TL;DR: Researchers at Germany's Karlsruhe Institute of Technology (KIT) demonstrated that standard WiFi routers can identify individual people with 99.5% accuracy, without cameras, without the target carrying any device, and without any special equipment. The attack intercepts unencrypted "beamforming feedback" signals that every WiFi device broadcasts, then uses machine learning to build a body-specific profile from how radio waves bounce off you. Tested on 197 people. Published at ACM CCS 2025 in Taipei. The researchers are now warning that the upcoming IEEE 802.11bf WiFi sensing standard could make this worse. Here's what this means for you.

Every Router Is a Camera Now

Walk past a coffee shop. Sit in an airport terminal. Stand in a mall. If there's a WiFi network operating nearby (and there almost always is) you can be identified. Not your phone. Not your laptop. You.

In October 2025, researchers Julian Todt, Felix Morsbach, and Professor Thorsten Strufe from KIT's KASTEL security institute presented a paper at the ACM Conference on Computer and Communications Security in Taipei that should have set off alarms in every privacy office on the planet. It's called "BFId: Identity Inference Attacks Utilizing Beamforming Feedback Information." The name is dry. The implications are not.

Their system achieved 99.5% accuracy (plus or minus 0.38%) across 197 test subjects. It identified people regardless of their walking style, from multiple viewing angles, at reduced sample rates. The only thing it needed was a standard WiFi router.

No cameras. No specialized sensors. No LIDAR. No app on your phone. Just the WiFi signals already bouncing around you right now.

How Radio Waves Rat You Out

Here's the technical version, made human: WiFi routers use something called beamforming to steer their signals toward connected devices. To do this efficiently, every connected device sends back "beamforming feedback information" (BFI): data about how the radio signals are propagating through the space around it.

This feedback is sent in plaintext. Unencrypted. Readable by anyone within range.

When a person stands or moves between a WiFi device and a router, their body disrupts the radio signals in a way that's unique to them. Your height, build, posture, gait (even subtle things like shoulder width and arm swing) create a distinct disruption pattern. The BFI data captures these disruptions.

Todt and his team figured out how to turn those disruption patterns into identity signatures. Their machine learning model trains on the BFI data, and once trained, can identify a known individual in seconds.

"If you regularly pass by a café that operates a WiFi network, you could be identified there without noticing it and be recognized later, for example by public authorities or companies," Todt explained.

Think about that. The café doesn't need cameras. You don't need to connect to anything. You just need to exist within range of a WiFi signal, and the signal does the rest.

The Surveillance System That's Already Everywhere

Cameras are visible. People notice them, argue about them, occasionally cover them with spray paint. WiFi routers? Nobody looks twice.

Morsbach put it plainly: WiFi networks represent "a nearly comprehensive surveillance infrastructure with one concerning property: they are invisible and raise no suspicion."

He's right. WiFi access points blanket every office building, shopping center, transit station, hospital, school, restaurant, and home in the developed world. The infrastructure for person-level identification surveillance isn't being built. It's already built. It just needed someone to figure out how to use it.

That's what Strufe's team at KASTEL did. And they did it with commodity hardware, the same equipment powering the router sitting in your living room right now.

Previous WiFi-based identification methods required specialized LIDAR sensors or expensive custom equipment. BFId killed that barrier. Standard hardware. Near-perfect accuracy. Already deployed everywhere.

Who Would Use This?

The researchers raised one scenario explicitly: authoritarian governments tracking protesters and political dissidents. WiFi-based surveillance would let a regime monitor who attends opposition meetings without installing a single camera. No footage to leak. No hardware to photograph and post on social media. Just invisible radio waves.

But it's not just authoritarian states. Consider:

  • Retailers already track your phone's WiFi probe requests to monitor foot traffic. BFId-style identification doesn't require your phone to be on.
  • Employers could monitor which rooms employees visit and how long they stay (bathroom breaks included) through existing office WiFi networks.
  • Landlords and property managers could track tenant movements through building WiFi without installing cameras in common areas.
  • Law enforcement could place a surveillance-equipped router near a target's regular route. No warrant for a camera needed. It's just a WiFi access point.
  • Advertising companies could identify individual shoppers in malls without facial recognition, sidestepping biometric privacy laws in Illinois, Texas, and other states.

And here's the problem: because this technique doesn't collect biometric data in the traditional sense (no face, no fingerprint, no iris) it may fall outside existing privacy regulations entirely. No law specifically protects your WiFi radio signature.

The Standard That Could Make It Worse

IEEE published the 802.11bf standard in September 2025, one month before the BFId paper was presented. This standard is designed to turn WiFi sensing from an academic curiosity into a built-in feature of every wireless device.

802.11bf formalizes WiFi's ability to detect presence, motion, gestures, and objects. The use cases sound reasonable: elderly fall detection, smart home automation, breathing rate monitoring. The problem is that these capabilities are architecturally identical to surveillance capabilities. The same system that detects grandma falling can detect a protester entering a building.

The KIT researchers are calling for privacy safeguards to be written into the standard before it's widely deployed. Specifically, they want the beamforming feedback information encrypted, which would prevent the passive eavesdropping that makes BFId possible.

Right now, BFI is sent in plaintext because there was never a reason to encrypt it. It was just technical feedback between router and device, not supposed to be useful to anyone else. That assumption is dead.

What You Can (and Can't) Do

The bad news: you can't stop WiFi signals from bouncing off your body. If you exist in a space with WiFi, the signals will interact with you whether you like it or not.

What You Can't Control

You can't prevent BFI collection from routers you don't own. Public WiFi, office networks, your neighbor's mesh system all generate BFI data that could theoretically be captured. You'd have to live in a Faraday cage.

What You Can Control

If you manage WiFi networks, check whether your router firmware supports BFI encryption. Most don't yet, but as 802.11bf rolls out, look for implementations that encrypt feedback channels. Push your hardware vendor to adopt encrypted BFI.

Demand Standards Action

The IEEE 802.11bf standard is still being implemented. The window to demand encrypted BFI as a requirement, not an option, is closing. Contact the IEEE 802.11bf Task Group and advocate for mandatory privacy protections.

Watch the Research

BFId is a proof of concept, not a deployed surveillance tool, yet. But the gap between "paper published" and "product shipped" keeps shrinking. Follow KIT's KASTEL institute and the ACM CCS proceedings for follow-up work.

The Invisible Panopticon

We've spent years arguing about cameras on streetlights, facial recognition at airports, and Ring doorbells pointed at sidewalks. All visible. All debatable. All subjects of legislation in at least some jurisdictions.

WiFi-based identification makes all of that look quaint. It's invisible, ubiquitous, operates through walls, doesn't require the target to carry anything or do anything, and exists on infrastructure that's already installed in nearly every indoor space on Earth.

99.5% accuracy. 197 test subjects. Commodity hardware. Published and peer-reviewed.

Strufe, Todt, and Morsbach did the responsible thing: they published the attack and called for defenses before someone deployed it in silence. The question is whether anyone listens before "WiFi sensing" becomes just another feature bullet point on your next router's box.

Your WiFi is watching. It always was. Now it knows who you are.

References

  1. Todt, Morsbach, Strufe - "BFId: Identity Inference Attacks Utilizing Beamforming Feedback Information" - ACM CCS 2025, Taipei
  2. Karlsruhe Institute of Technology - "The Spy Who Came in from the WiFi: Beware of Radio Network Surveillance" (October 2025)
  3. Gadget Review - "Researchers Warn WiFi Is Being Quietly Turned Into a Mass Surveillance System" (February 2026)
  4. TechSpot - "Wi-Fi Can Accurately Identify People, Even if They Aren't Carrying a Phone" (October 2025)
  5. IEEE 802.11bf - WLAN Sensing Standard (September 2025)
  6. KASTEL Security Research Lab - WiFi Surveillance Research Announcement