at home, reset the identifier, deny the permission. BFId defeats all of those defenses at once, because it does not read anything the target carries. It reads the target's body. Turning the phone off changes nothing, since the feedback data being mined comes from the network's own devices, not the victim's.

This is also what separates it from web side identification techniques. A device level identifier or a browsing pattern can at least be perturbed or spoofed. Research on browsing behavior fingerprinting across four domains showed how stable an online identity can be even without cookies, but those signals still originate from choices a user makes at a keyboard. A radio fingerprint is closer to a face. As KIT's Julian Todt put it, "This technology turns every router into a potential means for surveillance. If you regularly pass by a café that operates a WiFi network, you could be identified there without noticing it." Felix Morsbach framed the systemic risk plainly: "The omnipresent wireless networks might become a nearly comprehensive surveillance infrastructure with one concerning property: they are invisible and raise no suspicion."

Can You Defend Against WiFi Sensing?

For now, an individual standing in a room covered by someone else's WiFi has very little personal defense, which is exactly why the researchers are raising the alarm at the protocol level. The fingerprint is generated by the network's infrastructure and the unencrypted feedback it produces, not by anything the target controls, so the usual personal mitigations—airplane mode, a faraday sleeve, leaving a phone behind—do not touch it. The realistic fixes are structural rather than individual.

The most direct fix is encrypting beamforming feedback so a passive eavesdropper can no longer read it off the air, which would require changes to the WiFi standard and the firmware that implements it. Network operators can reduce exposure by limiting transmit power and physical coverage so the readable signal does not spill far beyond the intended space, and regulators can begin treating radio frequency fingerprints as the biometric data they functionally are. This mirrors the broader pattern in ambient sensing, where always on consumer hardware quietly collects identifying data—the same dynamic at work in Samsung TV ACR tracking, where the device a person already owns becomes the sensor. On the web, defenders have responded to fingerprinting with tools like a Chrome fingerprint spoofer extension, but no browser extension can spoof the shape of your body in a radio field.
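
To size the transmit-power mitigation, this added example (not from the researchers or the article) uses a log-distance path-loss model to estimate how far a feedback frame stays decodable and what power cap keeps it inside a given boundary. The path-loss exponent, wall loss, margin, site dimensions and the -82 dBm receiver sensitivity are assumed values. Because the feedback frames are sent by the devices reporting to the router, `tx_dbm` is the sending device's power.

```python
import math

def fspl_db(freq_mhz, dist_m):
    """Free-space path loss in dB over dist_m metres."""
    return 20 * math.log10(freq_mhz) + 20 * math.log10(dist_m / 1000.0) + 32.44

def path_loss_db(dist_m, freq_mhz=5180.0, exponent=3.0, wall_db=0.0):
    """Log-distance model: free space to 1 m, then 10*n*log10(d), plus wall loss."""
    return fspl_db(freq_mhz, 1.0) + 10 * exponent * math.log10(dist_m) + wall_db

def decode_radius_m(tx_dbm, sensitivity_dbm=-82.0, **model):
    """Distance at which the received frame drops to the receiver's sensitivity."""
    exponent = model.get("exponent", 3.0)
    budget_db = tx_dbm - sensitivity_dbm - path_loss_db(1.0, **model)
    return 10 ** (budget_db / (10 * exponent))

def max_tx_dbm(boundary_m, margin_db=10.0, sensitivity_dbm=-82.0, **model):
    """Highest sender power that leaves the frame margin_db below sensitivity
    at the boundary of the space the network is meant to cover."""
    return sensitivity_dbm - margin_db + path_loss_db(boundary_m, **model)

if __name__ == "__main__":
    for tx in (20.0, 14.0, 5.0):  # assumed sender powers in dBm
        print(f"{tx:4.0f} dBm -> decodable to about {decode_radius_m(tx):5.1f} m")
    # Assumed site: outer wall 15 m from the sender, 10 dB of wall loss.
    print(f"power cap: {max_tx_dbm(15.0, wall_db=10.0):.1f} dBm")
```

Under these assumptions a 15 dB power cut shrinks the decodable radius only about threefold, so power limits narrow the exposure rather than remove it.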

What Happens Next?

The realistic next step is pressure on the standards bodies that define WiFi to close the unencrypted feedback channel BFId depends on, because a published, peer reviewed attack against ubiquitous hardware tends to force a response. Encrypting beamforming feedback is technically feasible and would directly blunt this specific technique, though deployment across the installed base of routers would take years given how slowly firmware reaches older hardware.

In the meantime the more important shift is conceptual. Privacy law and threat modeling have largely assumed that a person who carries no tracked device is, physically, anonymous in a space. This research breaks that assumption. If a standard router in a café, a lobby, a clinic, or a polling place can recognize who walks through it, then the surveillance question is no longer only about the data we hand over—it is about the radio environment we cannot opt out of. The people most exposed are the ones for whom being recognized in a particular place carries real consequences: sources, organizers, patients, dissidents. For everyone else, it is a quiet reminder that the most thorough surveillance systems are the ones nobody can see.

Further reading from the original disclosure is available from KIT's press release, the ScienceDaily summary, and Tom's Hardware's reporting on the 99.5% accuracy result.
